
The Black Duck scanner in particular, I've found, is really easy to misconfigure to siphon up all sorts of crazy shit. Did some coworker write a one-off support script that uses an ancient container in some random repository? Oops, now you've got to answer for why you've got a dozen Debian or Alpine vulns in a product that ships on bare-metal RHEL. If your build process is not 100% lunar-lander clean (which, in the era of "ship trash as fast as possible", it's not going to be), you inevitably end up with an absolute deluge of things flagged that you have no idea where they came from, or how to explain to some suit that no, we're not shipping Debian Jessie in 2025, calm down.
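A scope-aware triage step for exactly this failure mode, as an added example that is not from the thread and not Black Duck's own tooling: it splits scanner hits by whether the matched file actually sits inside the shipped artifact, and separately flags a foreign-distro package that has leaked into it. The shipped roots, the shipped OS and the sample findings are assumed values constructed for the example.

```python
from dataclasses import dataclass

# Assumed for the example: the product is laid out under these roots and
# ships on RHEL. Anything the scanner matched outside them came from build
# tooling, a one-off support script or a stale container in the repo.
SHIPPED_OS = "rhel"
SHIPPED_ROOTS = ("dist/", "rpm/BUILDROOT/")

@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str      # placeholder ids only; no real advisory numbers here
    detected_os: str   # distro the matched package belongs to ("" if unknown)
    path: str          # where in the scanned tree the match was made

def classify(f: Finding, shipped_os: str = SHIPPED_OS,
             shipped_roots: tuple = SHIPPED_ROOTS) -> str:
    """Sort one finding by where the matched file lives, not by its CVSS score."""
    in_artifact = f.path.startswith(shipped_roots)
    if not in_artifact:
        # Fix the scan scope or clean the repo; this is not a product vuln.
        return "build-env-only"
    if f.detected_os and f.detected_os != shipped_os:
        # A Debian/Alpine layer ended up inside the shipped tree: worth a look.
        return "foreign-os-in-artifact"
    return "product"

def triage(findings):
    """Group findings by class; returns {class: [Finding, ...]}."""
    groups = {}
    for f in findings:
        groups.setdefault(classify(f), []).append(f)
    return groups

# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("openssl", "1.1.0l-1~deb9u6", "ADV-PLACEHOLDER-1", "debian",
            "tools/support-script/rootfs/usr/lib/x86_64-linux-gnu/libssl.so.1.1"),
    Finding("musl", "1.1.24-r9", "ADV-PLACEHOLDER-2", "alpine",
            ".cache/docker/alpine-3.12/lib/ld-musl-x86_64.so.1"),
    Finding("zlib", "1.2.11-31.el8", "ADV-PLACEHOLDER-3", "rhel",
            "dist/product/lib/libz.so.1"),
    Finding("busybox", "1.31.1-r19", "ADV-PLACEHOLDER-4", "alpine",
            "dist/product/bin/busybox"),
]

if __name__ == "__main__":
    for cls, items in triage(SAMPLE).items():
        print(f"{cls}: {[f.component for f in items]}")
```

The "build-env-only" bucket is the one to hand back to whoever owns the scanner config; only the other two belong in the product's vulnerability report.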



