
Update Bouncy Castle #2125

@msymons

Description


docker-java 3.3.0 has a transitive dependency on bcprov-jdk15on 1.66 via bcpkix-jdk15on 1.66.

The former has a vulnerability, CVE-2020-15522.

Whilst this vulnerability may (or may not) impact docker-java, it will still be picked up by SCA tools and reported as being a potential problem.

There is a fix available and thus an upgrade of ${bouncycastle.version} should sort things out.

  • An upgrade to 1.67 will address the vulnerability, as well as CVE-2020-28052 (affects 1.65 and 1.67)
  • An upgrade to 1.70 will use the last version released of bcpkix-jdk15on
  • The latest version of Bouncy Castle is 1.73 (and addresses a security advisory that does not have a CVE). This would necessitate updating the component artifactId to bcpkix-jdk18on. See Latest Java Releases
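
A check for the situation described in this issue, as an added example that is not part of the original issue or the docker-java project: it walks `mvn dependency:tree` output and reports every `org.bouncycastle` artifact below a version floor, together with the path that pulls it in. The sample tree is constructed, and the 1.67 floor is taken from the issue text as an assumption.

```python
import re

# Floor taken from the issue text: "An upgrade to 1.67 will address the vulnerability".
MIN_BC_VERSION = (1, 67)

# Constructed sample of `mvn dependency:tree` output, not captured from a real build.
# It mirrors the chain the issue describes; intermediate modules are omitted.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.github.docker-java:docker-java:jar:3.3.0:compile
[INFO]    \- org.bouncycastle:bcpkix-jdk15on:jar:1.66:compile
[INFO]       \- org.bouncycastle:bcprov-jdk15on:jar:1.66:compile
"""

# Each nesting level adds three characters ("|  " or "   ") before the "+- " / "\- " marker.
NODE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<marker>[+\\]- )?(?P<coords>\S+)$")


def parse_version(text):
    """Turn '1.66' into (1, 66) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_old_bouncycastle(tree_text, floor=MIN_BC_VERSION):
    """Return (artifactId, version, path) for each org.bouncycastle jar below floor."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        match = NODE.match(line.rstrip())
        if not match or match.group("coords").count(":") < 3:
            continue
        parts = match.group("coords").split(":")
        is_root = match.group("marker") is None
        depth = 0 if is_root else len(match.group("indent")) // 3 + 1
        # Root is group:artifact:packaging:version; dependencies end in version:scope.
        version = parts[-1] if is_root else parts[-2]
        stack = stack[:depth] + [f"{parts[1]}:{version}"]
        if parts[0] == "org.bouncycastle" and parse_version(version) < floor:
            findings.append((parts[1], version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for artifact, version, path in find_old_bouncycastle(SAMPLE_TREE):
        print(f"{artifact} {version} is below {'.'.join(map(str, MIN_BC_VERSION))}: {path}")
```

The reported path shows which direct dependency to upgrade or override, which is the information an SCA finding on a transitive jar usually lacks.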
