Indirect dependency vulnerability detected by JFrog XRay


I have a project that uses spring boot 1.3.8.RELEASE, so it contains the dependencies listed here: https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/1.3.8.RELEASE/spring-boot-dependencies-1.3.8.RELEASE.pom

In the list of dependencies you can see that javassist:javassist:3.18.1-GA is included, and this version of the component has vulnerabilities.

Anyway, in the dependency:tree of the project it is not included, nor is the jar downloaded. But JFrog XRay complains that my project is vulnerable.

Is there any way in the pom or in a project config file to tell it that this dependency is unused so it can be ignored?

Am I wrong, and is my project vulnerable as long as it uses a component (spring boot 1.3.8) that somehow refers to javassist? Can I solve this without upgrading?

** Please ignore that spring boot 1.3.8 has more vulnerabilities; I am focusing on javassist, which I am not using.


There are 0 answers
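As an added illustration (not part of the question or any answer), the script below shows the distinction the question turns on: an artifact whose version is only pinned under a BOM's `<dependencyManagement>` versus one that is actually resolved into the build and therefore appears in `mvn dependency:tree`. The BOM fragment and tree output are constructed samples in the style of spring-boot-dependencies, not the real files; the javassist coordinates are taken as the question gives them.

```python
"""Triage a scanner finding: is the flagged artifact merely version-managed
(declared under <dependencyManagement> in a BOM) or actually resolved into
the build (present in `mvn dependency:tree` output)?"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed BOM fragment, not the real spring-boot-dependencies pom.
BOM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>javassist</groupId><artifactId>javassist</artifactId><version>3.18.1-GA</version></dependency>
    <dependency><groupId>org.hibernate</groupId><artifactId>hibernate-validator</artifactId><version>5.2.4.Final</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed `mvn dependency:tree` output for a project that never resolves javassist.
TREE_OUTPUT = """[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.3.8.RELEASE:compile
[INFO] |  \\- org.hibernate:hibernate-validator:jar:5.2.4.Final:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.21:compile
"""

# Matches "group:artifact:packaging:version:scope" after the tree-drawing prefix.
TREE_LINE = re.compile(r"^\[INFO\] [|+\\ -]*([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):\w+$")

def managed_versions(bom_xml):
    """Return {(groupId, artifactId): version} declared under dependencyManagement."""
    root = ET.fromstring(bom_xml)
    out = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        g = dep.find("m:groupId", NS).text
        a = dep.find("m:artifactId", NS).text
        out[(g, a)] = dep.find("m:version", NS).text
    return out

def resolved_artifacts(tree_output):
    """Return {(groupId, artifactId): version} actually present in the resolved tree."""
    out = {}
    for line in tree_output.splitlines():
        m = TREE_LINE.match(line)
        if m:
            out[(m.group(1), m.group(2))] = m.group(3)
    return out

def classify(flagged, bom_xml, tree_output):
    """'resolved' if the artifact is in the build, 'managed-only' if only the
    BOM pins its version, 'absent' if neither; only 'resolved' ships the jar."""
    if flagged in resolved_artifacts(tree_output):
        return "resolved"
    if flagged in managed_versions(bom_xml):
        return "managed-only"
    return "absent"
```

A "managed-only" result means the BOM pins a version but nothing in the build pulls the artifact in, which is the situation the question describes; a "resolved" result means the vulnerable jar really is on the classpath.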