# Snyk (https://snyk.io) policy file — managed by Lumen
# Ignores documented false positives and accepted risks. Every entry must carry a
# reason, a created date and an expiry; once an entry expires the finding surfaces
# again and must be re-reviewed against the current code, not blindly renewed.
# Policy-file schema version (not the Snyk CLI version).
version: v1.25.0
language-settings:
  java:
    # NOTE(review): by its name this appears to exclude untriaged Java findings
    # from the reported count — confirm that is intended for any CI gate, since it
    # can hide new findings until someone triages them.
    countUntriaged: false

ignore:
  # CSRF disabled on the stateless JWT API chain — intentional and correct per OWASP:
  # "If your application does not use cookies for authentication, CSRF is not a risk."
  # The API security filter chain (Order 1) uses Authorization: Bearer tokens only.
  # The portal filter chain (Order 2) keeps CSRF enabled via CookieCsrfTokenRepository.
  #
  # This accepted risk rests on three properties of SecurityConfig.java. Re-verify
  # all of them before renewing the expiry, and remove the ignore if any one changes:
  #   1. The Order 1 chain never authenticates from a cookie — no JWT-in-cookie
  #      fallback and no session cookie (expected: SessionCreationPolicy.STATELESS;
  #      confirm in the file). Moving the JWT into an HttpOnly cookie would make
  #      the browser auto-send it and reintroduce CSRF on this chain.
  #   2. The Order 1 chain's request matcher is scoped to API paths only, so no
  #      cookie-authenticated portal endpoint falls into the CSRF-disabled chain
  #      (a broad matcher such as /** would silently exempt the portal as well).
  #   3. The portal chain is the only chain serving cookie-authenticated requests,
  #      and its CSRF protection is not weakened by the API chain's ordering.
  # NOTE(review): confirm the ID below matches the finding Snyk actually reports
  # for this file — an ignore keyed on a non-matching ID suppresses nothing, and
  # the finding keeps failing the scan.
  SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF:
    - 'cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java':
        reason: >-
          Stateless JWT API — CSRF not applicable. Browser never auto-sends
          Bearer tokens. Portal chain has CSRF enabled via CookieCsrfTokenRepository.
        # One-year ignore window; review against the checklist above at expiry
        # rather than extending the date unchanged.
        expires: 2027-06-19T00:00:00.000Z
        created: 2026-06-19T07:00:00.000Z
