Vaadin 8 source code (static) analysis for defects and vulnerabilities

I’ve been asked the question as to the framework is secure (or as secure as a GWT-based application can be). A Google search turned up a Coverity scan for the Vaadin GitHub project on, which lists 2 instances of “CWE-352: Cross-Site Request Forgery (CSRF)” in the “CWE Top 25 defects” list (and only those 2). There is a list of other (300+) code defects (not security-related per se) like null pointer dereferences, which probably won’t give management heartache. Just wondering if the scan dated Oct 08, 2015 applies to Vaadin 8, and if there are any more recent scans (on Coverity) or available from Vaadin.