Since the last few days, CVE-2022-31569 is now failing on these dependencies:
```text
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] jakarta.annotation-api-1.3.5.jar: CVE-2022-31569(9.3)
[ERROR] jakarta.transaction-api-1.3.3.jar: CVE-2022-31569(9.3)
```
These jakarta artifacts are coming from the following Spring dependencies:
```text
|  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
|  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
+- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.7.1:compile
|  +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
```
Comment From: bclozel
Are you sure this is the right CVE reference? This one looks related to Python and Flask, nothing Java related. Maybe you should reach out to your tools vendor about this being a false positive? I don't think we can do anything about this here.
Comment From: dmitry-weirdo
Hello @bclozel. Yes, it seems to be a known false positive from https://github.com/jeremylong/DependencyCheck/issues/4671. Sorry for bothering, but please let this issue stay (not hard-deleted) in case someone searches from this side.
Comment From: bclozel
Thanks for finding that out. I’ve pinned this issue on our tracker for now to avoid duplicates.
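For anyone who lands here with the same scanner output: a dependency-check suppression entry, scoped to exactly the two jakarta artifacts and this one CVE, is the usual way to silence a confirmed false positive without hiding other findings. This is an added example, not from the Spring Boot project or the dependency-check thread; the file name `dependency-check-suppressions.xml` and the `packageUrl` regexes are assumptions, and the suppression must be reviewed again if the affected artifact coordinates change.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: dependency-check-suppressions.xml, referenced from the
     dependency-check Maven/Gradle configuration (suppressionFiles). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Match only the jakarta.annotation-api artifact (any version) and only this CVE.
       Keeping the scope this narrow means a real jakarta.* CVE would still fail the build. -->
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2022-31569 is a Python/Flask issue that the CPE matcher
      wrongly associates with the jakarta.annotation-api jar.
      Reference: https://github.com/jeremylong/DependencyCheck/issues/4671
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/jakarta\.annotation/jakarta\.annotation\-api@.*$</packageUrl>
    <cve>CVE-2022-31569</cve>
  </suppress>

  <!-- Same false positive reported against jakarta.transaction-api. -->
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2022-31569 does not apply to Java artifacts.
      Reference: https://github.com/jeremylong/DependencyCheck/issues/4671
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/jakarta\.transaction/jakarta\.transaction\-api@.*$</packageUrl>
    <cve>CVE-2022-31569</cve>
  </suppress>

</suppressions>
```

Prefer `packageUrl` plus `cve` over a bare `cve` suppression: the latter would also hide the CVE on any future artifact where it might actually apply.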