I created a Jenkins pipeline that performs a daily vulnerability check (I'm using OWASP Dependency-Check) of my Java projects (Maven and Spring Boot).
It often happens that vulnerabilities are discovered. In the case of direct dependencies: sometimes it's enough to update the version of my dependencies, while other times it's not (if there isn't a new version), so I find myself having to temporarily suppress vulnerabilities and wait for new updates.
In the case of transitive dependencies: I always have Spring Boot updated to the latest version (2.x). However, sometimes it happens that vulnerabilities are caused by Spring Boot itself, which in turn imports other vulnerable dependencies. Many times, these vulnerable dependencies have new versions.
Question: is it a good practice to define the same dependency in my pom with the non-vulnerable version, or is it better to wait for this to be updated in the next version of Spring Boot? (I'm taking Spring Boot as an example, but it could be any other dependency.)
If the vulnerability seems to be dangerous in your context, I would immediately try to update the dependency in the POM. Of course, you need to make sure the project still runs because new dependencies might break functionality.
In the POM I would put a comment right next to the dependency that this was added or overridden due to a vulnerability and should be rolled back once the Spring Boot version fixes the issue.
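As an added illustration of the override-plus-comment approach described in the answer (this is example code, not part of the question or the answer, and not a project's real POM), here is a Spring Boot 2.x Maven POM fragment that pins a vulnerable transitive dependency to a patched version in two ways. All group, artifact, version, CVE and date values are placeholders; the only real names are the Maven elements and the `jackson-bom.version` property that `spring-boot-starter-parent` exposes.

```xml
<!-- Added example, not from the question or answer above. Shows two ways to
     override a transitive dependency version under spring-boot-starter-parent,
     each marked with a comment saying why it exists and when to remove it.
     Placeholder values are marked as such. -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- placeholder: your current Spring Boot 2.x version -->
    <version>2.x.y</version>
  </parent>

  <properties>
    <!-- Option 1: the starter parent manages many libraries through version
         properties; overriding the property changes the version for every
         artifact that BOM controls (Jackson BOM used as the example here). -->
    <!-- OVERRIDE: raised for CVE-XXXX-YYYY (placeholder) reported by OWASP
         Dependency-Check on YYYY-MM-DD (placeholder). Roll back once
         Spring Boot ships a fixed managed version. -->
    <jackson-bom.version>2.15.3</jackson-bom.version> <!-- placeholder version -->
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Option 2: for a library with no Spring Boot property, or when the
           BOM is imported instead of used as parent, pin it explicitly here.
           An entry in the project's own dependencyManagement takes precedence
           over the version the starter would pull in transitively. -->
      <!-- OVERRIDE: placeholder artifact pinned because of a Dependency-Check
           finding; remove when the managed version is fixed upstream. -->
      <dependency>
        <groupId>com.example</groupId>            <!-- placeholder -->
        <artifactId>vulnerable-lib</artifactId>   <!-- placeholder -->
        <version>1.2.4</version>                  <!-- placeholder: patched -->
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After adding an override, confirm that the resolved version actually changed with `mvn dependency:tree` (filter with `-Dincludes=com.example` for the placeholder artifact), run the test suite, and re-run Dependency-Check (`mvn org.owasp:dependency-check-maven:check`) so the Jenkins job reflects the fix. Note that the property override in Option 1 only works when `spring-boot-starter-parent` is the parent; if `spring-boot-dependencies` is imported as a BOM, use the explicit `dependencyManagement` entry of Option 2 instead.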