The “jackson” libraries that are widely used in ONAP projects have no versions without vulnerabilities, and from what anyone can tell, there will never be on. According to Security Committee, there are a number of candidate replacement packages. 

1. The projects MUST select a package without known vulnerabilities to replace the Jackson Data Processor libraries (jackson-databind, jackson-core, etc).
2. All projects MUST migrate to the Jackson Data Processor replacement unless they are inheriting the dependency from an outside project such as ODL.