There is no official documentation, although we have posted updates in this forum (which are “official”). We never used the vulnerable methods.
And, we actually removed the relevant dependencies anyways in SonarQube v9.8 before SonarQube v9.9 was released. Is this coming up on a scan you’re doing of the binaries, or just a box you need to tick off?