False positive on log4j-api
murphy85 opened this issue
Github lists both files, log4j-api and log4j-core, as vulnerable. As far as I know, this is not true. Only log4j-core is affected.
This is really important, because a lot of projects are using log4j-api, but do not use log4j-core (e.g. default Spring Boot projects).
vuln file:
vuln-list/ghsa/maven/org.apache.logging.log4j/log4j-api/GHSA-jfh8-c2jp-5v3q.json
source:
GHSA-jfh8-c2jp-5v3q
I guess you cannot change anything, but maybe you know how to deal with false-positive data like this.
Duplicate of aquasecurity/trivy#1463