and especially this note included in the documentation:
The CVE scanner might show false positives as it does not check whether the vulnerability actually exists.
Generally the CVE scanner only takes the version, like 1.14.0, into account, without checking more specific distribution-specific version suffixes like the Ubuntu one, and reports all CVEs affecting this version. This is by design and the expected functionality.
As the NVD database (which is the source from which the CVE scanner takes its vulnerability information) doesn’t maintain distribution versions like 1.14.0-0ubuntu1.9, the CVE scanner can’t do that either (at least not as it is currently designed / implemented).
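The matching behaviour described above, modelled as an added example (this is not the scanner's own code and not part of the original text). It assumes Debian/Ubuntu version layout (`[epoch:]upstream[-revision]`); the function names are hypothetical and the CVE ids and affected ranges are constructed placeholders.

```python
import re

# Constructed NVD-style records: placeholder ids, made-up upstream ranges.
SAMPLE_CVES = [
    {"id": "CVE-XXXX-0001", "start_incl": "1.10.0", "end_excl": "1.16.1"},
    {"id": "CVE-XXXX-0002", "start_incl": "1.15.0", "end_excl": "1.15.6"},
]


def split_package_version(installed):
    """Split '[epoch:]upstream[-revision]' into (upstream, distro_revision)."""
    no_epoch = installed.split(":", 1)[-1]
    upstream, sep, revision = no_epoch.rpartition("-")
    if not sep:  # no hyphen: plain upstream version, no distro revision
        return no_epoch, ""
    return upstream, revision


def version_key(upstream):
    """Numeric sort key for a dotted upstream version such as '1.14.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def version_only_matches(installed, cves=SAMPLE_CVES):
    """Report every CVE whose upstream range contains the installed version.

    The distribution revision is dropped before comparison, so a package the
    distribution has patched by backport still matches. Such findings are
    flagged so they can be checked against the distribution's own advisories.
    """
    upstream, revision = split_package_version(installed)
    key = version_key(upstream)
    findings = []
    for cve in cves:
        if version_key(cve["start_incl"]) <= key < version_key(cve["end_excl"]):
            findings.append({
                "id": cve["id"],
                "matched_on": upstream,
                "ignored_suffix": revision,
                "verify_against_distro_advisory": bool(revision),
            })
    return findings


if __name__ == "__main__":
    for finding in version_only_matches("1.14.0-0ubuntu1.9"):
        print(finding)
```

A finding with a non-empty `ignored_suffix` is a candidate false positive, not a confirmed one: whether the fix was backported has to be checked in the distribution's security tracker.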