MINOR: document how to deal with advisories for dependencies

cve-list.html

@@ -7,7 +7,19 @@
 
 <h1>Apache Kafka Security Vulnerabilities</h1>
 
+<p>
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
+</p>
+
+<p>
+This page does <b>not</b> list security advisories for dependencies of Kafka.
+If your security scanner warns that there is an advisory for a dependency of Kafka, please
+see <a href="https://security.apache.org/report-dependency/">this documentation</a>. You can find the current development versions
+of various dependencies <a href="https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle">here</a>.
+You can find a list of advisories that have been confirmed not to
+apply to Kafka <a href="https://github.com/apache/kafka/blob/trunk/gradle/resources/dependencycheck-suppressions.xml">here</a>.
+You are invited to <a href="https://kafka.apache.org/contributing.html">contribute</a> version updates or (motivated) suppressions.
+</p>
 
       <h2 id="CVE-2024-31141"><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-31141">CVE-2024-31141</a> Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients</h2>