From 05361fcaa621c81b810acff65bf46e3494c139b2 Mon Sep 17 00:00:00 2001 From: jamie-albert Date: Fri, 7 Nov 2025 19:02:13 +0000 Subject: [PATCH] adding false positive for advisory without matching upstream data --- keycloak-26.4.advisories.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/keycloak-26.4.advisories.yaml b/keycloak-26.4.advisories.yaml index a4505913c9..ff6a9c958e 100644 --- a/keycloak-26.4.advisories.yaml +++ b/keycloak-26.4.advisories.yaml @@ -146,6 +146,11 @@ advisories: componentType: java-archive componentLocation: /opt/iamguarded/keycloak/lib/lib/main/com.microsoft.sqlserver.mssql-jdbc-10.2.4.jre11.jar scanner: grype + - timestamp: 2025-11-07T19:00:55Z + type: false-positive-determination + data: + type: vulnerable-code-not-included-in-package + note: 'The affected component’s suffix is non-standard for Maven parsing. It supports “.” as a delimiter, but treats jre11 as an unknown qualifier that sorts after known ones (alpha, beta, rc, ga, etc.), which breaks version matching. This vulnerability was resolved in the following PR for keycloak 26.4.2-r2: https://github.com/wolfi-dev/os/pull/71234' - id: CGA-rgqm-77gj-629j aliases: