aquasecurity / vuln-list

NVD, Ubuntu, Alpine

False positive on log4j-api #24

Closed murphy85 closed 2 years ago

murphy85 commented 2 years ago

GitHub lists both files, log4j-api and log4j-core, as vulnerable. As far as I know, this is not true. Only log4j-core is affected. This is really important, because a lot of projects are using log4j-api but do not use log4j-core (e.g. default Spring Boot projects).

vuln file: vuln-list/ghsa/maven/org.apache.logging.log4j/log4j-api/GHSA-jfh8-c2jp-5v3q.json

source: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

I guess you cannot change anything, but maybe you know how to deal with false-positive data like this.

murphy85 commented 2 years ago

Duplicate https://github.com/aquasecurity/trivy/issues/1463