We are currently using hibernateentitymanager-3.6.8.Final.jar, and the Veracode analysis found this bug in JarVisitorFactory.java at lines 68, 79, 82, 140, 169 and 172:
This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.
Is this a false positive?