Nexus IQ remediation and JBOSS


I am kind of new to Nexus IQ. We have a number of Java apps running on Red Hat JBoss EAP servers. Quite a number of the violations picked up by Nexus IQ are transitive dependencies supplied by the app server. Remediating those by upping the version is kind of a snake pit. Does anyone have a suggested path or pattern for dealing with these? Example:
com.fasterxml.jackson.core : jackson-databind : 2.5.4 is flagged as Security-Critical. Swapping this out to a violation-free version 2.11.0 is not a simple matter. How do folks deal with this? Waivers? Overriding the dependencies provided by JBoss? If I am in the wrong place, please let me know.