I'm seeing warnings for PGP keys that should be perfectly fine.

Take for example my own key:
gpg --recv-key FE73757FA60E4E21B937579FA5880072BBB51E42

If you export it with ascii armor it's perfectly fine:
gpg --export --armor FE73757FA60E4E21B937579FA5880072BBB51E42 > foo.asc
roca-detect foo.asc

However if you take the non-ascii-armor version:
gpg --export FE73757FA60E4E21B937579FA5880072BBB51E42 > foo
roca-detect foo
2017-10-16 22:26:18 [17716] WARNING Fingerprint found in modulus foo idx 237
{"type": "mod-hex", "fname": "foo", "idx": 237, "aux": null, "n": "0x1", "marked": true, "time_years": -1, "price_aws_c4": -1}
2017-10-16 22:26:18 [17716] WARNING Fingerprint found in modulus foo idx 237
{"type": "mod-dec", "fname": "foo", "idx": 237, "aux": null, "n": "0x1", "marked": true, "time_years": -1, "price_aws_c4": -1}

My guess is that it's not properly detecting the pgp key format and interpreting the key as something else which triggers the warning. In any case: I'm 100% sure this key was generated with gpg itself and not any infineon chip, so it can't be vulnerable (unless gpg suffers from the same vuln in some strange way).

For PGP key detection you need ASCII Armored key.

If you don't use that roca has autodetection for several formats and here apparently fallbacks to raw modulus detection. JSON output shows "n": "0x1" meaning detected RSA modulus is 1 which would be considered vulnerable which is not your real modulus I suppose :)