Hello, I am hoping you could help me with our vulnerability remediation process. We have several development teams using Apache Beam in their projects. When performing our Software Composition Analysis (Third-Party Software) scan, projects utilizing Apache Beam have an incredible number of CVEs, Jackson Data Mapper being an extreme outlier.
Jackson Data Mapper is a transitive dependency via Avro, but I am wondering: has the Apache Beam team reviewed these CVEs and found them NOT EXPLOITABLE as implemented? Or, if exploitable, has it implemented mitigations pre/post usage of the library?

Thank you for your time,
Josh

Joshua Brule | Sr Information Security Engineer