How to resolve rule "Cipher Block Chaining IV's should be random and unique"

This is a tricky one:
The rule is implemented rather naively and does not rely on the context where the IV is used. When used in decrypt, it is safe to not randomly initialize it.

So, contrary to what @Lena mentioned (sorry mate :wink:), it is safe in your case. The rule just checks that when you construct an IV in a method, some secureRandom call is made in that method.

It should be improved with dataflow analysis at some point; in the meantime you can mark the issue as false positive.
Thanks for the feedback.
