After deploying Virtual Appliance 14.1 using Oracle 12c as an external database. A vulnerability report was ran and showed that the "invalid" database objects as a potential vulnerability. Should this value be changed to "valid" or can it be ignored?

These "invalid" objects will be formed if there is a change in the schema, automatically these will get converted into valid, whenever these objects are invoked.

These can be ignored are there won't be a problem leaving the objects as "invalid". If a decision is made to change the objects to valid, here are the following steps:

EXEC DBMS_UTILITY.compile_schema(schema => 'SCOTT');

This would make all the 'invalid' objects to 'valid'