possible bug - Check log4j vulnerabilities being reported for correct packages
Summary
A customer running ~"Category:Dependency Scanning" believes we are over-reporting the CVE-2021-44228 vulnerability
The dependencyCheck plugin flags log4j-api and log4j-to-slf4j for CVE-2021-44228; at this time our guidance is that the vulnerability is only exposed via the log4j-core dependency.
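A small triage script, added here as an example (it is not part of this issue or of GitLab's own code), that separates CVE-2021-44228 findings on log4j-core from findings on sibling artifacts such as log4j-api and log4j-to-slf4j, so the latter can be queued for the manual review the guidance above implies. The report layout it reads (a `vulnerabilities` list with `identifiers` and `location.dependency.package.name`) is an assumed, simplified form of a dependency-scanning JSON report, and the sample report is constructed.

```python
"""Triage CVE-2021-44228 findings by the artifact they were raised against.

Assumption: the report is JSON with a "vulnerabilities" list, each entry
carrying "identifiers" (type/value pairs) and
"location.dependency.package.name". Adjust the two accessors below for
your scanner's real output.
"""
import json

CVE = "CVE-2021-44228"
# Per the guidance in the issue, exposure is via log4j-core only.
AFFECTED_ARTIFACTS = {"log4j-core"}

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "1", "identifiers": [{"type": "cve", "value": CVE}],
     "location": {"dependency": {"package": {"name": "org.apache.logging.log4j/log4j-core"}, "version": "2.14.1"}}},
    {"id": "2", "identifiers": [{"type": "cve", "value": CVE}],
     "location": {"dependency": {"package": {"name": "org.apache.logging.log4j/log4j-api"}, "version": "2.14.1"}}},
    {"id": "3", "identifiers": [{"type": "cve", "value": CVE}],
     "location": {"dependency": {"package": {"name": "org.apache.logging.log4j/log4j-to-slf4j"}, "version": "2.14.1"}}},
    {"id": "4", "identifiers": [{"type": "cve", "value": "CVE-2020-9488"}],
     "location": {"dependency": {"package": {"name": "org.apache.logging.log4j/log4j-core"}, "version": "2.14.1"}}},
]})


def _cves(finding):
    """Set of CVE identifiers attached to one finding."""
    return {i["value"] for i in finding.get("identifiers", [])
            if i.get("type", "").lower() == "cve"}


def _artifact(finding):
    """Bare artifact id, accepting 'group/artifact' or 'group:artifact' names."""
    name = finding["location"]["dependency"]["package"]["name"]
    return name.rsplit("/", 1)[-1].rsplit(":", 1)[-1]


def triage(report_json):
    """Return (actionable_ids, review_ids) for CVE-2021-44228 findings.

    actionable: raised against log4j-core, matches the guidance.
    review:     raised against another log4j artifact; candidates to close
                or mark as false positive after a human confirms.
    """
    actionable, review = [], []
    for f in json.loads(report_json).get("vulnerabilities", []):
        if CVE not in _cves(f):
            continue
        (actionable if _artifact(f) in AFFECTED_ARTIFACTS else review).append(f["id"])
    return actionable, review


if __name__ == "__main__":
    act, rev = triage(SAMPLE_REPORT)
    print(f"actionable: {act}\nneeds manual review: {rev}")
```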
What is the current bug behavior?
log4j-api has a finding for CVE-2021-44228
What is the expected correct behavior?
log4j-api does not have a finding for CVE-2021-44228
Cause
If a customer received this finding while it was still active, they need to manually action it (close it or mark it as a false positive), as we don't have a way to automatically action it today.
Edited by Nicole Schwartz