Remediation of CVEs is part of an ongoing effort in DV 1.7.x (CP4D 4.0.x). The same is not available for DV 1.5 that you have asked about, and nor are updates for DV 1.5 being provided. All customers still using DV versions prior to DV 1.7.x/CP4D 4.0.x are urged to upgrade to DV on CP4D 4.0.x to benefit from the remediation effort and fixes.
With regard to your question, whether they are legitimate or false positives, there is a significant change between DV 1.5 and 1.7 that makes comparison of any list of CVEs difficult. So it is hard to say unless referring to a specific CVE, whether it was analyzed as legitimate or false positive, or if there is a fix already delivered in DV 1.7.x.
Hope this answers your question.