Spotfire Streaming through version 11.1 includes the H2 Database [https://www.h2database.com/] (file location: distrib/tibco/3rdparty/java/h2.jar), which is associated with several CVEs. Spotfire has reviewed the CVEs and, at the time of writing, none applies to the manner in which H2 is used in Live Datamart. Configurations are available that avoid the use of H2 and allow h2.jar to be removed from the installation entirely so that it does not appear on vulnerability scans.
Resolution
The H2 database h2.jar may be deleted if any of the following are true:
A. The application does not use or include a LiveView Fragment project. No pom.xml includes the text "<packaging>ep-liveview-fragment</packaging>".
B. The application is configured to store Live Datamart metadata in JDBC or TRANSACTIONAL_MEMORY and not LOCAL, as described in the product documentation at TIBCO Streaming > LiveView Admin Guide > LiveView Metadata Store, and in the metadataStore, storeType setting described at TIBCO Streaming > Configuration Guide > LiveView Configuration Types > LiveView Engine Configuration.
The default locations of the h2.jar file for server installations are C:\tibco\str\11.1\distrib\tibco\3rdparty\java\h2.jar and /opt/tibco/str/11.1/distrib/tibco/3rdparty/java/h2.jar.
Once you have confirmed that your application configuration makes no use of H2, you may delete the h2.jar file from all Spotfire Streaming installations in developer, test, and production environments.
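The condition A check and the h2.jar lookup described above, as an added shell example that is not part of the vendor article. The function names and the sample directory tree are constructed for illustration. If condition A is not met, condition B still has to be confirmed in the LiveView engine configuration before deleting the jar.

```shell
#!/bin/sh
# Added example (not vendor code): evaluate condition A and locate h2.jar.
# Usage: sh check_h2.sh <project-root> [<install-root>]

FRAGMENT_RE='<packaging>[[:space:]]*ep-liveview-fragment[[:space:]]*</packaging>'

# List every pom.xml under project root $1 that declares LiveView fragment packaging.
find_liveview_fragments() {
    # grep exits non-zero when nothing matches; that is the good case, so ignore it.
    find "$1" -type f -name pom.xml -exec grep -lE "$FRAGMENT_RE" {} + || :
}

# Return 0 when condition A holds for project root $1, 1 otherwise.
# A commented-out packaging line also counts as a hit, which fails safe.
condition_a_holds() {
    hits=$(find_liveview_fragments "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'Condition A not met; LiveView fragment declared in:\n%s\n' "$hits" >&2
    return 1
}

# List h2.jar copies under install root $1 at the relative path the article gives.
locate_h2_jar() {
    find "$1" -type f -path '*/distrib/tibco/3rdparty/java/h2.jar' || :
}

# Build a constructed sample tree: one non-LiveView project, one LiveView
# fragment project, and an empty stand-in for h2.jar. Prints the tree root.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/eventflow_app" "$d/liveview_app" \
             "$d/str/11.1/distrib/tibco/3rdparty/java"
    printf '<project>\n  <packaging>ep-eventflow-fragment</packaging>\n</project>\n' \
        > "$d/eventflow_app/pom.xml"
    printf '<project>\n  <packaging>ep-liveview-fragment</packaging>\n</project>\n' \
        > "$d/liveview_app/pom.xml"
    : > "$d/str/11.1/distrib/tibco/3rdparty/java/h2.jar"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    condition_a_holds "$1" && echo "Condition A holds under $1"
    locate_h2_jar "${2:-$1}"
fi
```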
Issue/Introduction
The use of the H2 database by Spotfire Streaming Live Datamart does not expose CVE vulnerabilities, and the H2 implementation may also be excluded from deployment.