Supress the false positives reported by scorecards

abstractj · abstractj · commit 9bfa4cd13857 · 2025-02-19T16:16:56.000-03:00
Closes #37499

Signed-off-by: Bruno Oliveira da Silva &lt;bruno@abstractj.com&gt;
diff --git a/distribution/maven-plugins/osv-scanner.toml b/distribution/maven-plugins/osv-scanner.toml
@@ -0,0 +1,10 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# Suppress TestNG alert:
+# - TestNG is brought in as a transitive dependency via groovy-testng.
+# - Test dependencies are not included in the server distribution.
+# - The latest groovy-testng version doesn't address the CVE.
+
+[[IgnoredVulns]]
+id = "GHSA-rc2q-x9mf-w3vf"
+reason = "suppressed because TestNG, a transitive dependency from groovy-testng, isn’t included in the server distribution."
diff --git a/js/osv-scanner.toml b/js/osv-scanner.toml
@@ -0,0 +1,21 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-9mvj-f7w8-pvh2"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-67mh-4wv8-2f99"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-gxr4-xjj5-5px2"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-jpcq-cgw6-v4j6"
+reason = "reason"
diff --git a/testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml b/testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml
@@ -0,0 +1,19 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# guava is a test dependency coming from htmlunit3-driver, not shipped with the server distribution. 
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-5mg8-w23w-74h3"
+reason = "suppressed because guava, a transitive dependency from htmlunit3-driver, isn’t included in the server distribution."
+
+# guava is a test dependency coming from htmlunit3-driver, not shipped with the server distribution. 
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-7g45-4rm6-3mm3"
+reason = "suppressed because guava, a transitive dependency from htmlunit3-driver, isn’t included in the server distribution."
+
+# commons-io is a test dependency coming from htmlunit, not shipped with the server distribution. 
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-78wr-2p64-hpwj"
+reason = "suppressed because commons-io, a transitive dependency from htmlunit, isn’t included in the server distribution."
