See BUILD-611. In this case, log4j dependency comes transitively via Magnolia's bom/main and does not affect the blossom module itself directly.
Third-party libraries unrelated to Spring are already scanned for CVEs in dx-core and add-ons.