note database location change
Signed-off-by: Sean Corfield <[email protected]>
seancorfield committed Aug 19, 2024
1 parent 71c21bc commit efe881e
Showing 1 changed file with 8 additions and 10 deletions.
18 changes: 8 additions & 10 deletions README.md
Expand Up @@ -40,8 +40,8 @@ clojure -M:clj-watson scan -p deps.edn
The first time it runs, it will download the entire vulnerability database, which
can take several minutes. Subsequent runs will be much faster.

> [!NOTE]
> The database is stored in the `/tmp/db/` folder (on macOS/Linux) - in case you ever need to delete that folder, if it looks like the database is corrupted.
> [!NOTE]
> The database is stored in your local Maven cache (on macOS/Linux, that's under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently) - in case you ever need to delete that folder, if it looks like the database is corrupted.
`clj-watson` can also be installed as a Clojure CLI tool:

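Review bot: the replacement `[!NOTE]` embeds two version numbers in the path (`dependency-check-utils/10.0.3` and `data/9.0`) that change whenever the DependencyCheck dependency is bumped, so this sentence goes stale on the next upgrade even with the "currently" hedge; consider pointing readers at the parent folder `~/.m2/repository/org/owasp/dependency-check-utils/` and saying the versioned subfolder matches the DependencyCheck version in use, or keep the exact path next to whatever pins that version so both get edited together. The move itself is worth one more clause: `/tmp` is shared by every local user, while the Maven cache is per-user, so the database that scan results depend on is now in a better place. The carried-over tail " - in case you ever need to delete that folder, if it looks like the database is corrupted" reads as two fragments; "delete that folder if the database looks corrupted" says the same thing in one.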
Expand Down Expand Up @@ -82,7 +82,7 @@ can be shortened to `:p` (matching the `-p` short form of `--deps-edn-path`).

[DependencyCheck](https://github.com/jeremylong/DependencyCheck) is the most
widely used method among the Clojure/Java SCA tools. It:
1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally under your `/tmp/db/` folder
1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally (inside your local Maven cache, under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently).
3. Scans JARs from dependencies specified in your `deps.edn`
4. Composes a [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe) based on your dependencies
5. Returns any matching vulnerabilities
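Review bot: the ordered list now reads `1.`, `3.`, `4.`, `5.` with no `2.`; Markdown renumbers from the first item so it renders correctly, but the source is confusing to edit, so renumber 1 through 4 (or use `1.` throughout). The replaced item is also the only one that ends with a full stop, and it repeats the same version-pinned Maven path as the `[!NOTE]` at line 40 of this file; state the path once and refer to it from here so the next version bump needs a single edit rather than two that can drift apart.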
Expand Down Expand Up @@ -129,7 +129,7 @@ clojure -J-Dnvd.api.key=<your key here> -Tclj-watson scan :p deps.edn
Replace `<your key here>` with your actual api key.

> [!CAUTION]
> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control.
> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control.
##### Via the `clj-watson.properties` File

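Review bot: the old and new lines of this hunk are identical in visible text, as are the hunks at lines 154, 233 and 329, so these are presumably trailing-whitespace or line-ending changes; they are unrelated to the commit message ("note database location change") and would be easier to review in a separate whitespace-only commit, or at least mentioned in the message. The `[!CAUTION]` itself is sound: a system property under `:jvm-opts` in a committed `deps.edn` puts the NVD API key into version control, and the safer alternatives the README already shows, passing `-J-Dnvd.api.key=...` on the command line as in the example just above, or the `clj-watson.properties` file covered in the next section kept outside the repository, could be named here so the caution points at a fix rather than only at the risk.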
Expand All @@ -154,7 +154,7 @@ Or:
clojure -Tclj-watson scan :p deps.edn :clj-watson-properties ./clj-watson.properties
```

> [!CAUTION]
> [!CAUTION]
> Be careful not to commit your key to version control.
### GitHub Advisory Database [experimental]
Expand Down Expand Up @@ -233,7 +233,7 @@ the `--suggest-fix` or `-s` option when running `clj-watson`.
# Installation

> [!IMPORTANT]
> You'll need to [setup your NVD API key](#nist-nvd-api).
> You'll need to [setup your NVD API key](#nist-nvd-api).
`clj-watson` can be installed as a Clojure CLI tool, as shown above. While
this is the easiest way to install the latest version and keep it up-to-date
Expand Down Expand Up @@ -315,9 +315,7 @@ its own `dependency-check.properties` file, and then look for a
additional properties to apply to the DependencyCheck scan.

If you provide `-d` (or `--dependency-check-properties`) then `clj-watson` will
load that file instead of its own `dependency-check.properties` file so it
needs to be a complete properties file, not just the properties you want to
override.
load that file instead of its own `dependency-check.properties` file.

If you provide `-w` (or `--clj-watson-properties`) then `clj-watson` will load
that file and apply those properties to the dependency-check scan. This is
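Review bot: dropping "so it needs to be a complete properties file, not just the properties you want to override" from the `-d` paragraph removes the one sentence that told readers `-d` replaces `clj-watson`'s own `dependency-check.properties` rather than layering on top of it, and nothing in this hunk or in the commit message ("note database location change") says the behaviour changed. Unless `-d` now merges, restore the qualifier, for example "load that file instead of its own `dependency-check.properties` file, so it must be a complete properties file." The contrast with the following paragraph, where `-w` is described as applying additional properties, is exactly what a user needs in order to pick the right flag.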
Expand All @@ -331,7 +329,7 @@ file, but it is recommended that you also provide the `-s` option so
`clj-watson` will try to suggest remediations for any vulnerabilities found.

> [!IMPORTANT]
> You'll need to first [setup your NVD API key](#nist-nvd-api).
> You'll need to first [setup your NVD API key](#nist-nvd-api).
```bash
clojure -M:clj-watson -p deps.edn

0 comments on commit efe881e