Does assert methods needed in @testSetup?

No, you don't need to include Asserts in @TestSetup methods.

You could make a note of the fact that this is such a method in your False Positives document that should accompany the security scan results though.

I don't think we actually even do that any more as the security team will be familiar with this scan result, but as a best practice, I don't see the harm in including a note in the False Positive doc.

Note: If you really did want to make your code look super stunning great, I guess, after @testSetup you could "query" back any inserted data and assert that the correct number of rows now existed?! There's a thought.

The missing assert rule for Checkmarx is a quality rule, not a security rule. Quality rules are not relevant for the security review -- you can run the scan to be security rules only if you want.

Also this issue is a false positive and will be addressed in the next release of the scanner (3.2).