by monsieurgaufre 1063 days ago
I really don't want to derail the thread as it is useful, but i'm curious about the security reasons against Debian/Ubuntu.

I'm also curious how Mint resolves the security threat of Debian and Ubuntu, given its lineage.
For reference I've included the OVAL datasets [1] [2] for Debian and Ubuntu, as well as the CVE list [3] for Debian that's used as a basis for generating the issues/view in the frontend. For argument's sake (feature freezes are bad for security is my baseline argument) I'm focussing on Ubuntu LTS which is jammy at the time.

The issue terminology you want to look for is "diverged too much from upstream" or a bunch of different similar EOL or end-of-life or "end of life" tags that are not standardized in any security tracker's format. I'd argue that both security teams use software with free-form text areas for setting the tags of the issues (e.g. closed, fixed, and other).

Accumulative word list that might be incomplete, to discover those kinds of issues:

- "bug, not a security problem"
- "cannot reproduce"
- "eol"
- "end-of-life"
- "end of standard support"
- "end of esm support"
- "out of standard support"
- "reached end of life"
- "ignored"
- "changes too intrusive"
- "contains no code"
- "code is different"
- "code is very different"
- "code not built"
- "code not compiled"
- "code-not-compiled"
- "code not present"
- "code not-present"
- "code-not-present"
- "code not shipped"
- "not-in-code"
- "disputed"
- "fix would break"
- "intrusive"
- "not remotely exploitable"
- "was deferred"
- "was needed"
- "was pending"
- "no server code"
- "no update available"
- "no security impact"
- "not available"
- "not security vulnerability"
- "not supported"
- "not upstream fix"
- "ugly backport"
- "update not available"
- "upstream version is not redistributable"
- "removed from archive"
- "replaced by"
- "superseded"
- "superseded by"
- "too intrusive"

Source: I am building a scraper and vulnerability database that is cross-distro, and has different confidence factors for different linux distributions (for mentioned reasons). [4]

[1] https://www.debian.org/security/oval/oval-definitions-bullse...

[2] https://security-metadata.canonical.com/oval/com.ubuntu.jamm...

[3] https://salsa.debian.org/security-tracker-team/security-trac...

[4] https://github.com/tholian-network/vulnerabilities
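The post's point is that the "not fixed, but not for lack of a vulnerability" reasons live in free-form text, spelled inconsistently ("code-not-present", "code not-present", "code not present"), so a consumer has to normalize and keyword-match rather than read a status field. The following is an added example written for this page, not code from the linked tholian-network project or from either distribution's tracker. It normalizes hyphenation and case, matches the word list above with word boundaries, and sorts each tracker entry into "still exposed" (EOL, ignored, deferred, too intrusive) versus "claims unaffected" (code not present, not a security issue). The input format is an approximation of the Debian security tracker's CVE list layout (an assumption made here), and the sample entries, package names, and CVE-2099-* identifiers are constructed for the example.

```python
import re
from typing import Optional

# Phrases from the word list above, mapped to a coarse category. Keys are kept
# in normalized form (lowercase, '-'/'_' collapsed to single spaces), so the
# hyphenated and spaced spellings in the list all resolve to one entry.
SKIP_PHRASES = {
    "bug, not a security problem": "not_security", "no security impact": "not_security",
    "not security vulnerability": "not_security", "cannot reproduce": "unverified",
    "eol": "eol", "end of life": "eol", "reached end of life": "eol",
    "end of standard support": "eol", "end of esm support": "eol", "out of standard support": "eol",
    "ignored": "ignored", "changes too intrusive": "wontfix", "too intrusive": "wontfix",
    "intrusive": "wontfix", "fix would break": "wontfix", "ugly backport": "wontfix",
    "not upstream fix": "wontfix", "contains no code": "code_absent", "code not built": "code_absent",
    "code not compiled": "code_absent", "code not present": "code_absent",
    "code not shipped": "code_absent", "not in code": "code_absent", "no server code": "code_absent",
    "code is different": "diverged", "code is very different": "diverged",
    "disputed": "disputed", "not remotely exploitable": "downplayed",
    "was deferred": "deferred", "was needed": "deferred", "was pending": "deferred",
    "no update available": "unavailable", "update not available": "unavailable",
    "not available": "unavailable", "upstream version is not redistributable": "unavailable",
    "not supported": "unsupported", "removed from archive": "removed",
    "replaced by": "superseded", "superseded": "superseded", "superseded by": "superseded",
}
# Categories where the package is (or may still be) vulnerable on a live system
# versus categories where the tracker asserts there is no exposure at all.
STILL_EXPOSED = frozenset({"eol", "ignored", "wontfix", "deferred", "unavailable", "unsupported", "removed"})
CLAIMS_UNAFFECTED = frozenset({"code_absent", "not_security", "disputed", "downplayed", "diverged", "unverified"})


def normalize(text: str) -> str:
    """Lowercase, turn '-' and '_' into spaces, squeeze whitespace."""
    text = re.sub(r"[-_]+", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


# Word-boundary search per phrase so "eol" cannot fire inside another word.
_PHRASE_RES = [(re.compile(r"\b" + re.escape(normalize(p)) + r"\b"), cat)
               for p, cat in SKIP_PHRASES.items()]


def tags_in(text: str) -> list[str]:
    """All categories whose phrases occur in the free-form text, sorted, deduplicated."""
    norm = normalize(text)
    return sorted({cat for rx, cat in _PHRASE_RES if rx.search(norm)})


def verdict(state: Optional[str], tags: list[str]) -> str:
    exposed = any(t in STILL_EXPOSED for t in tags)
    unaffected = any(t in CLAIMS_UNAFFECTED for t in tags)
    if exposed and unaffected:
        return "conflicting"       # notes disagree with each other; needs a human
    if exposed:
        return "still-exposed"
    if unaffected:
        return "claims-unaffected"
    if tags:
        return "review"            # e.g. "superseded by", tracked under another id
    if state and not state.startswith("<"):
        return "fixed"             # a concrete fixed version was recorded
    return "open"                  # <unfixed>, <undetermined>, or no state at all


# Assumed entry shape: "CVE-YYYY-NNNN (...)" header, then indented lines of the form
# "[release] - package <state-or-version> (free-form note)"; NOTE:/TODO: lines are skipped.
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
ENTRY_RE = re.compile(r"^\s*(?:\[(?P<release>[^\]]+)\]\s*)?-\s+(?P<package>\S+)"
                      r"(?:\s+(?P<state>[^\s(]+))?(?:\s*\((?P<note>[^)]*)\))?\s*$")


def audit(text: str) -> list[dict]:
    """Parse tracker text and attach matched tags and a verdict to every entry."""
    records, cve = [], None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            cve = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or cve is None:
            continue
        state, note = m.group("state"), m.group("note") or ""
        tags = tags_in((state or "").strip("<>") + " " + note)
        records.append({"cve": cve, "release": m.group("release"), "package": m.group("package"),
                        "state": state, "tags": tags, "verdict": verdict(state, tags)})
    return records


# Constructed sample input (fictional CVE ids and packages), not real tracker data.
SAMPLE = """\
CVE-2099-0001 (constructed example entry)
\t- foo 1.2-3 (bug #1; low)
\t[bullseye] - foo <end-of-life> (Not supported in bullseye)
\t[buster] - foo <ignored> (Minor issue; changes too intrusive)
\tNOTE: https://example.invalid/constructed-note
CVE-2099-0002 (constructed example entry)
\t- bar <not-affected> (Vulnerable code-not-present)
\t[buster] - bar <ignored> (code not present; fix too intrusive)
\t- baz <unfixed>
\t[bullseye] - baz <no-dsa> (Upstream fix was deferred)
"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['cve']} {r['release'] or '-':9} {r['package']:4} {r['verdict']:17} {r['tags']}")
```

Only the "still-exposed" and "conflicting" rows are the ones the post is warning about: an entry like `<end-of-life>` or `<ignored> (changes too intrusive)` is a package that stays vulnerable on the affected release, while a `<not-affected> (code not present)` entry is the distro asserting no exposure. Real tracker notes will contain wordings not in the list, so a consumer should treat an unmatched `<no-dsa>`/`<ignored>` note as "open" and extend SKIP_PHRASES rather than silently trusting it.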