A code scan of APM 10.7.0 SP3 reports vulnerabilities, flagged mainly against jackson-databind because the version found is lower than 2.9.8.
The findings are located within the "hotfix" folder.
That folder contains the previous, problematic jar files.
In this scenario, the <EM folder>/hotfix/10.7.0-HF29/ backup is created while applying the patch.
CA APM 10.7 SP3
Per engineering and as a best practice, the folders <EM/WV/WS_HOME>/hotfix and <EM_HOME>/backup have to be deleted before the scan.
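
To check that the flagged jars sit only in those leftover folders, the following added example (not part of the original article or of the product) lists jackson-databind jars below 2.9.8 under an installation directory and labels each one as leftover or live. The `jackson-databind-<version>.jar` naming, the `lib` directory and the sample version numbers are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: list jackson-databind jars older than the scanner threshold and
# mark whether each sits in a leftover patch folder or in the live installation.
# Assumption: jars use the usual jackson-databind-<version>.jar file name.
MIN_VERSION="2.9.8"   # threshold quoted in the scan finding

# version_lt A B: succeeds when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# scan_home DIR: prints "<class> <version> <path>" for every jar below MIN_VERSION.
# "leftover" = under DIR/hotfix or DIR/backup, "live" = anywhere else under DIR.
scan_home() {
    home=${1%/}
    find "$home" -type f -name 'jackson-databind-*.jar' | sort | while IFS= read -r jar; do
        ver=${jar##*/jackson-databind-}; ver=${ver%.jar}
        version_lt "$ver" "$MIN_VERSION" || continue
        case "${jar#"$home"/}" in
            hotfix/*|backup/*) class=leftover ;;
            *)                 class=live ;;
        esac
        echo "$class $ver $jar"
    done
}

# make_sample_home: builds a constructed layout; empty files stand in for jars,
# and the lib/ directory and both version numbers are made up for the demo.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/hotfix/10.7.0-HF29" "$d/lib"
    : > "$d/hotfix/10.7.0-HF29/jackson-databind-2.8.6.jar"
    : > "$d/lib/jackson-databind-2.9.8.jar"
    echo "$d"
}

# Scan the directory given as $1, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then
    scan_home "$1"
else
    sample=$(make_sample_home); scan_home "$sample"; rm -rf "$sample"
fi
```

A `live` line points at a jar outside the hotfix and backup folders, which deleting those folders will not remove.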