diff --git a/pkg/ociwclayer/import.go b/pkg/ociwclayer/import.go
index 4ebfbbc2f7..07cd4a9b77 100644
--- a/pkg/ociwclayer/import.go
+++ b/pkg/ociwclayer/import.go
@@ -61,8 +61,7 @@ func ImportLayerFromTar(ctx context.Context, r io.Reader, path string, parentLay
 func writeLayerFromTar(ctx context.Context, r io.Reader, w wclayer.LayerWriter, root string) (int64, error) {
 t := tar.NewReader(r)
- // CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
- // bound to the layer root directory.
+ // CodeQL [SM03409] `internal\wclayer` uses `internal/safefile` to bind tar extraction to the layer's root directory.
 hdr, err := t.Next()
 totalSize := int64(0)
 buf := bufio.NewWriter(nil)
@@ -80,16 +79,14 @@ func writeLayerFromTar(ctx context.Context, r io.Reader, w wclayer.LayerWriter,
 if err != nil {
 return 0, err
 }
- // CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
- // bound to the layer root directory.
+ // CodeQL [SM03409] `internal\wclayer` uses `internal/safefile` to bind tar extraction to the layer's root directory.
 hdr, err = t.Next()
 } else if hdr.Typeflag == tar.TypeLink {
 err = w.AddLink(filepath.FromSlash(hdr.Name), filepath.FromSlash(hdr.Linkname))
 if err != nil {
 return 0, err
 }
- // CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
- // bound to the layer root directory.
+ // CodeQL [SM03409] `internal\wclayer` uses `internal/safefile` to bind tar extraction to the layer's root directory.
 hdr, err = t.Next()
 } else {
 var (
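Review bot: The rewritten suppression comment mixes path separators — `internal\wclayer` beside `internal/safefile` — in all three places it is added (before the first `t.Next()` in this hunk and before both `t.Next()` calls in the second hunk); Go package paths use forward slashes, so `internal/wclayer` would read as the import path it names rather than a Windows directory. The justification now also rests on the concrete writer behind `w wclayer.LayerWriter`: if that is an interface, a different implementation would not inherit the safefile confinement, and the comment should say so explicitly so the SM03409 suppression is re-examined whenever a new writer is introduced. Suggested wording, kept within the file's usual line length: `// CodeQL [SM03409] hdr.Name/hdr.Linkname are handed to w; the internal/wclayer writer routes them` / `// through internal/safefile, which confines extraction to the layer root.` writeLayerFromTar starts in the first hunk and continues past the end of the second.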