FYI, I raised a https://github.com/jeremylong/DependencyCheck/issues/6798 for the https://github.com/pedestal/pedestal/blob/b5de88e453b47c095f348f719f416dc463c42618/nvd_suppressions.xml#L14-L20.
Some tips for CI: the underlying data feeds have changed, they now
1. require a token
2. support downloading of vulnerability db changes only
3. are currently undergoing some stress so an entire vulnerability db can take a long time (up to 35m!)
4. item 2 reduces item 3 to under 2 minutes if you CI cache the vulnerability db

Also as of this writing https://github.com/rm-hull/nvd-clojure/issues/178, so you'll need to compensate, or you won't have any success.
My challenge was with the token itself, it seemed to get rejected. Haven't revisited this lately, may take another crack at it next week.
Thanks, I "temporarily" disabled the NVD checks a few months back because I was having trouble getting them to run under CI. I need to fix that as well!
We have set this up on clj-yaml and pomegranate, lemme know if you need a hand.