jfreechart
CVE vulnerabilities on Jfreechart
Hi there, I noticed there are a few people complaining about these CVE tests on JFreeChart.
I see that JFreeChart was recently updated to version 1.5.5 to fix/note some supposed security vulnerabilities. However, we noticed that there are still a few showing up.
https://nvd.nist.gov/vuln/detail/CVE-2023-52070
https://nvd.nist.gov/vuln/detail/CVE-2024-22949 (you mentioned was not necessary)
https://nvd.nist.gov/vuln/detail/CVE-2024-23076 (you mentioned was not necessary)
13:27:58 Detected 1 vulnerable components:
13:27:58 org.jfree:jfreechart:jar:1.5.5:compile; https://ossindex.sonatype.org/component/pkg:maven/org.jfree/jfreechart@1.5.5?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
13:27:58 * [CVE-2023-52070] CWE-129: Improper Validation of Array Index (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-52070?component-type=maven&component-name=org.jfree%2Fjfreechart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
13:27:58 * [CVE-2024-22949] CWE-476: NULL Pointer Dereference (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-22949?component-type=maven&component-name=org.jfree%2Fjfreechart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
13:27:58 * [CVE-2024-23076] CWE-476: NULL Pointer Dereference (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-23076?component-type=maven&component-name=org.jfree%2Fjfreechart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
I find it strange that these so-called security vulnerabilities are being brought up for possible null pointer exceptions.
Out of interest, are there any workarounds to circumvent this issue with these scans, or are we at the mercy of them? Other than disputing them, obviously.
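One workaround that keeps the scan in the build without permanently muting it: post-process the audit output against a reviewed allow-list in which every accepted CVE is scoped to one artifact, carries a written reason, and expires. The script below is an added example, not code from the JFreeChart project, Sonatype, or the original poster. The log format is modelled on the ossindex-maven-plugin output quoted in the post (embedded here as a constructed sample); the allow-list entries and their reasons are hypothetical placeholders showing the shape of a record, not an assessment of whether those CVEs affect any real application.

```python
"""Gate an OSS Index audit log against a reviewed, expiring allow-list.

Added example (not JFreeChart's or Sonatype's code). The log format is
modelled on the ossindex-maven-plugin output quoted in the issue; the
allow-list entries and reasons below are hypothetical placeholders.
"""
import re
from datetime import date
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, modelled on the scan output quoted in the issue.
SAMPLE_SCAN_OUTPUT = """\
13:27:58 Detected 1 vulnerable components:
13:27:58 org.jfree:jfreechart:jar:1.5.5:compile; https://ossindex.sonatype.org/component/pkg:maven/org.jfree/jfreechart@1.5.5
13:27:58 * [CVE-2023-52070] CWE-129: Improper Validation of Array Index (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-52070
13:27:58 * [CVE-2024-22949] CWE-476: NULL Pointer Dereference (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-22949
13:27:58 * [CVE-2024-23076] CWE-476: NULL Pointer Dereference (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-23076
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\s*")
COMPONENT_RE = re.compile(r"^(?P<coords>[^;\s]+:[^;\s]+);\s*https?://")
FINDING_RE = re.compile(
    r"^\*\s*\[(?P<cve>CVE-\d{4}-\d{4,})\]\s+(?P<cwe>CWE-\d+):[^()]*\((?P<score>\d+(?:\.\d+)?)\);"
)


class Finding(NamedTuple):
    component: str  # Maven coordinates exactly as the scanner prints them
    cve: str
    cwe: str
    score: float


class Acceptance(NamedTuple):
    component_prefix: str  # the acceptance is scoped to one artifact, never global
    reason: str            # human-reviewed justification (hypothetical text below)
    expires: date          # forces periodic re-review instead of a permanent mute


class Triage(NamedTuple):
    suppressed: List[Finding]  # accepted, still within the review window
    expired: List[Finding]     # accepted once, but the acceptance has lapsed
    unaccepted: List[Finding]  # never reviewed: must block the build


# Hypothetical allow-list. The reasons are placeholders showing the shape of an
# entry; they are not an assessment of whether these CVEs affect any real app.
ACCEPTED: Dict[str, Acceptance] = {
    "CVE-2024-22949": Acceptance(
        "org.jfree:jfreechart:",
        "hypothetical: affected API is never called with attacker-controlled input",
        date(2025, 6, 30),
    ),
    "CVE-2024-23076": Acceptance(
        "org.jfree:jfreechart:",
        "hypothetical: NPE path is unreachable in this service; re-review at expiry",
        date(2025, 6, 30),
    ),
}


def parse_audit(text: str) -> List[Finding]:
    """Extract (component, CVE, CWE, score) tuples from the audit log."""
    findings: List[Finding] = []
    component: Optional[str] = None
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw).strip()
        m = COMPONENT_RE.match(line)
        if m:
            component = m.group("coords")  # following "* [CVE-...]" lines belong to it
            continue
        m = FINDING_RE.match(line)
        if m and component:
            findings.append(Finding(component, m.group("cve"), m.group("cwe"),
                                    float(m.group("score"))))
    return findings


def triage(findings: List[Finding], accepted: Dict[str, Acceptance], today: date) -> Triage:
    """Split findings into suppressed / expired / unaccepted buckets."""
    result = Triage([], [], [])
    for f in findings:
        acc = accepted.get(f.cve)
        if acc is None or not f.component.startswith(acc.component_prefix):
            result.unaccepted.append(f)  # unknown CVE, or accepted for a different artifact
        elif today > acc.expires:
            result.expired.append(f)
        else:
            result.suppressed.append(f)
    return result


def build_should_fail(text: str, accepted: Dict[str, Acceptance], today: date) -> bool:
    """True when anything remains that nobody has (currently) signed off on."""
    t = triage(parse_audit(text), accepted, today)
    return bool(t.unaccepted or t.expired)


if __name__ == "__main__":
    t = triage(parse_audit(SAMPLE_SCAN_OUTPUT), ACCEPTED, date.today())
    for label, bucket in (("suppressed", t.suppressed), ("expired", t.expired),
                          ("unaccepted", t.unaccepted)):
        for f in bucket:
            print(f"{label:10s} {f.cve} {f.cwe} ({f.score}) in {f.component}")
```

Run against the sample with the hypothetical allow-list, the two accepted NPE findings are suppressed until their expiry date, CVE-2023-52070 stays unaccepted, and `build_should_fail` returns True; once the acceptances lapse they move to the expired bucket and fail the build again, so a suppression can never silently outlive the decision behind it. Scoping each acceptance to an artifact prefix means the same CVE ID reported against a different dependency is not muted by accident.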