Abe Fine recently submitted a patch to look for known security issues (CVEs) in third party dependencies: https://issues.apache.org/jira/browse/ZOOKEEPER-2875
This is a very useful tool - thanks Abe! It was committed to trunk and I recently cherrypicked it onto 3.4 and 3.5 code lines. I ran the check on all open branches (trunk/3.4/3.5) and it's mostly clean, although there is a recent issue identified in Jetty that we should take care of (3.5+ only) - that said the severity for us seems low (not sure if we expose that functionality). Patrick
