Nik Bougalis (a member of Ripple's C++ team) posted a response to this a few days ago: https://www.xrpchat.com/topic/2674-fud-or-legit/#comment-24048

The short version is this: We run these same kinds of tests ourselves. Automated testing tools produce lots of false positives. Also, their reference to JNI (which has no applicability to rippled whatsoever) suggests they may have scanned repositories other than rippled that contain unsupported or experimental tools that don't have any security implications anyway.