done as part of 33.0.0

This issue is back again as a vulnerability in the GitHub scans since yesterday: https://github.com/folio-org/raml-module-builder/network/alert/pom.xml/com.google.guava:guava/open

This is still an issue because RMB's domain-models-runtime ships with com.google.guava:guava:jar:19.0 and the affected files:
com/google/common/util/concurrent/AtomicDoubleArray.class
com/google/common/collect/CompoundOrdering.class

This is reported by https://www.owasp.org/index.php/OWASP_Dependency_Check

This is the dependency tree produced by mvn dependency:tree -Dverbose -Dincludes=com.google.guava:

Adam is correct that domain-models-runtime ships a bunch of libraries that are not needed for most of the RMB using modules.

Our domain-models-runtime code uses Guava (com.google.*) but this can easily replaced by JDK 8 methods or by Apache Libraries (Commons, IO, ...) that we already include and use.

This is no longer showing up as a vulnerability in the GitHub scans.

Two observations: why are are having drools around? Is it even in use?
And secondly, we should not bundle the code generator with the runtime