Policy Framework / POLICY-506

Review security issues: policy-drools-pdp


Type: Task
Resolution: Done
Priority: High
Fix Version: Beijing Release

The following security issues were identified by Nexus IQ Server (the tool used by the LF) on 2017-12-23. See the attached report (RED security issues).

1. sonatype-2017-0312 - com.fasterxml.jackson.core : jackson-databind : 2.9.1 --> possibly a false positive, but we can fix this anyway. All older versions are omitted in compilation.

   Upgrading jersey-media-json-jackson to v2.26 (from 2.25.1) does nothing, as it still uses the old jackson-databind 2.8.*, which is omitted anyway. This results in compilation errors for the JUnit tests.

   Upgrading io.swagger:swagger-jersey2-jaxrs:jar:1.5.18 (from 1.5.16) does pull in jackson-databind 2.9.3.

2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957 - com.thoughtworks.xstream : xstream : 1.4.9 --> Originates from including the dependency org.kie:kie-ci:jar:6.5.0.Final:compile, which includes several dependencies that ultimately include plexus-utils. Upgrading to a 7.x version would be too dangerous, and it is unclear whether any of its internal dependencies would have upgraded plexus-utils at all.

3. sonatype-2017-0359 - org.apache.httpcomponents : httpclient : 4.5.2 --> upgrade to 4.5.3 or above.

4. sonatype-2016-0398 - org.codehaus.plexus : plexus-utils : 3.0.20 --> Originates from including the dependency org.kie:kie-ci:jar:6.5.0.Final:compile, which includes several dependencies that ultimately include plexus-utils. Upgrading to a 7.x version would be too dangerous, and it is unclear whether any of its internal dependencies would have upgraded plexus-utils at all.
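The transitive chains described in items 2 and 4 (kie-ci reaching plexus-utils and xstream through intermediate dependencies) and the "omitted" versions mentioned in item 1 are both visible in the output of mvn dependency:tree -Dverbose. The script below is an added example, not part of this ticket or of the policy-drools-pdp code base: it parses that output, skips entries Maven reports as omitted (they never reach the classpath, which is the point made in item 1), and for each artifact named in the report returns the version found and the chain of dependencies it arrived through. The sample tree, the root artifact and the org.example:constructed-intermediate artifact are constructed, since the ticket only says kie-ci reaches plexus-utils via "several dependencies"; the fixed versions in FLAGGED come from the ticket (httpclient 4.5.3, jackson-databind 2.9.3), and xstream and plexus-utils have no fixed version given here, so every non-omitted occurrence of them is reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum acceptable versions taken from the ticket text. None means the ticket
# names no fixed version, so every occurrence on the classpath is reported.
FLAGGED: Dict[str, Optional[str]] = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.3",
    "com.thoughtworks.xstream:xstream": None,
    "org.apache.httpcomponents:httpclient": "4.5.3",
    "org.codehaus.plexus:plexus-utils": None,
}

# Constructed sample of `mvn dependency:tree -Dverbose` output (not real project
# output). org.example:demo-app and org.example:constructed-intermediate are placeholders.
SAMPLE_TREE = """\
[INFO] org.example:demo-app:jar:1.0
[INFO] +- io.swagger:swagger-jersey2-jaxrs:jar:1.5.18:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:compile
[INFO] +- org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.26:compile
[INFO] |  \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile - omitted for conflict with 2.9.3)
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] \\- org.kie:kie-ci:jar:6.5.0.Final:compile
[INFO]    \\- org.example:constructed-intermediate:jar:1.0:compile
[INFO]       +- org.codehaus.plexus:plexus-utils:jar:3.0.20:compile
[INFO]       \\- com.thoughtworks.xstream:xstream:jar:1.4.9:compile
"""

# A tree line is "[INFO] " + a prefix built from 3-character segments + the coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<body>\S.*)$")
# With -Dverbose, dependencies that lost mediation are shown in parentheses.
OMITTED_RE = re.compile(r"^\((?P<coord>\S+) - (?P<reason>.+)\)$")


@dataclass
class Node:
    ga: str            # groupId:artifactId
    version: str
    scope: str
    omitted: bool      # reported in parentheses: not on the resolved classpath
    via: List[str]     # ancestors from the direct dependency down, root excluded


def _split_coord(coord: str):
    # g:a:type:version[:scope] or g:a:type:classifier:version:scope
    parts = coord.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {coord}")
    version = parts[4] if len(parts) == 6 else parts[3]
    scope = parts[-1] if len(parts) >= 5 else ""
    return f"{parts[0]}:{parts[1]}", version, scope


def parse_tree(text: str) -> List[Node]:
    nodes: List[Node] = []
    stack: List[str] = []          # "g:a:version" labels of the current ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        body = m.group("body")
        om = OMITTED_RE.match(body)
        coord = om.group("coord") if om else body
        if coord.count(":") < 3:
            continue               # plugin banner or other non-tree output
        ga, version, scope = _split_coord(coord)
        del stack[depth:]          # pop back to this node's parent
        nodes.append(Node(ga, version, scope, omitted=bool(om), via=stack[1:]))
        stack.append(f"{ga}:{version}")
    return nodes


def version_key(v: str):
    # Numeric comparison where possible; qualifiers such as "Final" count as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def find_flagged(text: str, flagged: Dict[str, Optional[str]] = FLAGGED) -> List[dict]:
    findings = []
    for n in parse_tree(text):
        if n.omitted or n.ga not in flagged:
            continue               # omitted versions never reach the classpath
        fixed = flagged[n.ga]
        if fixed is None or version_key(n.version) < version_key(fixed):
            findings.append({"artifact": n.ga, "version": n.version,
                             "fixed_in": fixed, "via": n.via})
    return findings


if __name__ == "__main__":
    for f in find_flagged(SAMPLE_TREE):
        chain = " -> ".join(f["via"] + [f"{f['artifact']}:{f['version']}"])
        fix = f"upgrade to {f['fixed_in']}+" if f["fixed_in"] else "no fixed version identified"
        print(f"{f['artifact']} {f['version']}: {fix}\n    via {chain}")
```

Run it against a real tree with python check_tree.py < tree.txt after replacing SAMPLE_TREE with sys.stdin.read(). The chain printed for plexus-utils and xstream is what tells you that the fix has to happen at the kie-ci level rather than by pinning the leaf artifact, and the absence of the 2.8.10 jackson-databind entry from the findings is the "omitted in compilation" observation from item 1 made mechanical.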

People: pdragosh, katel34
Votes: 0
Watchers: 3
