
Review security issues: policy-drools-applications


    • Type: Task
    • Resolution: Done
    • Priority: High
    • Beijing Release

      The following security issues have been identified by Nexus IQ Server (tool used by LF) on 2017-12-23. See the attached report - RED Security issues.


      1. sonatype-2015-0002  https://issues.apache.org/jira/browse/COLLECTIONS-580 - pulled in as a dependency of another dependency's dependency: xacml -> velocity -> collections 3.2.1; need to upgrade to 3.2.2 or 4.1

      2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525 - com.eclipsesource.jaxrs : jersey-all : 2.18 pulls in jackson-databind before 2.6.7.1, 2.7.9.1 and 2.8.9. It is difficult to tell if com.eclipsesource.jaxrs has upgraded to use jackson-databind 2.9.x. This is a result of the msb-java-sdk client being pulled in. Awaiting a response from HuabingZhao as to whether he will fix it.

      3. sonatype-2017-0312 - possible false positive, as Red Hat claims jackson-databind was fixed in 2.9.x. These are a result of pulling in drools-pdp, so we will have to see if it can be fixed there.

      4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957 - com.thoughtworks.xstream. Pulled in by drools-pdp, will have to fix there.

      5. sonatype-2017-0359 - upgrade httpclient via https://issues.apache.org/jira/browse/HTTPCLIENT-1803 to 4.5.3

      6. sonatype-2016-0398  org.codehaus.plexus : plexus-utils : 3.0.20 -> upgrade to Plexus Utils 3.0.24 or later. These are a result of pulling in drools-pdp, so we will have to see if it can be fixed there.


      The only dependency drools-applications pulls in directly is httpclient. The other jar files are pulled in through a dependency of a dependency, and so on.
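To make those dependency-of-a-dependency chains visible, here is an added example (not part of this ticket or the project's code) that parses `mvn dependency:tree` output, keeps the chain from the root to each artifact, and flags versions below the fix versions named in this ticket. The tree text and the example.policy coordinates are constructed, and the rule that a major release line with no listed fix is treated as not affected is an assumption.

```python
import re

# Fix versions named in this ticket, keyed by groupId:artifactId.
ADVISORIES = {
    "commons-collections:commons-collections": ["3.2.2", "4.1"],  # COLLECTIONS-580
    "org.apache.httpcomponents:httpclient": ["4.5.3"],            # HTTPCLIENT-1803
    "org.codehaus.plexus:plexus-utils": ["3.0.24"],               # sonatype-2016-0398
}

# A tree line is "[INFO] " + a tree-drawing prefix of 3-char segments + coordinates.
SEGMENT = r"(?:\+- |\\- |\|  |   )"
TREE_LINE = re.compile(r"^\[INFO\] (" + SEGMENT + r"*)(\S+)\s*$")

# Constructed sample output; the example.policy coordinates are placeholders.
SAMPLE_TREE = r"""
[INFO] example.policy:drools-applications:jar:1.0.0
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] \- example.policy:xacml:jar:1.0.0:compile
[INFO]    \- org.apache.velocity:velocity:jar:1.7:compile
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:compile
"""

def parse_version(version):
    """Turn '3.2.1' or '1.0.0-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def is_vulnerable(version, fixed_versions):
    """True when the version is below every fix on its own major release line.
    Assumption: a major line with no listed fix (a later line) is not affected."""
    v = parse_version(version)
    same_line = [parse_version(f) for f in fixed_versions if parse_version(f)[0] == v[0]]
    return bool(same_line) and all(v < f for f in same_line)

def find_vulnerable_paths(tree_text, advisories=ADVISORIES):
    """Return (chain, version, 'direct'|'transitive') for each vulnerable artifact."""
    path, hits = [], []  # path: groupId:artifactId of every node from the root down
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # plugin banners, blank lines, anything that is not a tree node
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[-1] if len(parts) == 4 else parts[-2]  # root line has no scope
        del path[depth:]  # back up to this node's parent, then descend
        path.append(ga)
        if ga in advisories and is_vulnerable(version, advisories[ga]):
            hits.append((" -> ".join(path), version, "direct" if depth == 1 else "transitive"))
    return hits

if __name__ == "__main__":
    for chain, version, kind in find_vulnerable_paths(SAMPLE_TREE):
        print(f"{kind}: {chain} ({version})")
```

Run against real output with `mvn dependency:tree` piped to a file; the "transitive" chains show which direct dependency (here xacml) has to be upgraded or have the vulnerable artifact overridden.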


            People: pdragosh, katel34