ci: vulnerability scan tweaks

- Replace config.json with nvd-clojure.edn.
- Bump dependency-check
- Increase nvd max retry count from 10 to 30. The idea here is that if
the NIST data feeds are struggling (as they happen to be now), more
retries might just allow us to successfully download and cache a db.
Subsequent runs would then use the cached db and avoid the costly
attempt to retry re-downloading the entire db again.

Author: lread

bb.edn

@@ -55,7 +55,7 @@
           :task (let [cp (with-out-str (clojure "-Spath"))]
                   (clojure {:dir "./nvd_check_helper_project"}
                            "-J-Dclojure.main.report=stderr -M -m nvd.task.check"
-                           "./config.json"
+                           "./nvd-clojure.edn"
                            cp))}
          pubcheck
          {:doc "run only publish checks (without publishing)"

nvd_check_helper_project/config.json

@@ -4,4 +4,4 @@
         #_:clj-kondo/ignore
         {:mvn/version "RELEASE"}
         ;; temporarily try bumping transitive dep to current release
-        org.owasp/dependency-check-core {:mvn/version "11.0.0"}}}
+        org.owasp/dependency-check-core {:mvn/version "11.1.0"}}}

nvd_check_helper_project/deps.edn

@@ -0,0 +1,3 @@
+{:delete-config? false
+ :nvd {:nvd-api {:max-retry-count 30}}
+ :suppression-file "./suppressions.xml"}