LF CLM report identified a vulnerability in the flowing dependency:

group: org.codehaus.groovy

Artifact: groovy

this dependency was identified in:

Dependency org.codehaus.groovy:groovy:jar:2.4.7 located at Module org.openecomp.sdc.onboarding:notifications-fe:war:1.3.0-SNAPSHOT

Dependency org.codehaus.groovy:groovy:jar:2.4.7 located at Module org.openecomp.sdc.onboarding:onboarding-be:war:1.3.0-SNAPSHOT
 

the closest version with a fix is 2.4.8

it looks like in a lot of places we use groovy all dependency which brings a lot of things that may not be needed consider replacing with groovy jar or groovy-all-minimale