Some internal accounts are created in PXC 8.0.x for XtraBackup.
The last one is generated with no password.
The mysql.pxc.sst.role is the MySQL role that provides the privileges needed for XtraBackup. This allows for easy addition/removal of privileges needed for an SST.
So this account is triggering an alert by "MySQL Empty Password" check.
mysql.pxc.sst.role user has to be excluded as a false positive from this check.
Note we should not just "ignore these users" but see if we can incorporate a check to ignore users with blank passwords that are locked... that way if the user account is inadvertantly unlocked it WILL alert...and WILL be a security issue.