The simple fact is that all automated web application scanning tools have a trade-off between false positives (flagging an issue when it's not present) and false negatives (not flagging an issue that is present) and they have to make a balance between the two as part of the product development.
The way issues like the one you describe are generally coded is to make the request for directory traversal to /etc/passwd and then string match in the response for things which would commonly be present in a passwd file.
So a naive approach might be to look for things like root, which could be the root user in a passwd file, but could obviously also occur in other files.
To address that, the scanner can match more precise strings, but then it risks missing the finding if the string isn't exactly in the passwd file, so then it can assign probabilities to several sets of strings and decide at what level of probability to report the issue.
At the end of the day scanning is not 100% precise for all issues, which is why security testers are still in a job ...
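The trade-off described in this answer, as an added sketch that is not code from the answer or from any real scanner: a naive match, a strict match and a weighted score are run over three response bodies. The indicator set, weights, threshold and sample responses are constructed assumptions.

```python
import re

# One passwd(5) record: name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)
UID0_RECORD = re.compile(r"^[^:\n]+:[^:\n]*:0:0:", re.M)

# (description, check, weight); weights are illustrative assumptions
INDICATORS = [
    ("mentions 'root'",        lambda b: "root" in b,                        0.05),
    ("exact 'root:x:0:0:'",    lambda b: "root:x:0:0:" in b,                 0.45),
    ("some UID 0 / GID 0 row", lambda b: UID0_RECORD.search(b) is not None,  0.25),
    ("3+ well-formed records", lambda b: len(PASSWD_LINE.findall(b)) >= 3,   0.25),
]
REPORT_THRESHOLD = 0.5  # assumed cut-off for reporting a finding

def score(body):
    """Sum the weights of every indicator present in the response body."""
    return round(sum(w for _, check, w in INDICATORS if check(body)), 2)

def naive_match(body):     # flags any page that mentions root
    return "root" in body

def strict_match(body):    # flags only one exact spelling of the root record
    return "root:x:0:0:" in body

def weighted_match(body):  # reports once enough evidence accumulates
    return score(body) >= REPORT_THRESHOLD

# Constructed sample responses
LINUX_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
BSD_PASSWD = ("root:*:0:0:Charlie &:/root:/bin/csh\n"
              "toor:*:0:0:Bourne-again Superuser:/root:\n"
              "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\n")
HELP_PAGE = "<p>Log in as root and edit the crontab. Format: min:hour:day</p>"

if __name__ == "__main__":
    for name, body in [("linux passwd", LINUX_PASSWD),
                       ("bsd passwd", BSD_PASSWD),
                       ("help page", HELP_PAGE)]:
        print(f"{name:13} naive={naive_match(body)!s:5} "
              f"strict={strict_match(body)!s:5} "
              f"score={score(body):.2f} report={weighted_match(body)}")
```

The help page is the naive matcher's false positive, and the BSD-style file is the strict matcher's false negative; the weighted score reports both passwd files and not the help page, but only for the weights and threshold chosen here.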