[FP]: Keycloak OSGi Adapter falsely flagged for Keycloak Server CVEs

[mnika93]

Package URl

pkg:maven/org.keycloak/keycloak-osgi-adapter@18.0.2

CPE

cpe:2.3:a:keycloak:keycloak:18.0.2:::::::*

CVE

CVE-2022-4361, CVE-2023-6291, CVE-2023-6563, CVE-2023-6787, CVE-2024-7341

ODC Integration

{"label" => "CLI"}

ODC Version

12.2.1

Description

Multiple false positives on keycloak-osgi-adapter-18.0.2.jar. The scanner assigns CPE cpe:2.3:a:keycloak:keycloak:18.0.2 and matches all Keycloak CVEs against this JAR. However, this is a
client-side OSGi adapter library used only for OIDC token validation — it is NOT the Keycloak identity server.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-osgi-adapter</artifactId>
  <version>18.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8607
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
    <cpe regex="true">cpe:/a:keycloak:keycloak(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27401143765

[chadlwilson]

Unfortunately we can't safely suppress this globally as keycloak versions these adapters alongside the server and there are no distinct products mapped in NVD for the client libs. If we were to suppress as suggested above we'd risk false negatives for any vulns discovered in the OSGi adapter in future.

E.g https://nvd.nist.gov/vuln/detail/cve-2018-10894 for the saml adapter which did affect the client side.

If you are ok with the risk you can suppress yourself, or just suppress the list of CVEs - as a general rule the project does not maintain lists of CVE level suppressions as it's not scalable.