# advice-data-governance
a
Hi, the team I work with have recently put DataHub through a container scanning tool. The report detailed a lot of CVEs for DataHub, including both Critical and High. Some of these CVEs go back to 2017 with the Jackson-Databind elements but also include critical CVEs related to Log4j and the Spring Framework. How can we look to treat some of these? If the vulnerabilities have been considered before, is there any assessment of those CVEs and why they are deemed not critical to DataHub in the context of how it is deployed? Thank you. Chris.
s
Can you please raise an issue at https://github.com/datahub-project/datahub/issues with details of your findings? I can see someone else had raised one for jackson-databind recently (https://github.com/datahub-project/datahub/issues/4750), but they did not mention a lot of details. Maybe you can add your findings there?
Details like what tools you used for scanning, what CVEs you found, which Docker image you checked, severity, etc.