This post really highlights what a pain it is to hunt down those vulnerable Log4j versions, especially when they're buried deep in other JARs. It’s a classic software supply chain headache. It makes you think, a tool like ZAST.AI that's built for software supply chain security could probably make finding and fixing this stuff much more automatic.