LF CLM report identified a vulnerability in the flowing dependency:

group: org.eclipse.jetty

Artifact: jetty-http

this dependency was identified in:

 Dependency org.eclipse.jetty:jetty-http:jar:9.0.6.v20130930 located at Module org.openecomp.sdc.onboarding:onboarding-be:war:1.3.0-SNAPSHOT

Dependency org.eclipse.jetty:jetty-http:jar:9.3.6.v20151106 located at Module org.openecomp.sdc.onboarding:notifications-fe:war:1.3.0-SNAPSHOT

the closest version with a fix is 9.4.11.v20180605

Note this may require updating the jetty used in the deployment.