We should upgrade jjwt to 0.9.0.
There are multiple vulnerabilities in jjwt dependencies:
- CVE-2017-5929 for logback (since we provide a newer version, SonarQube should not be affected)
- CVE-2016-1000341 for BouncyCastle (https://github.com/jwtk/jjwt/issues/220)
- CVE-2017-7525 for Jackson Deserialization (https://bugzilla.redhat.com/show_bug.cgi?id=1473260, https://github.com/FasterXML/jackson-databind/issues/1599)