Hi,
You’re looking at a report for a non-current version of the LTS. SonarQube 8.9.6 was released in late December, and 8.9.7 is imminent.
SonarQube only has a test dependency on Log4J and that dependency is updated to the latest fix versions in 8.9.6 LTS and in 9.3.
You may find this thread helpful.
Ann