The ABAP plugin bundles two dependencies with vulnerabilities referenced in NVD:
- Guava suffers from CVE-2018-10237 in Java/GWT serialisations
- commons-io has a Path Traversal vulnerability (see https://issues.apache.org/jira/browse/IO-556).
These vulnerabilities are not exploitable but raise false-positives in security audits. Upgrading to Guava 24.1.1+ and commons-io 2.8.0+ will kill the noise.