As discussed in this Zulip thread, we can do more to check for CVEs impacting dependencies in SciJava-based projects:
- Any build extending pom-scijava-base (either directly or indirectly via pom-scijava) should have an easily accessible build mode (goal, profile, whatever) for running the dependency-check-maven-plugin from org.owasp to check its dependency tree for security issues.
- Any BOM extending pom-scijava-base (notably pom-scijava, but not necessarily limited to that) should be able to invoke the dependency-check-maven-plugin on all managed components as well, not just active dependencies.
- Trickier are managed JAR components that wrap native code. It may be possible to catch some of them with the dependency-check-maven-plugin by ensuring all the scanning modes are enabled:

  ```xml
  <configuration>
    <assemblyAnalyzerEnabled>true</assemblyAnalyzerEnabled>
    <archiveAnalyzerEnabled>true</archiveAnalyzerEnabled>
    <jarAnalyzerEnabled>true</jarAnalyzerEnabled>
  </configuration>
  ```

  but it's imperfect at best.
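As an added example (not code from the thread or from the pom-scijava-base project), here is the shape of a profile a downstream pom could declare so that `mvn -Psecurity-check verify` runs the plugin's `check` goal with all three analyzers enabled and fails the build above a chosen CVSS score; the profile id, the `PLUGIN_VERSION` placeholder and the CVSS threshold are assumptions.

```xml
<!-- Assumed profile id; activate with: mvn -Psecurity-check verify -->
<profile>
  <id>security-check</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Placeholder: pin to the release you actually manage -->
        <version>PLUGIN_VERSION</version>
        <configuration>
          <!-- Enable every analyzer so wrapped native libs in JARs
               have the best chance of being matched -->
          <assemblyAnalyzerEnabled>true</assemblyAnalyzerEnabled>
          <archiveAnalyzerEnabled>true</archiveAnalyzerEnabled>
          <jarAnalyzerEnabled>true</jarAnalyzerEnabled>
          <!-- Assumed threshold: fail on HIGH/CRITICAL findings -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Test-only deps do not ship to users -->
          <skipTestScope>true</skipTestScope>
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
```

Keeping it in a profile means the NVD download and scan only run when a maintainer or CI job asks for it, so the default build stays unchanged.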
We do already use Dependabot on GitHub with both pom-scijava-base and pom-scijava, but it has not reported much of anything in recent years, so I wonder how effective those scans actually are.