Nailed it! I tried to write a clear message about the collaboration we did at How to fix AppInspect check_for_vulnerable_javascript_library_usage from Add-on Builder content 

One thing I forgot to note.  This appears to be fixed in Add-on Builder version 4.1.0 but you will need to perform the export/import process if you upgrade the app in-place.

Upgrading the add-on builder and exporting the add-on from there fixed the issue.

Thanks for your response. Initially I got following error:

{
                                    "result": "warning",
                                    "message": "3rd party CORS request may execute\nparseHTML() executes scripts in event handlers\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nreDOS - regular expression denial of service\n",
                                    "message_filename": "/opt/app7hugi7qy/TA-druva/appserver/static/js/build/common.js",
                                    "message_line": null
                                }

This is related to upgrade of JQuery version to 3.5.0.

Since I had minified javascript (path - appserver/static/js/build/common.js), I couldn't find jquery version import anywhere but I found "contrib/jquery-2.1.0" in this file and replaced it with "contrib/jquery-3.5.0".

After running AppInspect on the updated app, getting following warning:

{
                    "description": "Checks related to JavaScript usage.",
                    "name": "check_javascript_usage",
                    "checks": [
                        {
                            "description": "Detect usage of JavaScript libraries with known vulnerabilities.",
                            "name": "check_for_vulnerable_javascript_library_usage",
                            "tags": [
                                "cloud",
                                "future",
                                "jquery",
                                "security"
                            ],
                            "result": "warning",
                            "messages": [
                                {
                                    "result": "warning",
                                    "message": "reDOS - regular expression denial of service\n",
                                    "message_filename": "/opt/appdlobc8sm/TA-druva/appserver/static/js/build/common.js",
                                    "message_line": null
                                }
                            ]
                        }
                    ]
                }

If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that and we (Splunk) needs to provide a fix to either the check_for_vulnerable_javascript_library_usage or the code that Splunk Add-on Builder adds to your app.

As you can imagine, security related things are hard to get info on. Nonetheless, it was pointed out to me that this is a warning, not a failure, and as such it shouldn't be an impediment to building the app. I'll continue to see if I can get more info on this.

Cross posting with How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?which sounds like the same question. I'm also hunting for some SMEs who can help.

@diogofgm Do you have a solution for this issue? Our add-on is created by the add-on builder and we get an issue with common.js and Splunk Cloud Support colleagues have rejected the add-on. What should be the next step?