diff --git a/.travis.yml b/.travis.yml
index f4aa88b4bdc..a0ad65bdb1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -114,6 +114,18 @@ jobs:
         https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html
         "
 
+    - name: "security vulnerabilities"
+      install: skip
+      script: ${MVN} dependency-check:check
+      after_failure: |-
+        echo "FAILURE EXPLANATION:
+
+        The OWASP dependency check has found security vulnerabilities. Please use a newer version
+        of the dependency that does not have vulenerabilities. If the analysis has false positives,
+        they can be suppressed by adding entries to owasp-dependency-check-suppressions.xml (for more
+        information, see https://jeremylong.github.io/DependencyCheck/general/suppression.html).
+        "
+
     - &package
       name: "(openjdk8) packaging check"
       install: skip
diff --git a/benchmarks/pom.xml b/benchmarks/pom.xml
index 027f81f6737..9b85b21cf10 100644
--- a/benchmarks/pom.xml
+++ b/benchmarks/pom.xml
@@ -216,6 +216,13 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
     </plugins>
     <pluginManagement>
       <plugins>
diff --git a/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java b/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
index 6bd56cbc2a6..2a241f66de7 100644
--- a/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
+++ b/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
@@ -43,7 +43,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
 {
   private JsonParser jp;
   private ObjectCodec objectCodec;
-  private final TypeReference typeRef;
+  private final TypeReference<T> typeRef;
   private final InputStream inputStream;
   private final Closeable resourceCloser;
   private final ObjectMapper objectMapper;
@@ -55,7 +55,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
    * @param objectMapper   object mapper, used for deserialization
    */
   public JsonIterator(
-      TypeReference typeRef,
+      TypeReference<T> typeRef,
       InputStream inputStream,
       Closeable resourceCloser,
       ObjectMapper objectMapper
diff --git a/distribution/bin/check-licenses.py b/distribution/bin/check-licenses.py
index cbbcf3c1831..aad34cb5ca3 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -239,6 +239,7 @@ def build_compatible_license_names():
     compatible_licenses['The BSD 3-Clause License'] = 'BSD-3-Clause License'
     compatible_licenses['Revised BSD'] = 'BSD-3-Clause License'
     compatible_licenses['New BSD License'] = 'BSD-3-Clause License'
+    compatible_licenses['3-Clause BSD License'] = 'BSD-3-Clause License'
 
     compatible_licenses['ICU License'] = 'ICU License'
 
@@ -254,6 +255,10 @@ def build_compatible_license_names():
     compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
 
+    compatible_licenses['Eclipse Distribution License 1.0'] = 'Eclipse Distribution License 1.0'
+    compatible_licenses['Eclipse Distribution License - v 1.0'] = 'Eclipse Distribution License 1.0'
+    compatible_licenses['EDL 1.0'] = 'Eclipse Distribution License 1.0'
+
     compatible_licenses['Mozilla Public License Version 2.0'] = 'Mozilla Public License Version 2.0'
     compatible_licenses['Mozilla Public License, Version 2.0'] = 'Mozilla Public License Version 2.0'
 
diff --git a/distribution/pom.xml b/distribution/pom.xml
index 215cd8d95b1..ac8848fa7e9 100644
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -98,6 +98,13 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
@@ -421,4 +428,4 @@
             </build>
         </profile>
     </profiles>
-</project>
\ No newline at end of file
+</project>
diff --git a/extensions-contrib/ambari-metrics-emitter/pom.xml b/extensions-contrib/ambari-metrics-emitter/pom.xml
index fb81ee14695..59639ab20f9 100644
--- a/extensions-contrib/ambari-metrics-emitter/pom.xml
+++ b/extensions-contrib/ambari-metrics-emitter/pom.xml
@@ -69,6 +69,12 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <!-- transitive dependency of org.apache.amabri:ambari-metrics-common; override version to fix security vulnerabilities -->
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-annotations</artifactId>
+      <version>${hadoop.compile.version}</version>
+    </dependency>
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
@@ -126,6 +132,22 @@
       <scope>test</scope>
     </dependency>
   </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-dependency-plugin</artifactId>
+        <configuration>
+          <ignoredUnusedDeclaredDependencies>
+            <!-- Transitive dependency but explicitly added to fix security vulnerability -->
+            <ignoredUnusedDeclaredDependency>org.apache.hadoop:hadoop-annotations</ignoredUnusedDeclaredDependency>
+          </ignoredUnusedDeclaredDependencies>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
   <repositories>
     <repository>
       <id>hortonworks</id>
diff --git a/extensions-contrib/cassandra-storage/pom.xml b/extensions-contrib/cassandra-storage/pom.xml
index 6171a008fc3..993e0057300 100644
--- a/extensions-contrib/cassandra-storage/pom.xml
+++ b/extensions-contrib/cassandra-storage/pom.xml
@@ -41,6 +41,11 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
+            <!--
+              ~ This library is no longer actively developed and should be migrated to DataStax Java Driver for Apache
+              ~ Cassandra. Even the latest version of astyanax (3.10.2) has transitive dependencies with security
+              ~ vulenerabilites with CVSS scores greater than 7 (e.g., libthrift 0.9.1).
+            -->
             <groupId>com.netflix.astyanax</groupId>
             <artifactId>astyanax</artifactId>
             <version>1.0.1</version>
@@ -113,6 +118,11 @@
                     <groupId>com.github.stephenc.high-scale-lib</groupId>
                     <artifactId>high-scale-lib</artifactId>
                 </exclusion>
+                <exclusion>
+                    <!-- Excluded to remove security vulnerability -->
+                    <groupId>org.mortbay.jetty</groupId>
+                    <artifactId>jetty</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java b/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
index ca9e4c5ec18..83881c79cf9 100644
--- a/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
+++ b/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
@@ -38,7 +38,6 @@ import org.apache.druid.client.cache.ForegroundCachePopulator;
 import org.apache.druid.client.cache.MapCache;
 import org.apache.druid.client.selector.ServerSelector;
 import org.apache.druid.data.input.MapBasedRow;
-import org.apache.druid.data.input.Row;
 import org.apache.druid.guice.DruidProcessingModule;
 import org.apache.druid.guice.GuiceInjectors;
 import org.apache.druid.guice.QueryRunnerFactoryModule;
@@ -99,7 +98,7 @@ public class MovingAverageQueryTest extends InitializedNullHandlingTest
   private final RetryQueryRunnerConfig retryConfig;
   private final ServerConfig serverConfig;
 
-  private final List<Row> groupByResults = new ArrayList<>();
+  private final List<ResultRow> groupByResults = new ArrayList<>();
   private final List<Result<TimeseriesResultValue>> timeseriesResults = new ArrayList<>();
 
   private final TestConfig config;
@@ -222,9 +221,9 @@ public class MovingAverageQueryTest extends InitializedNullHandlingTest
     return MovingAverageQuery.class;
   }
 
-  private TypeReference<?> getExpectedResultType()
+  private TypeReference<List<MapBasedRow>> getExpectedResultType()
   {
-    return new TypeReference<List<Row>>()
+    return new TypeReference<List<MapBasedRow>>()
     {
     };
   }
diff --git a/extensions-contrib/thrift-extensions/pom.xml b/extensions-contrib/thrift-extensions/pom.xml
index 80c9af2145f..71d5b03ee5d 100644
--- a/extensions-contrib/thrift-extensions/pom.xml
+++ b/extensions-contrib/thrift-extensions/pom.xml
@@ -36,7 +36,7 @@
   <modelVersion>4.0.0</modelVersion>
 
   <properties>
-    <thrift.version>0.10.0</thrift.version>
+    <thrift.version>0.13.0</thrift.version>
     <elephantbird.version>4.17</elephantbird.version>
     <scrooge.version>19.10.0</scrooge.version>
   </properties>
diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
index 21664d0659f..1646fc334b1 100644
--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
@@ -67,32 +67,32 @@ public class BasicAuthUtils
   public static final int KEY_LENGTH = 512;
   public static final String ALGORITHM = "PBKDF2WithHmacSHA512";
 
-  public static final TypeReference AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthenticatorUser>> AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthenticatorUser>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_USER_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerUser>> AUTHORIZER_USER_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerUser>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerGroupMapping>> AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerGroupMapping>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerRole>> AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerRole>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<UserAndRoleMap> AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<UserAndRoleMap>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<GroupMappingAndRoleMap> AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<GroupMappingAndRoleMap>()
       {
       };
diff --git a/extensions-core/kafka-extraction-namespace/pom.xml b/extensions-core/kafka-extraction-namespace/pom.xml
index 259bdb12f3e..32a1853a644 100644
--- a/extensions-core/kafka-extraction-namespace/pom.xml
+++ b/extensions-core/kafka-extraction-namespace/pom.xml
@@ -33,10 +33,6 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
-  <properties>
-    <apache.kafka.version>2.1.0</apache.kafka.version>
-  </properties>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
diff --git a/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java b/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
index bab8259dbcf..64c5022a376 100644
--- a/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
+++ b/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
@@ -471,7 +471,7 @@ public class NamespaceLookupExtractorFactoryTest
         namespaceLookupExtractorFactory.getExtractionNamespace().getClass()
     );
     Assert.assertFalse(namespaceLookupExtractorFactory.replaces(mapper.readValue(str, LookupExtractorFactory.class)));
-    final Map<String, Object> map = new HashMap<>(mapper.<Map<String, Object>>readValue(
+    final Map<String, Object> map = new HashMap<>(mapper.readValue(
         str,
         JacksonUtils.TYPE_REFERENCE_MAP_STRING_OBJECT
     ));
diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml
index 97f61728766..c29a82a56c0 100644
--- a/extensions-core/protobuf-extensions/pom.xml
+++ b/extensions-core/protobuf-extensions/pom.xml
@@ -35,10 +35,6 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
-  <properties>
-    <protobuf.version>3.2.0</protobuf.version>
-  </properties>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
@@ -111,7 +107,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-shade-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.2.1</version>
         <configuration>
           <createDependencyReducedPom>false</createDependencyReducedPom>
           <relocations>
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java b/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
index 6d33179c27a..e1f3861531e 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
@@ -1079,7 +1079,7 @@ public abstract class SeekableStreamIndexTaskRunner<PartitionIdType, SequenceOff
     final File sequencesPersistFile = getSequencesPersistFile(toolbox);
     if (sequencesPersistFile.exists()) {
       sequences = new CopyOnWriteArrayList<>(
-          toolbox.getJsonMapper().<List<SequenceMetadata<PartitionIdType, SequenceOffsetType>>>readValue(
+          toolbox.getJsonMapper().readValue(
               sequencesPersistFile,
               getSequenceMetadataTypeReference()
           )
diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml
index 79e8c2c8c65..7822af33b3e 100644
--- a/integration-tests/pom.xml
+++ b/integration-tests/pom.xml
@@ -31,10 +31,6 @@
         <version>0.17.0-incubating-SNAPSHOT</version>
     </parent>
 
-    <properties>
-        <apache.kafka.version>2.1.0</apache.kafka.version>
-    </properties>
-
     <dependencies>
         <dependency>
             <groupId>org.apache.druid</groupId>
@@ -252,6 +248,13 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java b/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
index 074c77b11db..71ca9f83a4d 100644
--- a/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
+++ b/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
@@ -41,7 +41,6 @@ import org.jboss.netty.handler.codec.http.HttpResponseStatus;
 import org.joda.time.Interval;
 
 import java.net.URL;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
@@ -96,7 +95,7 @@ public class CoordinatorResourceTestClient
   // return a list of the segment dates for the specified datasource
   public List<String> getMetadataSegments(final String dataSource)
   {
-    ArrayList<String> segments;
+    List<String> segments;
     try {
       StatusResponseHolder response = makeRequest(HttpMethod.GET, getMetadataSegmentsURL(dataSource));
 
@@ -115,7 +114,7 @@ public class CoordinatorResourceTestClient
   // return a list of the segment dates for the specified datasource
   public List<String> getSegmentIntervals(final String dataSource)
   {
-    ArrayList<String> segments;
+    List<String> segments;
     try {
       StatusResponseHolder response = makeRequest(HttpMethod.GET, getIntervalsURL(dataSource));
 
diff --git a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
index e074b2f64c1..cb675bf5b4c 100644
--- a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
+++ b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
@@ -74,12 +74,12 @@ public class ITBasicAuthConfigurationTest
 {
   private static final Logger LOG = new Logger(ITBasicAuthConfigurationTest.class);
 
-  private static final TypeReference LOAD_STATUS_TYPE_REFERENCE =
+  private static final TypeReference<Map<String, Boolean>> LOAD_STATUS_TYPE_REFERENCE =
       new TypeReference<Map<String, Boolean>>()
       {
       };
 
-  private static final TypeReference SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
+  private static final TypeReference<List<Map<String, Object>>> SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
       new TypeReference<List<Map<String, Object>>>()
       {
       };
diff --git a/licenses.yaml b/licenses.yaml
index ecb864c3515..f375dce96fd 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -196,7 +196,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.9.10
+version: 2.10.1
 libraries:
   - com.fasterxml.jackson.core: jackson-annotations
   - com.fasterxml.jackson.core: jackson-core
@@ -233,6 +233,30 @@ notice: |
 
 ---
 
+name: JavaBeans Activation Framework API JAR
+license_category: binary
+module: java-core
+license_name: Eclipse Distribution License 1.0
+version: 1.2.1
+copyright: Oracle and/or its affiliates.
+license_file_path: licenses/bin/jakarta.EDL1
+libraries:
+  - jakarta.activation: jakarta.activation-api
+
+---
+
+name: Jakarta XML Bind API
+license_category: binary
+module: java-core
+license_name: Eclipse Distribution License 1.0
+version: 2.3.2
+copyright: Oracle and/or its affiliates.
+license_file_path: licenses/bin/jakarta.EDL1
+libraries:
+  - jakarta.xml.bind: jakarta.xml.bind-api
+
+---
+
 name: Caffeine
 license_category: binary
 module: java-core
@@ -2744,11 +2768,21 @@ license_name: Apache License version 2.0
 version: 1.0.0-M20
 libraries:
   - org.apache.directory.api: api-asn1-api
+
+---
+
+name: Apache Directory
+license_category: binary
+module: hadoop-client
+license_name: Apache License version 2.0
+version: 1.0.3
+libraries:
   - org.apache.directory.api: api-util
 notices:
   - api-util: |
       Apache Directory LDAP API Utilities
       Copyright 2003-2013 The Apache Software Foundation
+
 ---
 
 name: Apache Directory Server
@@ -3161,7 +3195,7 @@ name: Gson
 license_category: binary
 module: extensions/protobuf-extensions
 license_name: Apache License version 2.0
-version: 2.7
+version: 2.8.6
 libraries:
   - com.google.code.gson: gson
 
@@ -3279,7 +3313,7 @@ name: Protocol Buffers
 license_category: binary
 module: java-core
 license_name: BSD-3-Clause License
-version: 3.1.0
+version: 3.11.0
 copyright: Google, Inc.
 license_file_path:
   - licenses/bin/protobuf-java.BSD3
@@ -3444,7 +3478,7 @@ name: Protocol Buffers
 license_category: binary
 module: extensions/druid-protobuf-extensions
 license_name: BSD-3-Clause License
-version: 3.2.0
+version: 3.11.0
 copyright: Google, Inc.
 license_file_path: licenses/bin/protobuf-java.BSD3
 libraries:
@@ -3932,7 +3966,7 @@ name: Apache Kafka
 license_category: binary
 module: extensions/kafka-extraction-namespace
 license_name: Apache License version 2.0
-version: 2.1.0
+version: 2.1.1
 libraries:
   - org.apache.kafka: kafka_2.12
   - org.apache.kafka: kafka-clients
diff --git a/licenses/bin/jakarta.EDL1 b/licenses/bin/jakarta.EDL1
new file mode 100644
index 00000000000..8e44780c856
--- /dev/null
+++ b/licenses/bin/jakarta.EDL1
@@ -0,0 +1,13 @@
+Eclipse Distribution License - v 1.0
+
+Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors.
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+    * Neither the name of the Eclipse Foundation, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
new file mode 100644
index 00000000000..cf88f395744
--- /dev/null
+++ b/owasp-dependency-check-suppressions.xml
@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
+    <notes><![CDATA[
+   file name: org.apache.druid:druid-indexing-hadoop:0.17.0-incubating-SNAPSHOT
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
+    <cve>CVE-2012-4449</cve>
+  </suppress>
+  <suppress>
+    <!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
+    <notes><![CDATA[
+   file name: druid-indexing-hadoop-0.17.0-incubating-SNAPSHOT.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
+    <cve>CVE-2017-3162</cve>
+  </suppress>
+  <suppress>
+    <!-- druid-processing.jar is mistaken for org.processing:processing -->
+    <notes><![CDATA[
+   file name: org.apache.druid:druid-processing:0.17.0-incubating-SNAPSHOT
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl>
+    <cve>CVE-2018-1000840</cve>
+  </suppress>
+  <suppress>
+    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
+    <notes><![CDATA[
+   file name: openstack-swift-1.9.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
+    <cve>CVE-2016-0737</cve>
+    <cve>CVE-2016-0738</cve>
+    <cve>CVE-2017-16613</cve>
+  </suppress>
+  <suppress>
+    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
+    <notes><![CDATA[
+   file name: openstack-keystone-1.9.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
+    <cve>CVE-2015-7546</cve>
+  </suppress>
+
+  <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
+  <suppress>
+    <!--
+      ~ TODO: Fix by updating hibernate-validator.
+
+      ~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath:
+      ~ https://developer.jboss.org/wiki/HibernateValidatorMigrationGuide#jive_content_id_531Final
+      ~
+      ~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail:
+      ~
+      ~   Error: com.google.inject.CreationException: Unable to create injector, see the following errors:
+      ~
+      ~   1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
+      ~     at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
+      ~
+      ~   2) No implementation for javax.validation.Validator was bound.
+      ~     at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
+      ~
+      ~   2 errors
+      ~       at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470)
+      ~       at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155)
+      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
+      ~       at com.google.inject.Guice.createInjector(Guice.java:99)
+      ~       at com.google.inject.Guice.createInjector(Guice.java:73)
+      ~       at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(GuiceInjectors.java:56)
+      ~       at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(HadoopDruidIndexerConfig.java:102)
+      ~       at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(HadoopDruidIndexerMapper.java:53)
+      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(DetermineHashedPartitionsJob.java:279)
+      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.run(DetermineHashedPartitionsJob.java:334)
+      ~       at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:787)
+      ~       at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
+      ~       at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:175)
+      ~       at java.security.AccessController.doPrivileged(Native Method)
+      ~       at javax.security.auth.Subject.doAs(Subject.java:422)
+      ~       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)
+      ~       at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:169)
+      ~   Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:102)
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(ResourceBundleMessageInterpolator.java:45)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(ConfigurationImpl.java:423)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(ConfigurationImpl.java:575)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(ConfigurationImpl.java:364)
+      ~       at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(ValidatorFactoryImpl.java:148)
+      ~       at org.hibernate.validator.HibernateValidator.buildValidatorFactory(HibernateValidator.java:38)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(ConfigurationImpl.java:331)
+      ~       at javax.validation.Validation.buildDefaultValidatorFactory(Validation.java:110)
+      ~       at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
+      ~       at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
+      ~       at com.google.inject.spi.Elements.getElements(Elements.java:110)
+      ~       at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
+      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
+      ~       ... 14 more
+      ~   Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory;
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:98)
+      ~       ... 27 more
+      -->
+    <notes><![CDATA[
+   file name: hibernate-validator-5.2.5.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
+    <cve>CVE-2017-7536</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
+    <notes><![CDATA[
+   file name: jackson-mapper-asl-1.9.13.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+    <cve>CVE-2017-7525</cve>
+    <cve>CVE-2017-15095</cve>
+    <cve>CVE-2017-17485</cve>
+    <cve>CVE-2018-5968</cve>
+    <cve>CVE-2018-7489</cve>
+    <cve>CVE-2018-14718</cve>
+    <cve>CVE-2019-10172</cve>
+    <cve>CVE-2019-14540</cve>
+    <cve>CVE-2019-16335</cve>
+    <cve>CVE-2019-17267</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
+    <notes><![CDATA[
+   file name: netty-3.10.6.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@.*$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by upgrading hadoop-auth version -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-4.41.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@.*$</packageUrl>
+    <cve>CVE-2019-17195</cve>
+  </suppress>
+  <suppress>
+      <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
+      <notes><![CDATA[
+   file name: libthrift-0.6.1.jar
+   ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+      <cve>CVE-2016-5397</cve>
+      <cve>CVE-2018-1320</cve>
+      <cve>CVE-2019-0205</cve>
+  </suppress>
+  <suppress>
+    <!--
+      ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
+      ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
+      -->
+    <notes><![CDATA[
+   file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2017-7525</cve>
+    <cve>CVE-2017-15095</cve>
+    <cve>CVE-2017-17485</cve>
+    <cve>CVE-2018-5968</cve>
+    <cve>CVE-2018-7489</cve>
+    <cve>CVE-2018-11307</cve>
+    <cve>CVE-2018-14718</cve>
+    <cve>CVE-2018-14719</cve>
+    <cve>CVE-2018-14720</cve>
+    <cve>CVE-2018-14721</cve>
+    <cve>CVE-2018-19360</cve>
+    <cve>CVE-2018-19361</cve>
+    <cve>CVE-2018-19362</cve>
+    <cve>CVE-2019-14540</cve>
+    <cve>CVE-2019-16335</cve>
+    <cve>CVE-2019-16942</cve>
+    <cve>CVE-2019-16943</cve>
+    <cve>CVE-2019-17267</cve>
+    <cve>CVE-2019-17531</cve>
+  </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
index d3cacfb1313..6569e30fa12 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
         <aether.version>0.9.0.M2</aether.version>
         <apache.curator.version>4.1.0</apache.curator.version>
         <apache.curator.test.version>2.12.0</apache.curator.test.version>
+        <apache.kafka.version>2.1.1</apache.kafka.version>
         <avatica.version>1.15.0</avatica.version>
         <avro.version>1.9.1</avro.version>
         <calcite.version>1.21.0</calcite.version>
@@ -88,7 +89,7 @@
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.12.v20180830</jetty.version>
         <jersey.version>1.19.3</jersey.version>
-        <jackson.version>2.9.10</jackson.version>
+        <jackson.version>2.10.1</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
         <log4j.version>2.8.2</log4j.version>
         <netty3.version>3.10.6.Final</netty3.version>
@@ -96,6 +97,7 @@
         <netty4.version>4.1.42.Final</netty4.version>
         <node.version>v10.14.2</node.version>
         <npm.version>6.5.0</npm.version>
+        <protobuf.version>3.11.0</protobuf.version>
         <slf4j.version>1.7.12</slf4j.version>
         <!-- If compiling with different hadoop version also modify default hadoop coordinates in TaskConfig.java -->
         <hadoop.compile.version>2.8.5</hadoop.compile.version>
@@ -758,7 +760,7 @@
             <dependency>
                 <groupId>com.google.protobuf</groupId>
                 <artifactId>protobuf-java</artifactId>
-                <version>3.1.0</version>
+                <version>${protobuf.version}</version>
             </dependency>
             <dependency>
                 <groupId>io.tesla.aether</groupId>
@@ -988,7 +990,7 @@
             <dependency>
                 <groupId>org.apache.directory.api</groupId>
                 <artifactId>api-util</artifactId>
-                <version>1.0.0-M20</version>
+                <version>1.0.3</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.calcite</groupId>
@@ -1478,6 +1480,23 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>5.2.4</version>
+                <configuration>
+                    <cveValidForHours>24</cveValidForHours>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <skipProvidedScope>true</skipProvidedScope>
+                    <skipSystemScope>true</skipSystemScope>  <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system -->
+                    <suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>none</phase>  <!-- TODO: Consider enabling so part of dev flow instead of just CI -->
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
         <pluginManagement>
             <plugins>
diff --git a/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java b/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
index acdbbd0f2c1..eb9e9916cac 100644
--- a/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
+++ b/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
@@ -59,10 +59,10 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
 
   private final SQLMetadataConnector connector;
   private final ObjectMapper jsonMapper;
-  private final TypeReference entryType;
-  private final TypeReference statusType;
-  private final TypeReference logType;
-  private final TypeReference lockType;
+  private final TypeReference<EntryType> entryType;
+  private final TypeReference<StatusType> statusType;
+  private final TypeReference<LogType> logType;
+  private final TypeReference<LockType> lockType;
 
   private final String entryTypeName;
   private final String entryTable;
@@ -107,7 +107,7 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
     return jsonMapper;
   }
 
-  protected TypeReference getStatusType()
+  protected TypeReference<StatusType> getStatusType()
   {
     return statusType;
   }
@@ -127,7 +127,7 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
     return entryTypeName;
   }
 
-  public TypeReference getEntryType()
+  public TypeReference<EntryType> getEntryType()
   {
     return entryType;
   }
diff --git a/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java b/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
index ac1636c1e64..0a7407fa52f 100644
--- a/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
+++ b/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
@@ -185,7 +185,7 @@ public class ResultLevelCachingQueryRunner<T> implements QueryRunner<T>
       log.error("Cached result set is null");
     }
     final Function<Object, T> pullFromCacheFunction = strategy.pullFromCache(true);
-    final TypeReference<Object> cacheObjectClazz = strategy.getCacheObjectClazz();
+    final TypeReference<T> cacheObjectClazz = strategy.getCacheObjectClazz();
     //Skip the resultsetID and its length bytes
     Sequence<T> cachedSequence = Sequences.simple(() -> {
       try {
diff --git a/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java b/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
index eea87118f9e..0d297697ee2 100644
--- a/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
+++ b/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
@@ -67,13 +67,15 @@ import java.util.concurrent.atomic.AtomicLong;
  */
 public class HttpLoadQueuePeon extends LoadQueuePeon
 {
-  public static final TypeReference REQUEST_ENTITY_TYPE_REF = new TypeReference<List<DataSegmentChangeRequest>>()
-  {
-  };
+  public static final TypeReference<List<DataSegmentChangeRequest>> REQUEST_ENTITY_TYPE_REF =
+      new TypeReference<List<DataSegmentChangeRequest>>()
+      {
+      };
 
-  public static final TypeReference RESPONSE_ENTITY_TYPE_REF = new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
-  {
-  };
+  public static final TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>> RESPONSE_ENTITY_TYPE_REF =
+      new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
+      {
+      };
 
   private static final EmittingLogger log = new EmittingLogger(HttpLoadQueuePeon.class);
 
diff --git a/services/pom.xml b/services/pom.xml
index fb927038fa1..15301f10343 100644
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -226,6 +226,22 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <configuration>
+                    <!--
+                      ~ The analysis gets confused between javax.xml.bind:jaxb-api and jakarta.xml.bind:jakarta.xml.bind-api.
+                      ~ The former is a direct dependency, and the latter is a transitive dependency of jackson 2.10+.
+                      -->
+                    <usedDependencies>
+                        <dependency>javax.xml.bind:jaxb-api</dependency>
+                    </usedDependencies>
+                    <ignoredUsedUndeclaredDependencies>
+                        <ignoredUsedUndeclaredDependency>jakarta.xml.bind:jakarta.xml.bind-api</ignoredUsedUndeclaredDependency>
+                    </ignoredUsedUndeclaredDependencies>
+                </configuration>
+            </plugin>
         </plugins>
     </build>