Does FractalScan recognise Backport patching?
Backporting is a software patching approach where a patch or update is taken from a recent version of software and applied to an older version of the same software. There is a good explanation here: What is Backporting
If you use the backporting approach, FractalScan may still flag the software version as being at risk. FractalScan reports only on what it can see passively (for example, the version string a service advertises); it does not have the level of access required to determine that vulnerabilities have been addressed through backports.
FractalScan's current approach to risk reporting is to report observations that might be a problem, even if closer inspection of the servers by the team managing them shows the risk to have been resolved via a backport.
To help with managing this, you can mark a risk as 'ignored' (you can find guidance here) so that it no longer appears in the results. This has the added benefit that if new CVEs are later found against the same software version, they will show up as new risks to investigate.
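Before marking a flagged risk as ignored, the team managing the server can check the package changelog for the CVE ids the scan reported. The following is an added example, not FractalScan code: it parses a constructed changelog excerpt in the format printed by `rpm -q --changelog` and splits scanner-flagged CVE ids into those the changelog says were addressed and those still to investigate; the package name, maintainer and CVE ids are constructed placeholders.

```python
"""Check passively flagged CVE ids against a package changelog to spot backports."""
import re
from typing import Dict, List, Set

# Constructed sample in the format printed by `rpm -q --changelog <package>`.
# Package, maintainer and CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Jan 18 2022 Example Maintainer <maint@example.invalid> - 2.4.6-97.3
- Resolves: CVE-2099-0001 examplehttpd: request smuggling via chunked encoding
- Resolves: CVE-2099-0002 examplehttpd: NULL dereference in mod_example
* Mon Oct 04 2021 Example Maintainer <maint@example.invalid> - 2.4.6-97.2
- Resolves: CVE-2099-0003 examplehttpd: SSRF via mod_proxy
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def cves_in_changelog(changelog: str) -> Set[str]:
    """Return every CVE id mentioned anywhere in the changelog, upper-cased."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def triage(flagged: List[str], changelog: str) -> Dict[str, List[str]]:
    """Split scanner-flagged CVE ids into 'addressed' (mentioned in the
    changelog, so candidates for marking as ignored after review) and
    'investigate' (no evidence of a backport in the changelog)."""
    mentioned = cves_in_changelog(changelog)
    addressed: List[str] = []
    investigate: List[str] = []
    for cve in sorted({c.upper() for c in flagged}):
        (addressed if cve in mentioned else investigate).append(cve)
    return {"addressed": addressed, "investigate": investigate}


if __name__ == "__main__":
    # Ids a passive scan might flag against the advertised version 2.4.6 (constructed).
    flagged = ["CVE-2099-0001", "cve-2099-0003", "CVE-2099-0009"]
    for bucket, ids in triage(flagged, SAMPLE_CHANGELOG).items():
        print(f"{bucket}: {', '.join(ids) or '(none)'}")
```

In practice, feed the output of `rpm -q --changelog <package>` or `apt-get changelog <package>` to `triage()`. A changelog mention is evidence rather than proof, so read the entry itself before marking the risk as ignored.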