Description of the false positive
If a URI or URL is created from a File it isn't a valid source of SSRF. This is because, AFAIK, opening a stream from a file will never create a socket request.
new File("untrusted-user-input.txt").toURI().toURL().openStream()
Code samples or links to source code
URL to the alert on GitHub code scanning (optional)
https://github.com/Chainguard-Wolfi-Bites-Back/keycloak__keycloak/security/code-scanning/18
Reasonable Fix
It should be simple to add any type conversion to a File as a simple sanitizer.
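Added example, not part of the original issue and not code from CodeQL or Keycloak: a small Java check that compares the URL produced by the issue's File -> URI -> URL chain with the same string parsed directly as a URI. The input strings, the `internal.example` host and the `isLocalFileUrl` helper are constructed for illustration.

```java
import java.io.File;
import java.net.URI;
import java.net.URL;
import java.util.List;

// Added example: reports which scheme a URL derived from java.io.File carries,
// compared with a URI parsed directly from the same string.
public class FileUrlSchemeCheck {

    // Hypothetical helper: true when the URL uses the "file" scheme and has
    // no host component, i.e. it names a path rather than a network endpoint.
    static boolean isLocalFileUrl(URL url) {
        String host = url.getHost();
        return "file".equals(url.getProtocol()) && (host == null || host.isEmpty());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs standing in for untrusted user input.
        List<String> inputs = List.of(
            "untrusted-user-input.txt",
            "http://internal.example/admin",
            "../../etc/hostname");

        for (String input : inputs) {
            // Chain from the issue: the string is treated as a path, so the
            // resulting URL is resolved against the working directory.
            URL viaFile = new File(input).toURI().toURL();
            System.out.printf("%-32s via File -> %s (local file URL: %b)%n",
                input, viaFile, isLocalFileUrl(viaFile));

            // Same string parsed directly: here the input decides scheme and host.
            URI direct = URI.create(input);
            System.out.printf("%-32s direct   -> scheme=%s host=%s%n",
                "", direct.getScheme(), direct.getHost());
        }
    }
}
```

The `../../etc/hostname` input still resolves to a local path chosen by the caller, which is a path-injection concern rather than a request-forgery one.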