  1. Service Design and Creation
  2. SDC-1715

Fix security violation CVE-2015-3253


    • Task
    • Resolution: Done
    • Medium
    • Casablanca Release
    • None
    • Onboarding
    • None

      The LF CLM report identified a vulnerability in the following dependency:

      Group: org.codehaus.groovy

      Artifact: groovy

      This dependency was identified in:

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc.be:catalog-dao:jar:1.3.0-SNAPSHOT

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc.be:catalog-model:jar:1.3.0-SNAPSHOT

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc:asdctool:jar:1.3.0-SNAPSHOT

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc:catalog-be:war:1.3.0-SNAPSHOT

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc:test-apis-ci:jar:1.3.0-SNAPSHOT

      Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc:ui-ci:jar:1.3.0-SNAPSHOT
       

      The closest version with a fix is 2.4.8.

      It looks like in a lot of places we use the groovy-all dependency, which brings in a lot of things that may not be needed; consider replacing it with the groovy jar or groovy-all-minimal.

      Reopened: need to fix the issue with the indy dependency that is still shown in the CLM report.

            tgitelman
            ml636r

                Estimated: Original Estimate - 4 hours
                Remaining: Remaining Estimate - 4 hours
                Logged: Time Spent - Not Specified
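
One way to re-check a CLM report after the upgrade and list the modules that still carry a Groovy artifact older than the 2.4.8 named in the ticket, including jars with a classifier such as indy. This is an added example, not code from the SDC project: the report lines are constructed in the ticket's format, the function names are hypothetical, and it assumes a classifier appears as a fifth coordinate field (Maven's group:artifact:type:classifier:version form).

```python
import re
from collections import defaultdict

FIXED = (2, 4, 8)  # version the ticket names as the closest one with a fix
LINE_RE = re.compile(r"Dependency\s+(\S+)\s+located at Module\s+(\S+)")

# Constructed sample in the ticket's report format (not real CLM output).
SAMPLE = """\
Dependency org.codehaus.groovy:groovy:jar:2.4.8 located at Module org.openecomp.sdc.be:catalog-dao:jar:1.3.0-SNAPSHOT
Dependency org.codehaus.groovy:groovy:jar:indy:2.4.1 located at Module org.openecomp.sdc:catalog-be:war:1.3.0-SNAPSHOT
Dependency org.codehaus.groovy:groovy:jar:2.4.1 located at Module org.openecomp.sdc:ui-ci:jar:1.3.0-SNAPSHOT
Dependency com.example:other:jar:1.0 located at Module org.openecomp.sdc:ui-ci:jar:1.3.0-SNAPSHOT
"""

def parse_coord(coord):
    """Split group:artifact:type[:classifier]:version into its fields."""
    parts = coord.split(":")
    if len(parts) == 4:
        parts.insert(3, None)  # no classifier present
    if len(parts) != 5:
        raise ValueError(f"unexpected coordinate: {coord!r}")
    return dict(zip(("group", "artifact", "type", "classifier", "version"), parts))

def version_key(version):
    """Numeric prefix as a tuple, so '2.4.10' sorts above '2.4.8'.
    Qualifiers are ignored: '2.4.8-SNAPSHOT' compares equal to 2.4.8."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(n) for n in m.group().split("."))
    return nums + (0,) * (3 - len(nums))

def vulnerable_modules(report, group="org.codehaus.groovy", prefix="groovy"):
    """Return {module: [artifact[:classifier]:version, ...]} for every
    Groovy artifact (groovy, groovy-all, ...) older than FIXED."""
    hits = defaultdict(set)
    for dep, module in LINE_RE.findall(report):
        c = parse_coord(dep)
        if c["group"] != group or not c["artifact"].startswith(prefix):
            continue
        if version_key(c["version"]) < FIXED:
            name = c["artifact"] + (f":{c['classifier']}" if c["classifier"] else "")
            hits[module].add(f"{name}:{c['version']}")
    return {module: sorted(found) for module, found in hits.items()}

if __name__ == "__main__":
    for module, found in vulnerable_modules(SAMPLE).items():
        print(module, "->", ", ".join(found))
```

An empty result means no listed module still pulls a Groovy artifact below the fixed version; a classifier entry in the output points at a jar that a version bump of the plain artifact did not cover.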