Issue Type: Component Upgrade
Resolution: Done
Priority: Major
The json-smart library is a transitive dependency of a test dependency, nimbus-jose-jwt. The transitive dependency version has a CVE filed against it, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31684, and security scanners run against the WF code are flagging it.
Options:
1) Move nimbus-jose-jwt to a later version whose transitive dependency is on a fixed version of json-smart.
2) Exclude the transitive dependency if we don't need it.
3) Control the transitive dependency version in dependency management and upgrade it.
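As an added illustration (not from this ticket or the project's own pom), the following Maven fragment shows what options 2 and 3 look like side by side. The coordinates `net.minidev:json-smart` and `com.nimbusds:nimbus-jose-jwt` are the published Maven coordinates of the two libraries; the version properties are placeholders, since the ticket does not name the affected or fixed versions. In a real pom you would apply only one of the two approaches.

```xml
<project>
  <properties>
    <!-- Placeholder: set to the nimbus-jose-jwt release already used by the project. -->
    <version.nimbus-jose-jwt>NIMBUS_VERSION_PLACEHOLDER</version.nimbus-jose-jwt>
    <!-- Placeholder: set to a json-smart release that fixes CVE-2021-31684. -->
    <version.json-smart>FIXED_JSON_SMART_VERSION_PLACEHOLDER</version.json-smart>
  </properties>

  <!-- Option 3: pin the transitive dependency project-wide. Maven's nearest-wins
       resolution otherwise picks whatever version nimbus-jose-jwt declares. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${version.json-smart}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>${version.nimbus-jose-jwt}</version>
      <scope>test</scope>
      <!-- Option 2: drop the transitive dependency entirely. Only safe if nothing
           exercised by the tests actually loads json-smart classes; otherwise the
           tests fail with NoClassDefFoundError rather than at build time. -->
      <exclusions>
        <exclusion>
          <groupId>net.minidev</groupId>
          <artifactId>json-smart</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Whichever option is chosen, confirm the result with `mvn dependency:tree -Dincludes=net.minidev:json-smart`: for option 2 the artifact should no longer appear at all, and for options 1 and 3 it should resolve to the fixed version on every module, which is also what the scanner will re-check.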