Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/736a64d37eaddec5f6621f067782f2cbc8e40a73, it reports CVE-2023-3576 in libtiff.
The problem is the version range in the CVE is wrong: it says all versions are affected, while in fact this issue was fixed in 4.5.1.
The best way to solve this issue would probably be to ingest the NVD feed, as https://nvd.nist.gov/vuln/detail/CVE-2023-3576 correctly has the version range as 'affected up to 4.5.1' (Nix-Security-WG/nix-local-security-scanner#47).
GHSA does not have this improved data yet at the time of writing this issue (https://github.com/advisories/GHSA-qfgr-f5j7-2xxf).
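The false positive described above, as an added example that is not part of the original issue or the scanner's own code: a matcher that checks a package version against the ranges from several feeds and prefers a range with an upper bound over an unbounded one. The record layout, the function names and the sample records are hypothetical; the bound keys follow NVD's `versionEndExcluding` style, and treating 4.5.1 as an exclusive bound is an assumption based on the issue's statement that the fix is in 4.5.1.

```python
# Added illustration; record layout and helper names are hypothetical.
import re


def parse_version(v):
    """Turn '4.5.1' into (4, 5, 1); trailing zeros are dropped so 4.5 == 4.5.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, rng):
    """Check one version against one range; an empty range means all versions."""
    v = parse_version(version)
    checks = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(parse_version(rng[key])) for key, ok in checks if key in rng)


def effective_ranges(records):
    """Use ranges that carry an upper bound; fall back to unbounded ones
    only when no source provides a bound."""
    ranges = [r for rec in records for r in rec["ranges"]]
    bounded = [r for r in ranges if any(k.startswith("versionEnd") for k in r)]
    return bounded or ranges


def scan(version, records):
    """True if the version falls inside any effective range."""
    return any(is_affected(version, r) for r in effective_ranges(records))


# Constructed sample records for CVE-2023-3576 (not copied from any feed).
CVE_RECORD = {"source": "cve", "ranges": [{}]}  # no bounds: all versions
NVD_RECORD = {"source": "nvd",                  # assumed exclusive bound
              "ranges": [{"versionEndExcluding": "4.5.1"}]}

if __name__ == "__main__":
    for ver in ("4.5.0", "4.5.1"):
        print(ver, "CVE only:", scan(ver, [CVE_RECORD]),
              "| CVE + NVD:", scan(ver, [CVE_RECORD, NVD_RECORD]))
```

Preferring the bounded range is a policy choice: it removes this class of false positive, but a wrong bound in the preferred feed would hide a real match, so logging which source supplied the range helps when triaging.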