cfml

We build our docker container from `ortussolutions/commandbox:jdk11-alpine` and just hooked Snyk package scanning up to our amazon ECR, it's giving us a critical warning that our image is bundling in log4j 1.2 in the file:
```/app/server/WEB-INF/lucee-server/felix-cache/bundle58/version0.0@* › org.zenframework.z8.dependencies.commons:log4j-1.2.17@2.0 › log4j:log4j@1.2.17```
Does anyone know what the zenframework is about, the repo online appears very old with little detail. We're using lucee-light@5.3.9.133 with extensions (axis, esapi, image, json, jtds, memcached, pdf, s3), I thought lucee was log4j free? so I'm not sure how/why this would be getting bundled, has anyone else been warned of this?

Which version of command box? Never heard of the this zen framework

This would be the latest version of commandbox

Is there any way to find out why lucee or this felix-cache is bundling dependancies