You are using a community release. Community releases are "developer friendly". About the only security-related consideration for the community edition is that by default it connects to localhost, thus it will accept only traffic from that same PC. If you change that, then you have to lock it down. So the fact that there are security alerts is expected for a community release.
The EAP releases, on the other hand, are locked down out-of-the-box. If a security scanner finds problems with that, then I suspect the EAP team would want to hear about it.