diff --git a/tools/dependency/cve_scan.py b/tools/dependency/cve_scan.py
index 80dcbf9d0df0..24489ae40d5c 100755
--- a/tools/dependency/cve_scan.py
+++ b/tools/dependency/cve_scan.py
@@ -75,20 +75,21 @@
 'CVE-2021-22931',
 'CVE-2021-22939',
 'CVE-2021-22940',
- # This cve only affects versions of kafka < 2.8.1, but scanner
- # does not support version matching atm.
- # Tracking issue to fix versioning:
- # https://github.com/envoyproxy/envoy/issues/18354
+ #
+ # Currently, cvescan does not respect/understand versions (see #18354).
+ #
+ # The following CVEs target versions that are not currently used in the Envoy repo.
+ #
+ # libcurl
+ "CVE-2021-22945",
+ #
+ # kafka
 'CVE-2021-38153',
- # Excluded by version
 #
 # wasmtime
 "CVE-2021-39216",
 "CVE-2021-39218",
 "CVE-2021-39219",
 ])
 
 # Subset of CVE fields that are useful below.
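Review bot: The rewritten comment block drops the only affected-version bound this list recorded: the removed lines stated that CVE-2021-38153 applies to kafka < 2.8.1, while the new `# kafka` heading relies on the general statement that the targeted versions are "not currently used in the Envoy repo". Because the scanner does not understand versions, these entries appear to be excluded by CVE id alone, so without the bound a reader cannot re-check an ignore after a dependency is pinned to a different version. I would keep the range on the heading, e.g. `# kafka (affects < 2.8.1)`, and record the corresponding range from each advisory on the `# libcurl` and `# wasmtime` headings, so the entries can be re-validated or removed once #18354 lands. The list begins above the hunk, so earlier entries are not visible here.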