CVE-2018-10237 has been raised against guava v20.0.

Although it's not a direct dependency, SJC transitively depends on guava v20.0 via swagger-core v1.5.16.