I think there are a few false positives reported with maven-dependency-check version: 3.3.1
See jeremylong/DependencyCheck#1328 where the same was reported for spring-batch 3.0.8.RELEASE.
The same issues appear now for spring-batch packages in version: 3.0.9
The affected CVEs are: CVE-2018-1271, CVE-2018-1270, CVE-2016-9878, CVE-2018-1272
The affected files are:
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1270
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1270
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2016-9878
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1271
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1272
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2016-9878
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1271
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1272
Maven coordinates:
<dependency>
    <groupId>org.springframework.batch</groupId>
    <artifactId>spring-batch-core</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.batch</groupId>
    <artifactId>spring-batch-infrastructure</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>
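If review confirms that the four CVEs listed in the report do not apply to these two jars, a suppression file scoped to exactly these coordinates keeps the build clean without hiding later findings. This is an added example, not part of the original report and not the project's own fix; it assumes the 1.1 suppression schema and the notes text is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: suppression file for OWASP dependency-check.
     Assumes the findings in the report above were reviewed and
     confirmed not to apply to these artifacts. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        Reported against spring-batch 3.0.9.RELEASE and believed to be a
        false positive; see jeremylong/DependencyCheck#1328 for the same
        report against 3.0.8.RELEASE.
        ]]></notes>
        <!-- Pinned to the exact group, the two artifacts and the exact
             version, so an upgrade of spring-batch is evaluated again
             instead of inheriting this suppression. -->
        <gav regex="true">^org\.springframework\.batch:spring-batch-(core|infrastructure):3\.0\.9\.RELEASE$</gav>
        <!-- Only the CVEs named in the report; anything else reported
             against these jars still fails the build. -->
        <cve>CVE-2016-9878</cve>
        <cve>CVE-2018-1270</cve>
        <cve>CVE-2018-1271</cve>
        <cve>CVE-2018-1272</cve>
    </suppress>
</suppressions>
```

The file is passed to the Maven plugin through its `suppressionFile` configuration parameter. Because the match is pinned to one version, the entry has to be reviewed again on every spring-batch upgrade.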