Currently commons-digester 2.1 is triggering some security alerts on scanner. 

Digester is not used in core but exposed to some plugins which use it.

With the help of https://github.com/jenkins-infra/usage-in-plugins    we found the class 

• https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
• https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
• https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
• https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
• https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used only used in a test class and using only the wrapper so no impact) (PR: 
  https://github.com/jenkinsci/cvs-plugin/pull/55)

• https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper so no impact) (PR: https://github.com/jenkinsci/dimensionsscm-plugin/pull/15)
• https://plugins.jenkins.io/genexus/ (only using the wrapper so no impact)
• https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
• https://plugins.jenkins.io/plasticscm-mergebot/ (import previous Digester package so need some package change but easy change) (PR 
  https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2)

• https://plugins.jenkins.io/plasticscm-plugin/ (import previous Digester package so need some package change but easy change) (PR 
  https://github.com/jenkinsci/plasticscm-plugin/pull/40 )

• https://plugins.jenkins.io/subversion/ (import previous Digester package so need some package change but easy change) (PR https://github.com/jenkinsci/subversion-plugin/pull/254 )
• https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago) (PR https://github.com/jenkinsci/synergy_scm-plugin/pull/17 )
• https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper so no impact) (PR 
  https://github.com/jenkinsci/teamconcert-plugin/pull/20 )

• https://plugins.jenkins.io/zos-connector/ (import previous Digester package so need some package change but easy change) (PR 
  https://github.com/jenkinsci/zos-connector-plugin/pull/12 )

A draft PR has been opened here https://github.com/jenkinsci/jenkins/pull/5320  for discussion.

I would personally remove it from core and make some PRs on plugins using it (except very old plugins not anymore maintained)