Current version of SQL Express 2019 & Log4J
eknraw opened this issue · comments
The current SQL Server Express 2019 installer used by the Dockerfile apparently includes a vulnerable Log4j JAR that is showing up in vulnerability scans.
Container file path that's showing up in security scans done by IT:
DRIVE:\dockerdata\windowsfilter\869666e4dae5aa60edf70e274db674aaf066faf05ef2f2a9baef1f834743cbca\Files\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
The Dockerfile would imply that an RTM version of 2019 is being used? Not sure if it's possible to provide a CU16-patched version of SQL Express. I can't seem to find one.
Line 19 in af44448
Now, as far as I can tell, the container doesn't include any of the Java language extensions or machine learning, or even the JRE, which would be needed for this to execute or be an issue.
Am I correct in interpreting this as a non-issue, i.e. that neither the container nor the host machine is vulnerable to any log4j exploits?
Thanks!
Correct - no Java is used in the container.
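The reasoning in the thread (a log4j jar is only a live problem if something in the image can load it) can be checked mechanically against an extracted image layer. The script below is an added example and not part of this issue or of the project's Dockerfile: it walks a directory tree, identifies log4j jars by their class-path contents (not just the file name, so renamed jars are caught), reads the version from the jar manifest, looks for a Java launcher, and reports whether both are present. The directory layout it builds is a constructed stand-in for the layer path quoted above; against a real image you would point `scan_layer` at the extracted `windowsfilter\...\Files` directory instead of calling `assess_sample`. Note that a scanner will keep flagging the jar even when no JVM exists, so the lasting fix is still to remove the file from the image or document the exception.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# File-name pattern for log4j artifacts, e.g. log4j-1.2.17.jar or log4j-core-2.14.1.jar
LOG4J_NAME_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d+\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)
# Class-path prefixes that identify log4j 1.x and 2.x even when the jar has been renamed
LOG4J_CLASS_PREFIXES = ("org/apache/log4j/", "org/apache/logging/log4j/")
# Launcher names whose presence means a JVM exists to load jars at all
JAVA_LAUNCHERS = {"java", "java.exe", "javaw.exe"}


def build_sample_layer(root: Path, with_jre: bool = False) -> None:
    """Create a constructed, minimal stand-in for the extracted SQL Server image layer."""
    jar_dir = root.joinpath("Program Files", "Microsoft SQL Server", "150",
                            "DTS", "Extensions", "Common", "Jars")
    jar_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(jar_dir / "log4j-1.2.17.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n\r\n")
        zf.writestr("org/apache/log4j/Logger.class", b"")  # empty placeholder entry
    if with_jre:
        # Hypothetical JRE location; the real image per the thread has none
        bin_dir = root.joinpath("Program Files", "Java", "jre", "bin")
        bin_dir.mkdir(parents=True, exist_ok=True)
        (bin_dir / "java.exe").write_bytes(b"")  # placeholder launcher


def classify_jar(path: Path) -> Optional[str]:
    """Return the log4j version if `path` is a log4j jar (by contents or name), else None."""
    version = None
    is_log4j = False
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            is_log4j = any(n.startswith(LOG4J_CLASS_PREFIXES) for n in names)
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    key, _, value = line.partition(":")
                    if key.strip().lower() == "implementation-version":
                        version = value.strip()
    except zipfile.BadZipFile:
        return None  # not a jar at all, whatever the extension says
    m = LOG4J_NAME_RE.match(path.name)
    if m:
        is_log4j = True
        version = version or m.group(1)  # fall back to the name when the manifest is silent
    return (version or "unknown") if is_log4j else None


def scan_layer(root: Path) -> Dict[str, object]:
    """Walk the layer; 'reachable' is True only if a log4j jar AND a Java launcher both exist."""
    jars: List[Tuple[str, str]] = []
    launchers: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name.lower() in JAVA_LAUNCHERS:
                launchers.append(str(p.relative_to(root)))
            elif name.lower().endswith(".jar"):
                ver = classify_jar(p)
                if ver is not None:
                    jars.append((str(p.relative_to(root)), ver))
    return {"log4j_jars": jars, "java_launchers": launchers,
            "reachable": bool(jars) and bool(launchers)}


def assess_sample(with_jre: bool) -> Dict[str, object]:
    """Build the constructed layer in a temp dir and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_layer(root, with_jre=with_jre)
        return scan_layer(root)


if __name__ == "__main__":
    for with_jre in (False, True):
        report = assess_sample(with_jre)
        print(f"JRE present in layer: {with_jre}")
        for rel, ver in report["log4j_jars"]:
            print(f"  log4j {ver}: {rel}")
        print(f"  launchers: {report['java_launchers'] or 'none'}")
        print(f"  execution path to the jar: {report['reachable']}")
```

The first run mirrors the situation in the thread: the jar is found and versioned, no launcher exists, so `reachable` is False. The second run shows what the same scan reports once a JRE is added to the layer, which is the case where the finding would need to be acted on rather than explained.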