Fix dependency checks

.github/workflows/dependency-vulnerabilities.yml

@@ -52,4 +52,4 @@ jobs:
     - name: Check clojure dependencies with NVD
       env:
         NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
-      run: bin/clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :config-filename '".nvd-config.edn"' :classpath "\"$(../bin/clojure -Spath)\""
+      run: bin/clojure -J-Dclojure.main.report=stderr -Sdeps '{:deps {org.owasp/dependency-check-maven {:mvn/version "10.0.2"}}}' -Tnvd nvd.task/check :config-filename '".nvd-config.edn"' :classpath "\"$(bin/clojure -Spath)\""

.nvd-config.edn

@@ -0,0 +1,8 @@
+;;; SPDX-FileCopyrightText: 2024 Jomco B.V.
+;;; SPDX-FileCopyrightText: 2024 Topsector Logistiek
+;;; SPDX-FileContributor: Joost Diepenmaat <joost@jomco.nl
+;;; SPDX-FileContributor: Remco van 't Veer <remco@jomco.nl>
+;;;
+;;; SPDX-License-Identifier: AGPL-3.0-or-later
+
+{:suppression-file ".nvd-suppressions.xml"}

.nvd-suppressions.xml

@@ -0,0 +1,18 @@
+<!--
+SPDX-FileCopyrightText: 2024 Topsector Logistiek
+SPDX-FileCopyrightText: 2024 Jomco B.V.
+SPDX-FileContributor: Joost Diepenmaat <joost@jomco.nl>
+SPDX-FileContributor: Remco van 't Veer <remco@jomco.nl>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <!-- This is an automatically generated config file by nvd-clojure. -->
+  <!-- Feel free to tweak it, version-control it and remove any comment. -->
+  <!-- You can find suppression examples in https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
+      <suppress>
+        <notes>This is a vulnerability in clojure before 1.9.0, which we are not using</notes>
+        <cve>CVE-2017-20189</cve>
+    </suppress>
+</suppressions>