BUILD-448

Dismiss CVE reports related to xz library


    • Yes
    • Maintenance 51
    • 1

      One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp:

      magnolia-empty-webapp-6.2.8-SNAPSHOT.war: xz-1.8.jar (cpe:2.3:a:tukaani:xz:1.8:*:*:*:*:*:*:*) : CVE-2015-4035

      From https://nvd.nist.gov/vuln/detail/CVE-2015-4035
      scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
      Looks like a false positive: the version used by Magnolia is https://git.tukaani.org/?p=xz-java.git;a=summary and does not have such a file, scripts/xzgrep.in.
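
One way to check the false-positive reasoning above, as an added example (not part of the original issue or of Magnolia's code): walk the WAR, open each bundled `xz-*.jar`, and look for the script named in CVE-2015-4035. The archive contents are constructed sample data, and the function names are hypothetical.

```python
import io
import zipfile

SCRIPT_BASENAMES = ("xzgrep", "xzgrep.in")  # file named in CVE-2015-4035


def script_entries(jar_bytes):
    """List entries in a jar whose basename is xzgrep or xzgrep.in."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist()
                if n.rsplit("/", 1)[-1] in SCRIPT_BASENAMES]


def scan_archive(data, label, findings=None):
    """Recursively walk a WAR/JAR given as bytes.

    Returns {path of each xz-*.jar: matching script entries inside it};
    an empty list means the jar does not ship the vulnerable script.
    """
    if findings is None:
        findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            if base.startswith("xz-") and base.endswith(".jar"):
                findings[f"{label}!/{name}"] = script_entries(zf.read(name))
            elif base.endswith((".jar", ".war")):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_war(with_script=False):
    """Constructed stand-in for the webapp WAR; not the real Magnolia artifact."""
    jar = {"org/tukaani/xz/XZInputStream.class": b"\xca\xfe\xba\xbe"}
    if with_script:  # what the archive would look like if the CVE did apply
        jar["scripts/xzgrep.in"] = b"#!/bin/sh\n"
    return make_zip({"WEB-INF/lib/xz-1.8.jar": make_zip(jar),
                     "WEB-INF/web.xml": b"<web-app/>"})
```

To run it against a real build, pass the WAR's bytes to `scan_archive`; an empty list for the xz jar supports dismissing the report.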

              fgrilli Federico Grilli