Vulnerabilities in pmd-bin-6.50.0 version

[DivyaSrivas]

We are using 6.50.0 version of pmd-bin , we scanned our files in Veracode . In the report we got there was several vulnerabilities issues in many of the jar versions .
We found that even in the latest version of pmd-bin these jars have older version which have vulnerabilities issues with severity of high and medium.
Could you please suggest how to resolve these vulnerabilities issues because we cannot directly update these from our end.
version we are using :-
jcommander-1.48.jar
protobuf-java-3.16.1.jar

version Suggested :-
jcommander-2.0.0-RC1.jar
protobuf-java-3.21.7.jar

[adangel]

protobuf-java is updated to 3.16.3 for the next version (PMD 6.51.0) -> f9ccab3

For jcommander, there is no version that is still compatible with Java 7 (Note: PMD 6 is still working with Java 7). Hence we didn't update it. The latest version seems to be 1.82 (https://repo1.maven.org/maven2/com/beust/jcommander/) and requires Java 8 (https://github.com/cbeust/jcommander/blob/aa70b568948d310899cda74e235733a8c23136ef/build.gradle.kts#L44).

The only vulnerability that I know of for jCommander is cbeust/jcommander#465 or https://security.snyk.io/vuln/SNYK-JAVA-COMBEUST-174815 . It's about the build script of jcommander - but we don't build jCommand from source, we use the already built jar, that is available in maven central. Do you think, it carries an unknown vulnerability in it (it was released on 2015-04-11)?

[DivyaSrivas]

JCommand latest version dosen't have any vulnerabilities but it is giving exception if we are trying to change it.

Exception in thread "main" java.lang.annotation.AnnotationTypeMismatchException: Incorrectly typed data found for annotation element public abstract java.lang.Class[] com.beust.jcommander.Parameter.validateValueWith() (Found data of type class java.lang.Class[class net.sourceforge.pmd.cli.PMDParameters$RulePriorityValidator])
at java.base/sun.reflect.annotation.AnnotationTypeMismatchExceptionProxy.generateException(AnnotationTypeMismatchExceptionProxy.java:57)
at java.base/sun.reflect.annotation.AnnotationInvocationHandler.invoke(AnnotationInvocationHandler.java:86)
at com.sun.proxy.$Proxy1.validateValueWith(Unknown Source)
at com.beust.jcommander.WrappedParameter.validateValueWith(WrappedParameter.java:64)
at com.beust.jcommander.ParameterDescription.validateValueParameter(ParameterDescription.java:350)
at com.beust.jcommander.ParameterDescription.validateDefaultValues(ParameterDescription.java:164)
at com.beust.jcommander.ParameterDescription.init(ParameterDescription.java:157)
at com.beust.jcommander.ParameterDescription.(ParameterDescription.java:65)
at com.beust.jcommander.JCommander.addDescription(JCommander.java:631)
at com.beust.jcommander.JCommander.createDescriptions(JCommander.java:601)
at com.beust.jcommander.JCommander.(JCommander.java:252)
at com.beust.jcommander.JCommander.(JCommander.java:238)
at com.beust.jcommander.JCommander.(JCommander.java:230)
at net.sourceforge.pmd.cli.PmdParametersParseResult.extractParameters(PmdParametersParseResult.java:104)
at net.sourceforge.pmd.PMD.runPmd(PMD.java:452)
at net.sourceforge.pmd.PMD.main(PMD.java:418)