jasperreports v6.4.0 seems to be vulnerable to some security threats brought in by dependencies.
CVE-2014-3577 affects versions before 4.3.5
Current version is 4.5.3
CVE-2017-5644 affects versions before 3.15
Uses vulnerable commons-collections 3.2.1 (although jasperreports itself has 3.2.2 dependency (which is secure)
Fix version is 1.4.1, which uses org.apache.commons:commons-collections4 4.1
CVE-2016-2510 (CVVS 3 score 8.1)
Update to org.apache-extras.beanshell:bsh v2.0b6 or later.
Whilst there may be individual threats that may not apply in the context of jasperreports, the problem is that the threats are flagged up by scanning tools.