Project: Drools
Issue: DROOLS-5212

Latest Drools-compiler version has a dependency on xstream-1.4.11.1.jar, which is causing HIGH vulnerability CVE-2013-7285


    • Type: Enhancement
    • Resolution: Not a Bug
    • Priority: Major
    • Sprint: 2020 Week 13-15 (from Mar 23)
    • Status: NEW

All drools-compiler versions after 7.21.0.Final are using xstream version 1.14.11.1. We are using anchore engine for vulnerability scan and it is giving HIGH vulnerability CVE-2013-7285 - https://nvd.nist.gov/vuln/detail/CVE-2013-7285. There is a workaround to implement the security framework. However, we are using the kie-ci jar, which has the drools-compiler dependency. So to resolve this, we have to implement the workaround in the drools-compiler source code, build the jar and use it. But this solution is not maintainable.

Are there any plans to implement the security framework in the next version of drools-compiler?
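What "implementing the security framework" refers to, shown as an added example that is not part of this issue or of the Drools code base: an XStream instance configured with XStream's own allow-list API (present since XStream 1.4.7) so that only explicitly permitted types can be unmarshalled, which is the vendor mitigation for CVE-2013-7285. The `Greeting` class and the `com.example.model` package are hypothetical placeholders; the reporter's point is that this configuration has to be applied wherever the library itself creates its XStream instance.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type that we legitimately expect to unmarshal.
    public static class Greeting {
        public String text;
    }

    /** Build an XStream instance that refuses every type except those explicitly allowed. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything": NoTypePermission.NONE resets the permission list.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-open only what the application needs: null, primitives/wrappers, and our own types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        // Package-wide allow-list for the application's model classes (hypothetical package name).
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        xstream.alias("greeting", Greeting.class);

        // Constructed sample input: a document naming an allowed type unmarshals normally.
        Greeting ok = (Greeting) xstream.fromXML("<greeting><text>hello</text></greeting>");
        System.out.println("allowed: " + ok.text);

        // Constructed sample input: a document naming a type outside the allow-list is rejected
        // by the mapper before any instance of that type is created.
        try {
            xstream.fromXML("<java.util.Properties/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the allow-list, the second document would be resolved to whatever class its element name denotes; with it, the only types the parser can ever instantiate are the ones listed here.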

    • Assignee: Mario Fusco (mfusco@redhat.com)
    • Reporter: Priti Rane (pritirane) (Inactive)