# ksp
j
Hello my people! We run an OWASP dependency analyzer. According to this analyzer, the KSP plugin and the room-ksp has a vulnerability:
room-compiler-processing-2.4.3.jar (pkg:maven/androidx.room/room-compiler-processing@2.4.3, cpe:2.3:a:processing:processing:2.4.3:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing@1.7.10-1.0.6, cpe:2.3:a:processing:processing:1.7.10.1:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-api-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing-api@1.7.10-1.0.6, cpe:2.3:a:processing:processing:1.7.10.1:*:*:*:*:*:*:*) : CVE-2018-1000840
Am I correct that we can safely ignore this? I assume the generated code will not be affected by this. (We are building an Android application, so we care mostly about runtime safety.)
j
We are not using processing in our code; it might be a transitive dependency. And yes, generated code won't be affected by this.