Unless I have misunderstood, this vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1. I have scanned a directory that contains 2.0.2 and it didn't show up, presumably as there isn't a hash for it. I can supply a hash or a PR if needed.