
DXCore - Implement OWASP Dependency Check for selected webapps


    • Type: Task
    • Resolution: Done
    • Priority: Major
    • 6.2
    • build / bundling
    • 2

      1. implement suppressions (false positives), likely through plugin configuration in parent POMs
      2. provide a default suppressionFile in the build-resources module
      3. also configure a project-specific location, so that projects can add more suppressions without requiring a parent POM re-release
      4. let's not bind the check goal to any phase yet
      5. for local runs: mvn dependency-check:check, typically mostly relevant in webapps
      6. for CI runs: add a separate pipeline step to magnoliaPacksPipeline, I believe, invoking the mvn command above
      7. add a report configuration for site generation, using the aggregate goal on the module parent (nice to have)
      8. estimate the load on CI from vulnerability database updates

      Initial research goal (fulfilled): estimate the initial effort to discard false positives such as the one mentioned in the CVE scans research log.
      => Suppressions may not be that hard, and on second look the amount of false positives seems manageable.
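
      The following is an added example of what items 1 to 7 above amount to in Maven terms; it is not Magnolia's actual parent POM or build-resources content. It shows a parent POM fragment configuring dependency-check-maven with two suppression files (a default one and a project-local one that child projects can edit without a parent release), the check goal left unbound to any phase so it only runs when invoked explicitly, the aggregate goal wired into site reporting, and a suppression file with one placeholder entry. The plugin version property, the property holding the default suppression file path, the project-local file name, the CVSS threshold and the CVE identifier are all placeholders; how the parent POM makes the build-resources file available on disk is assumed and not shown.

```xml
<!-- File: parent pom.xml (fragment, example only) -->
<project>
  <properties>
    <!-- Placeholder: pin the plugin version in one place. -->
    <dependency-check-maven.version>REPLACE_WITH_PLUGIN_VERSION</dependency-check-maven.version>
    <!-- Placeholder: path to the default suppression file shipped by build-resources.
         The mechanism that puts it on disk (e.g. unpacking the module) is not shown here. -->
    <dependency-check.default-suppressions>REPLACE_WITH_PATH/dependency-check-suppressions.xml</dependency-check.default-suppressions>
    <!-- Project-local file: child projects commit this file (an empty <suppressions/> is fine)
         and add entries without waiting for a parent POM re-release. -->
    <dependency-check.project-suppressions>${project.basedir}/dependency-check-suppressions.xml</dependency-check.project-suppressions>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check-maven.version}</version>
          <configuration>
            <!-- Both files are consulted; later entries do not override earlier ones,
                 they are simply additional suppressions. -->
            <suppressionFiles>
              <suppressionFile>${dependency-check.default-suppressions}</suppressionFile>
              <suppressionFile>${dependency-check.project-suppressions}</suppressionFile>
            </suppressionFiles>
            <!-- Placeholder threshold: fail the build only for findings at or above this CVSS score. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <formats>
              <format>HTML</format>
              <format>XML</format>
            </formats>
          </configuration>
          <!-- Deliberately no <executions>: the check goal is not bound to a phase,
               so it runs only via "mvn dependency-check:check" (locally or as a CI step). -->
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <!-- Site report using the aggregate goal on the module parent (the "nice to have"). -->
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check-maven.version}</version>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>

<!-- File: dependency-check-suppressions.xml (example only; identifiers are placeholders) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- Always record why the finding is a false positive and who decided it. -->
    <notes><![CDATA[
      Placeholder: the reported CVE concerns a different product whose CPE the
      analyzer matched on the artifact name; not applicable to this dependency.
    ]]></notes>
    <!-- Match narrowly: one group/artifact, any version, one CVE. Avoid suppressing
         by CPE alone, which silences every future CVE for that product. -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-artifact@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

      A child project then runs `mvn dependency-check:check` in its webapp module; on CI the same command is the separate pipeline step from item 6. For item 8, the plugin's `update-only` goal can be run once per pipeline against a shared `dataDirectory` so that the webapp checks reuse an already-updated database instead of each downloading it.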

        Acceptance criteria

              Assignee: Dai Ha (dai.ha)
              Reporter: Dai Ha (dai.ha)
              Votes: 0
              Watchers: 1



                    Time tracking:
                    Original estimate: not specified
                    Time spent: 3h
                    Remaining estimate: 1h