As requested by Security subcommittee, tracking false positives.

This dependency is pulled in by hibernate-core. We are using the latest release of Hibernate (as of Casablanca Maintenance Release).

The XML schema of incoming events is controlled in Apex and arbitrary code even if it was injected cannot be executed.