Github lists both files, log4j-api and log4j-core, as vulnerable. As far as I know, this is not true. Only log4j-core is affected.
This is really important, because a lot of projects are using log4j-api, but do not use log4j-core (e.g. default Spring Boot projects).

vuln file:
vuln-list/ghsa/maven/org.apache.logging.log4j/log4j-api/GHSA-jfh8-c2jp-5v3q.json

source:
GHSA-jfh8-c2jp-5v3q

I guess, you cannot change anything, but maybe you know how to deal with false/positive data like this.

Duplicate aquasecurity/trivy#1463