Sébastien,
The mentioned snippet suppresses “all vulnerabilities registered against any of the listed cpe’s” for dependencies that match the given gav.
The gav is used for matching, and if it matches the suppression rules suppress the recognition of that gav as any of the listed cpe’s.
The cpe-based suppression is to be used if the analysis makes a false-positive link to some product.
See also the XSD for the suppressions file:
The first choice within the suppress element determines the matching criteria (filepath/sha1/gav) and the second the items that are to be suppressed (cpe/cve/cwe/cvssBelow)
Regards,