Concerns with CVEs from CA Wily for the Introscope Agent jar files
Article ID: 137101

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE

Issue/Introduction

There are several critical and severe CVEs coming from CA Wily for the following jars:

Derby: CVE-2015-1832, CVE-2010-2232, CVE-2009-4269
Jackson-mapper-asl: CVE-2017-7525
HttpClient: SONATYPE-2017-0359, SONATYPE-2007-0004, CVE-2012-5783, CVE-2012-6153
Xerces: CVE-2012-0881, CVE-2013-4002, SONATYPE-2017-0348
Guava: CVE-2018-10237
Jetty: CVE-2018-12536
commons-compress: CVE-2018-11771, SONATYPE-2018-0293
jsch: CVE-2016-5725

I would not feel comfortable waiving these CVEs. Also we are getting several critical CVEs for IronPython.jar through the 6db449585c248c8616482e9b7a179c81b355203102a1db58633139080eb96e79 Base Image Layer for JDK 8: CVE-2018-18074, CVE-2018-20060, SONATYPE-2014-0148, SONATYPE-2012-0071

Environment

Release : 10.7

Component : APM Agents

Cause

Engineering has identified and provided a fix.

Resolution

Engineering has fixed this and provided Hot Fix APM10.7.0HF43 (APM 10.7.0.235, build-994301).

All the vulnerabilities except Guava and commons-compress have been addressed. Here is the explanation for marking these two as false positives.

Guava - The reported vulnerability is for serialization, but we do not use Guava for serialization/deserialization.

Commons-compress - Our usage of commons-compress only unzips archives that are part of our product. We do not unzip any archives that are received from outside sources.

Please open a support case to obtain APM10.7.0HF43
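To confirm which of the libraries listed in the issue above are bundled in an installed agent's jar files, and at what version, before and after applying the hot fix, here is an added example (not CA/Broadcom code). It assumes the bundled libraries expose Maven pom.properties entries and that the lower-cased artifactId prefixes used as REPORTED keys are correct; the sample jar it builds is constructed for offline testing.

```python
import io
import re
import zipfile

# Library -> identifiers quoted in this article. Keys are assumed Maven
# artifactId prefixes (lower-cased), not names taken from the agent's jars.
REPORTED = {
    "derby": ["CVE-2015-1832", "CVE-2010-2232", "CVE-2009-4269"],
    "jackson-mapper-asl": ["CVE-2017-7525"],
    "httpclient": ["SONATYPE-2017-0359", "SONATYPE-2007-0004", "CVE-2012-5783", "CVE-2012-6153"],
    "xerces": ["CVE-2012-0881", "CVE-2013-4002", "SONATYPE-2017-0348"],
    "guava": ["CVE-2018-10237"],
    "jetty": ["CVE-2018-12536"],
    "commons-compress": ["CVE-2018-11771", "SONATYPE-2018-0293"],
    "jsch": ["CVE-2016-5725"],
    "ironpython": ["CVE-2018-18074", "CVE-2018-20060", "SONATYPE-2014-0148", "SONATYPE-2012-0071"],
}
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/([^/]+)/pom\.properties$")

def inventory(jar_name, jar_bytes):
    """Return {library: version}: one entry per Maven pom.properties in the jar
    (shaded jars carry one per bundled library) plus the jar's own name ('?')."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(ln.split("=", 1) for ln in text.splitlines()
                         if "=" in ln and not ln.startswith("#"))
            found[m.group(1).lower()] = props.get("version", "?").strip()
    # Jars without Maven metadata (e.g. IronPython.jar) are matched by file name.
    found.setdefault(re.sub(r"\.jar$", "", jar_name.lower()), "?")
    return found

def flag(inv):
    """Pair each library with the identifiers the article reports for it."""
    return {lib: (ver, REPORTED[key]) for lib, ver in inv.items()
            for key in REPORTED if lib.startswith(key)}

def make_sample_jar():
    """Constructed test jar bundling guava plus an unrelated library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "#generated\nversion=20.0\nartifactId=guava\n")
        zf.writestr("META-INF/maven/org.example/other/pom.properties",
                    "version=1.0\nartifactId=other\n")
    return buf.getvalue()
```

Run inventory() and flag() over each jar in the agent's lib directory and compare the versions reported with what the hot fix ships; a library that still matches REPORTED after the update is worth raising on the support case.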