
False Positive: SLScan Misidentifies Redis Python Package as Redis Server #401

@ayush11122

Description


I am currently using SLScan in our pipeline to run depscan.

pipelines:
  custom:
    Sprinto-Slscan:
      - step:
          name: Slscan
          image: shiftleft/scan:latest
          script:
            - scan --type depscan --no-error
            - cat reports/depscan-report-*.json > reports/depscan-report.json 2>/dev/null || true
            - zip reports/all-reports.zip reports/*

Now my requirement.txt file for the Python code base looks like this:

prefect==3.0.1
fastapi
elasticsearch[async]==7.10.1
loguru==0.7.2
redis==5.2.1
pymongo==4.9.1
psycopg2-binary==2.9.10
dotty-dict==1.3.1

and after scanning, it is giving me these vulnerabilities in the report:

  • scan --type depscan --no-error

███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██║     ███████║██╔██╗ ██║
╚════██║██║     ██╔══██║██║╚██╗██║
███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

[22:35:10] INFO Scanning /opt/atlassian/pipelines/agent/build using plugins ['depscan']
 Dependency Scan Results (universal)
╔════════════════╤══════════════════════╤═════════════════════╤═════════╤═════════════╤══════════╤═══════╗
║ CVE            │ Package              │ Insights            │ Version │ Fix Version │ Severity │ Score ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-24834 │ pkg:pypi/redis@5.2.1 │ 🧾 Vendor Confirmed │ 5.2.1   │ 6.2.14      │ HIGH     │ 8.8   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-36021 │ pkg:pypi/redis@5.2.1 │                     │ 5.2.1   │ 6.2.14      │ MEDIUM   │ 5.5   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2023-28856 │ pkg:pypi/redis@5.2.1 │ 🧾 Vendor Confirmed │ 5.2.1   │ 6.2.14      │ MEDIUM   │ 6.5   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2021-31294 │ pkg:pypi/redis@5.2.1 │                     │ 5.2.1   │ 6.2.14      │ MEDIUM   │ 5.9   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-24735 │ pkg:pypi/redis@5.2.1 │ 🧾 Vendor Confirmed │ 5.2.1   │ 6.2.14      │ HIGH     │ 7.8   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-24736 │ pkg:pypi/redis@5.2.1 │ 🧾 Vendor Confirmed │ 5.2.1   │ 6.2.14      │ MEDIUM   │ 5.5   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2023-25155 │ pkg:pypi/redis@5.2.1 │                     │ 5.2.1   │ 6.2.14      │ MEDIUM   │ 6.5   ║
╟────────────────┼──────────────────────┼─────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2023-45145 │ pkg:pypi/redis@5.2.1 │ 🧾 Vendor Confirmed │ 5.2.1   │ 6.2.14      │ LOW      │ 3.6   ║
╚════════════════╧══════════════════════╧═════════════════════╧═════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯

But here it is comparing my redis-cli version with CVEs of the Redis server and giving me those vulnerabilities in the Dependency Scan Results.

This is not accurate, as a dependency should not be compared against database/server CVEs.
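The collision described in this issue is a name-and-version match that ignores the package ecosystem: `pkg:pypi/redis@5.2.1` is the Python client, while the listed CVEs are keyed to the Redis server product, whose "fix version" 6.2.14 is a server release and says nothing about the PyPI package. The example below is an added illustration, not part of this issue and not SLScan/depscan code; it does not claim how depscan matches internally. It parses a purl, maps its type to an ecosystem label, and only accepts an advisory whose affected entry is keyed to that same ecosystem and package name, so that a product-style (CPE-only) record for the server can never match a PyPI purl. The vulnerability records are constructed: the first mirrors the CVE-2022-24834 row in the report above (server record, fix 6.2.14, no ecosystem); the second uses a placeholder ID, `EXAMPLE-PYPI-0001`, and a hypothetical range to show what a genuine PyPI-keyed hit looks like.

```python
"""
Ecosystem-aware advisory matching for purl-identified dependencies.

Added example, not part of the issue or of the depscan/SLScan code base.
Advisory records are constructed and labelled as such below.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the purl grammar: pkg:type/[namespace/]name@version (qualifiers ignored).
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)"
)

# purl type -> ecosystem label (OSV-style names). Only the types needed here.
ECOSYSTEM_OF_TYPE = {
    "pypi": "PyPI", "npm": "npm", "maven": "Maven",
    "golang": "Go", "cargo": "crates.io", "gem": "RubyGems",
}


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: str

    @property
    def ecosystem(self) -> Optional[str]:
        return ECOSYSTEM_OF_TYPE.get(self.type)


def parse_purl(s: str) -> Purl:
    m = _PURL_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a versioned purl: {s!r}")
    return Purl(m["type"], m["ns"], m["name"], m["version"])


def canon_name(ecosystem: Optional[str], name: str) -> str:
    # PEP 503 normalisation for PyPI names; plain lowercase elsewhere.
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()


def vkey(v: str) -> tuple:
    # Numeric-only comparison key: fine for release versions such as 5.2.1 / 6.2.14,
    # not a full PEP 440 comparator (pre-releases and epochs are not handled).
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Affected:
    name: str
    ecosystem: Optional[str]      # None = product/CPE-style record (e.g. the Redis server)
    introduced: str = "0"
    fixed: Optional[str] = None   # half-open range [introduced, fixed)


@dataclass(frozen=True)
class Vuln:
    id: str
    affected: tuple


def _in_range(version: str, a: Affected) -> bool:
    v = vkey(version)
    return v >= vkey(a.introduced) and (a.fixed is None or v < vkey(a.fixed))


def is_affected(purl: Purl, vuln: Vuln) -> bool:
    """True only when an affected entry is keyed to the purl's own ecosystem and
    (normalised) package name and the version falls inside its range."""
    for a in vuln.affected:
        if a.ecosystem is None or a.ecosystem != purl.ecosystem:
            continue  # product record or other ecosystem: never match a package purl
        if canon_name(a.ecosystem, a.name) != canon_name(purl.ecosystem, purl.name):
            continue
        if _in_range(purl.version, a):
            return True
    return False


def name_only_hit(purl: Purl, vuln: Vuln) -> bool:
    """What a matcher that keys on bare name + version would report; used only
    to label the cross-ecosystem collisions this issue is about."""
    return any(a.name.lower() == purl.name.lower() and _in_range(purl.version, a)
               for a in vuln.affected)


def triage(purl_str: str, vulns) -> dict:
    purl = parse_purl(purl_str)
    verdicts = {}
    for v in vulns:
        if is_affected(purl, v):
            verdicts[v.id] = "affected"
        elif name_only_hit(purl, v):
            verdicts[v.id] = "false-positive (name/version collision across ecosystems)"
        else:
            verdicts[v.id] = "not-affected"
    return verdicts


# Constructed records, not pulled from any feed. The first mirrors the report
# row above (server CVE, fix 6.2.14, no package ecosystem). The second is a
# hypothetical PyPI-keyed advisory with a placeholder ID and made-up range.
SAMPLE_VULNS = (
    Vuln("CVE-2022-24834", (Affected("redis", None, "0", "6.2.14"),)),
    Vuln("EXAMPLE-PYPI-0001", (Affected("redis", "PyPI", "5.0.0", "5.3.0"),)),
)

if __name__ == "__main__":
    for vid, verdict in triage("pkg:pypi/redis@5.2.1", SAMPLE_VULNS).items():
        print(f"{vid}: {verdict}")
```

Run against `pkg:pypi/redis@5.2.1`, the server record is reported as a cross-ecosystem collision rather than a finding, while the PyPI-keyed record matches. The same shape works for the other rows in the table: every one of them carries a server fix version with no PyPI affected entry, so none would survive this check. When triaging depscan output by hand, the practical question is the same one the code asks: does the advisory name the PyPI package `redis`, or only the Redis server product?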
