During the code inspections for JEP-200 I have discovered that the plugin is most likely affected by this security hardening in the Jenkins core.

• The RemoteScanResult.scan field uses class which comes from an external library without a "Jenkins-ClassFilter-Whitelisted" manifest entry
• In Jenkins 2.102+ such classes will be blacklisted unless a workaround is applied

You can find more guidelines for plugin developers in this blogpost: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers. Please let us know if you need any additional info or reviews regarding this issue.