Ticket
Resolution: Done
Priority: Normal
Sprint: CY24Q4-S2, CY24Q4-S3
Looking at the image registry.access.redhat.com/ubi9/python-311:9.5-1733172699, we can see that it contains two Python RPMs from which the following setuptools packages were installed:
package: /usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info, RPM: python3.11-setuptools-65.5.1-3.el9.noarch
package: /usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info, RPM: python3-setuptools-53.0.0-13.el9.noarch
We can confirm which files were installed from those RPMs by running:
rpm -ql python3.11-setuptools-65.5.1-3.el9.noarch | grep "/usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info"
rpm -ql python3-setuptools-53.0.0-13.el9.noarch | grep "/usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info"
However, another setuptools copy is installed in that image under /opt/app-root/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/.
This path was not installed by either RPM; it was created as part of a venv installation executed by the following Dockerfile RUN command:
RUN python3.11 -m venv ${APP_ROOT} && ${APP_ROOT}/bin/pip install /opt/wheels/pip* && rm -r /opt/wheels && chown -R 1001:0 ${APP_ROOT} && fix-permissions ${APP_ROOT} -P && rpm-file-permissions && echo "unset BASH_ENV PROMPT_COMMAND ENV" >> ${APP_ROOT}/bin/activate
ENV BASH_ENV="${APP_ROOT}/
The upstream Python vulnerability advisory says setuptools is vulnerable below 70.0.0.
Red Hat's advisory, however, says both RPM versions are fixed on RHEL 9.
The problem is that we can exclude third-party vulnerabilities based on the Red Hat feed only when we can tell for sure that the package was installed from a specific RPM. The setuptools under /opt/app-root/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/ did not come from an RPM but from a separate venv installation. So the question is: what is the expected behavior in this specific case, and in the general case of finding a package that matches one shipped by an RPM but was not installed from that RPM?
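As an added example (not code from the ticket or from any scanner), the check below implements the decision rule described above: a dist-info directory is matched against the `rpm -ql` file lists of the installed RPMs; if an RPM owns it, the vendor (Red Hat) advisory is the authority, otherwise the upstream version range applies. The RPM_FILES mapping is a constructed sample standing in for real `rpm -ql` output, and the 70.0.0 bound is the upstream fixed version quoted in the ticket.

```python
"""Decide which advisory feed applies to an installed Python dist-info dir."""
from pathlib import PurePosixPath
import subprocess

# Constructed sample of `rpm -ql` output for the two RPMs named in the ticket.
RPM_FILES = {
    "python3.11-setuptools-65.5.1-3.el9.noarch": [
        "/usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info",
        "/usr/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/METADATA",
        "/usr/lib/python3.11/site-packages/setuptools/__init__.py",
    ],
    "python3-setuptools-53.0.0-13.el9.noarch": [
        "/usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info",
        "/usr/lib/python3.9/site-packages/setuptools-53.0.0.dist-info/METADATA",
    ],
}

UPSTREAM_FIXED = (70, 0, 0)  # first fixed version per the upstream advisory


def live_rpm_files(rpm_name):
    """On a real RHEL/UBI host, build the file list from `rpm -ql` (not used offline)."""
    out = subprocess.run(["rpm", "-ql", rpm_name], capture_output=True, text=True, check=True)
    return out.stdout.split()


def owning_rpm(dist_info, rpm_files=RPM_FILES):
    """Return the RPM whose file list contains this dist-info dir, or None (e.g. a venv copy)."""
    target = PurePosixPath(dist_info)  # normalises a trailing slash away
    for rpm, files in rpm_files.items():
        if any(PurePosixPath(f) == target for f in files):
            return rpm
    return None


def dist_info_version(dist_info):
    """Parse 'setuptools-65.5.1.dist-info' into (65, 5, 1)."""
    name = PurePosixPath(dist_info).name.removesuffix(".dist-info")
    return tuple(int(p) for p in name.split("-", 1)[1].split("."))


def assess(dist_info, rpm_files=RPM_FILES):
    """Vendor feed decides RPM-owned copies; upstream range decides unowned copies."""
    rpm = owning_rpm(dist_info, rpm_files)
    if rpm is not None:
        return {"owner": rpm, "feed": "vendor", "vulnerable": None}  # defer to vendor advisory
    vulnerable = dist_info_version(dist_info) < UPSTREAM_FIXED
    return {"owner": None, "feed": "upstream", "vulnerable": vulnerable}
```

Run against the two paths from the ticket, the /usr/lib copy resolves to its RPM and defers to the Red Hat feed, while the /opt/app-root copy is unowned and is flagged by the upstream range.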