It's awful that a system meant for the benefit of maintainers and users is now being perverted into such theatrics. In a way, if you want to undermine the concept of security this is one of the ways you can do it.
On the user side of this token I experience similar theatrics. Monthly I have to deal with a list of vulnerabilities that are detected within our software. Some are easy fixes, like updating a package manager, which equates to just rerunning a pipeline. Others are not, and I found myself recently trying to rebuild an entire container build process because the software is on a biannual release process and they'd used the x/crypto package in Go, which contains an SSH client and server. The server was vulnerable and the software we were using made use of the client, but not the server. Regardless, our software was flagged with a high vulnerability. The utilities available are smart enough to take apart my Go binary during container inspection but not smart enough to figure out if I actually use the vulnerable thing. The resulting toil and theatrics aren't just a time waster, they're a soul-sucking activity laden with difficult tasks to achieve minor outcomes like, "How do I make sure we miss the possibility of even irrelevant CVEs showing up in the first place" - which is probably not what you want.