Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Plexus utils makes it into your output jar which means when people depend on Sendinblue it will trigger any automated security monitoring such as AWS Inspector.
It doesn't really make sense to me that a Maven plugin you seem to be using to sign your artifacts is also shipped out inside those artifacts, but I'm not familiar with Maven so maybe that's normal.
org.apache.maven.plugins:maven-gpg-plugin should be updated because 1.5 depends on a vulnerable version of org.codehaus.plexus:plexus-utils
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487
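To verify the claim above that plexus-utils ends up inside the published jar, here is an added Python check (not the Sendinblue project's or the issue author's code): it builds a constructed jar that shades plexus-utils together with its Maven pom.properties, reads the bundled version, and flags anything before the 3.0.16 fix named in the CVE description. It assumes the shaded copy keeps its META-INF/maven/org.codehaus.plexus/plexus-utils/pom.properties entry and the org/codehaus/plexus/util/ class path.

```python
import re
import tempfile
import zipfile
from typing import Optional, Tuple

# Assumed locations of shaded plexus-utils metadata and classes inside a jar;
# the fixed version (3.0.16) comes from the CVE description in the issue.
PLEXUS_POM_PROPERTIES = "META-INF/maven/org.codehaus.plexus/plexus-utils/pom.properties"
PLEXUS_CLASS_PREFIX = "org/codehaus/plexus/util/"
FIXED_VERSION = (3, 0, 16)


def parse_version(version: str) -> tuple:
    """'3.0.15' -> (3, 0, 15); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def bundled_plexus_utils_version(jar_path: str) -> Optional[str]:
    """Version of plexus-utils shaded into the jar, 'unknown' when its classes
    are present without pom.properties, or None when it is not bundled."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if PLEXUS_POM_PROPERTIES in names:
            for line in jar.read(PLEXUS_POM_PROPERTIES).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
        if any(n.startswith(PLEXUS_CLASS_PREFIX) for n in names):
            return "unknown"
    return None


def is_vulnerable_version(version: Optional[str]) -> bool:
    """True for bundled versions before 3.0.16; an unidentifiable bundled copy
    is treated as vulnerable so that it gets reviewed rather than ignored."""
    if version is None:
        return False
    return version == "unknown" or parse_version(version) < FIXED_VERSION


def build_sample_jar(path: str, version: str) -> None:
    """Write a constructed jar that shades plexus-utils at the given version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(PLEXUS_CLASS_PREFIX + "StringUtils.class", b"\xca\xfe\xba\xbe")
        jar.writestr(PLEXUS_POM_PROPERTIES,
                     f"groupId=org.codehaus.plexus\nartifactId=plexus-utils\nversion={version}\n")


def audit_sample(version: str) -> Tuple[Optional[str], bool]:
    """Build a constructed jar at the given plexus-utils version and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = tmp + "/sample.jar"
        build_sample_jar(path, version)
        found = bundled_plexus_utils_version(path)
        return found, is_vulnerable_version(found)
```

Point `bundled_plexus_utils_version` at a real artifact jar to see whether, and at which version, plexus-utils was shaded in.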