Hello.
I figured out that the xgboost package does not pass Dependency Tracker. It indicates CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).
I cannot point to the exact code snippet with the vulnerability so far.
Is that a known issue?