  1. aaa
  2. AAA-143

Severe security and license analysis issues in jackson-databind and jackson-dataformat-xml on Nexus IQ server CLM Job


Details

    • Bug
    • Status: Resolved
    • Highest
    • Resolution: Done
    • None
    • Fluorine
    • General
    • None
    • Operating System: All
      Platform: All

    • 8992

    Description

      Several projects (originally raised in private email among committers of genius, then seen by me on infrautils, now raised by An Ho on https://lists.opendaylight.org/pipermail/release/2017-August/011985.html for daexim) have hit Severe License analysis issues in jackson-dataformat-xml on Nexus IQ server CLM Job, seen e.g. here: https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35, due to what it thinks is an "Apache-2.0, LGPL-2.1, No Source License" on component com.fasterxml.jackson.dataformat : jackson-dataformat-xml : 2.3.2.

      Stephen Kitt (skitt) in private email dixit, quote: "Likewise, there’s a security issue with Jackson (again, I haven’t checked in detail), and we pull that in via AAA and/or odlparent, so it’s not Genius’s concern either."

      Let's track looking into what's going on there in this bug.

      I'm not sure which project needs to do something about this - let's start with AAA? (Folks from AAA, of course, please move this bug to another project appropriately, if jackson-dataformat-xml isn't inherited by all these other projects from you?)

          People

            rgoulding Ryan Goulding
            vorburger Michael Vorburger