From time to time I see the Security framework of XStream not initialized, XStream is probably vulnerable. warning in the Tomcat log. Not sure whether it needs to be addressed. For sure there is the xstream-1.4.12.jar file under the opengrok-web module.