SonarQube, SonarCloud, and the Log4J vulnerability

Yeah cool, I overwrite the settings anyway. The release notes for 8.9.4 and 9.2.2 say “SonarQube versions update Log4J to a non-vulnerable version”, but that is not the case. Can you comment on that? This was actually the point of my original statement.

What I would like is either “I’m being dumb because…” or “Oops, we made a mistake and we’ve fixed it…”

Then we can all move on to something more important. My clients would just like to have a clear statement about the state of systems so they can stop stressing.

5 Likes