  1. Configuration Persistence Service
  2. CPS-1150

Vulnerability found within OpenDaylight in CPS


    • Type: Bug
    • Resolution: Done
    • Priority: Medium
    • Kohn Release
    • PoC

      OpenDaylight Yangtools 6.0.1 has the following transitives:

      • guava 29.0-jre (47/CAX1054600)
      • j2objc 1.3 (2/CTX1020693)
      • triemap 1.2.0 (3/CTX1027108)

      CVE-2020-8908 has been found by a VA scan for guava; a version upgrade is required.

      Hint: ODL yangtools 7.0.14 seems to have an updated version of guava that is free from the mentioned CVE.

      Notes

      1. Consider upgrading to the latest (release) version of Yangtools
      2. If Yangtools cannot easily be upgraded, we can ask for an 'exemption'
      3. Check direct use of Guava, e.g. in NCM Stubs?!

       

            dylanb95est
            rolandszabo