Small question regarding Java and Maven please.

With a very simple project, reproducible 100%, with just this code snippet (please feel free to copy-paste) and running this simple command: (please feel free to run)

After feeding this to some static analysis (Black Duck, SonarQube, Dependency-check, etc…) I am being flagged with this CVE: CVE-2017-1000487 on two jars: plexus-utils-2.0.4.jar