Imagine you are the maintainer of a dependency (e.g. Cap'n Proto) that receives CVEs, but you are also the maintainer of one of its dependents (Lix), and you know that the way the dependent uses the dependency cannot trigger the effects of the CVE. In such a scenario it is desirable to be able to mark the dependent as not affected, together with a comment explaining why (which can then be scrutinized, revoked, etc.; it is not perfect, but it is reviewable).
Note: the Go ecosystem can compute this information automatically (govulncheck does it by call-graph analysis, because the Go vulnerability database records which symbols are affected). Other ecosystems usually do not have this capacity, especially since a CVE does not tell you which function is vulnerable, so you cannot redo the same analysis in other languages even where the static analysis itself would be feasible.
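As an added illustration of what such a mark would look like when a scanner consumes it (this is example code, not Lix, Nix or Cap'n Proto code; the record layout is an assumption, loosely modelled on VEX-style "not affected" statements, and the advisory IDs and package names in the sample are constructed placeholders): an assertion is scoped to one dependent, one dependency and one advisory, carries a free-text justification and an author so it can be reviewed, and can be revoked without deleting it. Findings that match a live assertion are suppressed with the justification attached; everything else stays open.

```python
"""Hypothetical "not affected" annotations for a dependent package.

Added example; not the code of Lix, Nix or Cap'n Proto. The record layout
is an assumption. Advisory IDs such as "EXAMPLE-1" are constructed
placeholders, not real identifiers.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One scanner hit: `dependent` pulls in `dependency`, which has `advisory`."""
    dependent: str
    dependency: str
    advisory: str


@dataclass(frozen=True)
class NotAffected:
    """A reviewable claim that `dependent` is not affected by `advisory` in `dependency`."""
    dependent: str
    dependency: str
    advisory: str
    justification: str          # free text; the thing a reviewer scrutinizes
    author: str                 # who made the claim
    revoked: Optional[str] = None  # set to a reason when the claim is withdrawn

    def covers(self, f: Finding) -> bool:
        # A revoked assertion must never suppress anything; keep it in the
        # list so the history remains visible, but treat it as absent here.
        if self.revoked is not None:
            return False
        # Scope is exact: a claim about one dependent says nothing about
        # another dependent of the same library.
        return (self.dependent, self.dependency, self.advisory) == (
            f.dependent, f.dependency, f.advisory)


def triage(findings: Iterable[Finding],
           assertions: Iterable[NotAffected]
           ) -> Tuple[List[Finding], List[Tuple[Finding, NotAffected]]]:
    """Split findings into (still_open, suppressed_with_assertion)."""
    assertions = list(assertions)
    still_open: List[Finding] = []
    suppressed: List[Tuple[Finding, NotAffected]] = []
    for f in findings:
        match = next((a for a in assertions if a.covers(f)), None)
        if match is None:
            still_open.append(f)
        else:
            suppressed.append((f, match))
    return still_open, suppressed


# Constructed sample input (placeholder names and advisory IDs).
SAMPLE_FINDINGS = [
    Finding("lix", "capnproto", "EXAMPLE-1"),
    Finding("lix", "capnproto", "EXAMPLE-2"),
    Finding("lix", "capnproto", "EXAMPLE-3"),
    Finding("other-tool", "capnproto", "EXAMPLE-1"),  # different dependent, same advisory
]

SAMPLE_ASSERTIONS = [
    NotAffected("lix", "capnproto", "EXAMPLE-1",
                justification="affected decoder is never reached from lix; "
                              "only the RPC layer is linked",
                author="maintainer"),
    NotAffected("lix", "capnproto", "EXAMPLE-2",
                justification="originally believed unreachable",
                author="maintainer",
                revoked="later found reachable via the daemon protocol"),
]


def example() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Run triage on the sample and return a compact, comparable summary."""
    still_open, suppressed = triage(SAMPLE_FINDINGS, SAMPLE_ASSERTIONS)
    open_ids = [f"{f.dependent}:{f.advisory}" for f in still_open]
    closed = [(f"{f.dependent}:{f.advisory}", a.author, a.justification)
              for f, a in suppressed]
    return open_ids, closed


if __name__ == "__main__":
    opened, closed = example()
    print("still open:", opened)
    print("suppressed:", closed)
```

The two cases a practitioner should check are visible in the sample: the revoked assertion for EXAMPLE-2 no longer suppresses anything, and the claim about lix does not leak onto other-tool even though both consume the same library and the same advisory.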