Nix-Security-WG / nix-local-security-scanner

Reports on which security advisories may be relevant for a given system or derivation
MIT License

False positive: CVE-2023-3341 (and 7 more) in bind #11

Open raboof opened 11 months ago

raboof commented 11 months ago

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports CVE-2023-3341 in bind.

This is a false positive, because this image is not actually using the bind daemon, but the 'host' utility from the 'bind' derivation.

So likely we should fix this with Nix-Security-WG/nix-security-tracker#184. This will require some work on the inventory collection, as our current inventory does not expose which output of a derivation has the dependency on a component.
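To illustrate what an output-aware inventory would give the scanner, here is an added example (not code from nix-local-security-scanner or nix-security-tracker). It assumes the Nix store naming convention that a non-default output's store path ends in `-<output>` while the default `out` output has no suffix, assumes bind's output set (`lib`, `dev`, `man`, `dnsutils`, `host`) and that the `named` daemon lives in `out`, and uses constructed store paths and a placeholder advisory rather than real hashes or a real second CVE. With that granularity, a closure that only references bind's `host` and `lib` outputs no longer triggers a daemon-only advisory:

```python
import re
from typing import Dict, List, Set

# Nix store path: /nix/store/<32-char hash>-<name>; the hash alphabet is Nix base32.
STORE_PATH = re.compile(r"^/nix/store/[0-9a-z]{32}-(?P<name>.+)$")
# Split "<pname>-<version>" at the first '-' followed by a digit (Nix's parseDrvName rule).
NAME_VERSION = re.compile(r"^(?P<pname>.+?)-(?P<version>[0-9].*)$")

# Assumption: non-default outputs of the bind derivation. "out" has no suffix in the path.
KNOWN_OUTPUTS: Dict[str, Set[str]] = {
    "bind": {"lib", "dev", "man", "dnsutils", "host"},
}

# Constructed closure (fake hashes): this system pulls in only bind's host tool and library.
SAMPLE_CLOSURE = [
    "/nix/store/" + "a" * 32 + "-bind-9.18.0-host",
    "/nix/store/" + "b" * 32 + "-bind-9.18.0-lib",
    "/nix/store/" + "c" * 32 + "-openssl-3.0.0",
]

# Constructed advisory records. Assumption: CVE-2023-3341 affects the named daemon in "out";
# the second entry is a placeholder standing in for an advisory against the library output.
SAMPLE_ADVISORIES = [
    {"id": "CVE-2023-3341", "pname": "bind", "affected_outputs": {"out"}},
    {"id": "PLACEHOLDER-lib-advisory", "pname": "bind", "affected_outputs": {"lib"}},
]


def parse_store_path(path: str):
    """Return (pname, version, output) for a store path, recognising known output suffixes."""
    m = STORE_PATH.match(path)
    if not m:
        raise ValueError(f"not a store path: {path}")
    name = m.group("name")
    pname_version, output = name, "out"
    # Longest suffix first so e.g. "-dnsutils" is never mistaken for a shorter output name.
    all_outputs = {o for outs in KNOWN_OUTPUTS.values() for o in outs}
    for out in sorted(all_outputs, key=len, reverse=True):
        if name.endswith("-" + out):
            pname_version, output = name[: -(len(out) + 1)], out
            break
    nv = NAME_VERSION.match(pname_version)
    pname, version = (nv.group("pname"), nv.group("version")) if nv else (pname_version, "")
    # Only trust the suffix as an output name if this package actually declares it.
    if output != "out" and output not in KNOWN_OUTPUTS.get(pname, set()):
        return pname_version if not nv else pname, version, "out"
    return pname, version, output


def build_inventory(closure: List[str]) -> Dict[str, Set[str]]:
    """Map each package name to the set of its outputs referenced by the closure."""
    inventory: Dict[str, Set[str]] = {}
    for path in closure:
        pname, _version, output = parse_store_path(path)
        inventory.setdefault(pname, set()).add(output)
    return inventory


def relevant_advisories(closure: List[str], advisories: List[dict]) -> List[str]:
    """Report an advisory only when one of its affected outputs is actually in the closure."""
    inventory = build_inventory(closure)
    hits = []
    for adv in advisories:
        used = inventory.get(adv["pname"], set())
        if used & adv["affected_outputs"]:
            hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    print(build_inventory(SAMPLE_CLOSURE))
    print(relevant_advisories(SAMPLE_CLOSURE, SAMPLE_ADVISORIES))
```

The matching step is deliberately conservative: an advisory with no `affected_outputs` mapping would still have to be treated as affecting every output, so the per-output attribution has to come from the advisory side (the tracker) as well as from the inventory side (the scanner).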