
@Pankraz76 Pankraz76 commented Aug 16, 2025

  • Have you signed the contributor license agreement?
  • Have you followed the contributor guidelines?
  • If submitting code, have you built your formula locally prior to submission with gradle check?
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed.
  • If submitting code, have you checked that your submission is for an OS and architecture that we support?
  • If you are submitting this code for a class then read our policy for that.

Should fail the build if there are too many open CVEs.

https://medium.com/appsecpractices/setting-up-owasp-dependency-check-in-gradle-project-2fc57841631b
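As an added illustration of the build gate the description asks for (this is not code from the PR or from the Elasticsearch build), the following is the shape of configuration the OWASP dependency-check Gradle plugin accepts. The plugin id, the `dependencyCheckAnalyze` task and the `failBuildOnCVSS`, `nvd.apiKey` and `suppressionFile` settings are the plugin's own (the `nvd` block assumes a recent plugin release); the CVSS threshold, the `NVD_API_KEY` environment variable name, the suppression file path and the version placeholder are assumptions chosen for this example.

```groovy
plugins {
    // Version placeholder: pin to a release you have vetted.
    id 'org.owasp.dependencycheck' version '<plugin version>'
}

dependencyCheck {
    // Fail the build when any dependency carries a finding at or above this CVSS score.
    // 7.0 (High) is an assumed threshold; choose one that matches your review process.
    failBuildOnCVSS = 7.0f

    // The log in this thread warns that no NVD API key was supplied; without one the
    // NVD data download is throttled. Reading it from the environment keeps the key
    // out of the build script. The variable name is an assumption.
    nvd {
        apiKey = System.getenv('NVD_API_KEY')
    }

    // Findings reviewed as false positives belong in a suppression file rather than
    // in a raised threshold. The path is an assumption.
    suppressionFile = 'gradle/dependency-check-suppressions.xml'
}
```

With this in place `./gradlew dependencyCheckAnalyze` exits non-zero when the threshold is crossed, which is what makes the gate enforceable in CI. Because the plugin reads `Task.project` at execution time, as the configuration-cache report in this thread shows, a build that has the configuration cache enabled would need to run this task with `--no-configuration-cache` until the plugin supports it.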

@elasticsearchmachine elasticsearchmachine added external-contributor Pull request authored by a developer outside the Elasticsearch team v9.2.0 labels Aug 16, 2025
@Pankraz76 (Author)

is this any good?

@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Aug 16, 2025
@Pankraz76 (Author)

> Task :dependencyCheckAnalyze
Verifying dependencies for project elasticsearch
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

> Task :dependencyCheckAnalyze FAILED

57 problems were found storing the configuration cache, 3 of which seem unique.
- Plugin class 'org.gradle.api.plugins.JavaBasePlugin': execution of task ':dependencyCheckAnalyze' caused invocation of 'Task.project' in other task at execution time which is unsupported.
  See https://docs.gradle.org/8.14.2/userguide/configuration_cache.html#config_cache:requirements:use_project_during_execution
- Task `:dependencyCheckAnalyze` of type `org.owasp.dependencycheck.gradle.tasks.Analyze`: cannot serialize object of type 'org.gradle.api.internal.project.DefaultProject', a subtype of 'org.gradle.api.Project', as these are not supported with the configuration cache.
  See https://docs.gradle.org/8.14.2/userguide/configuration_cache.html#config_cache:requirements:disallowed_types
- Task `:dependencyCheckAnalyze` of type `org.owasp.dependencycheck.gradle.tasks.Analyze`: invocation of 'Task.project' at execution time is unsupported.
  See https://docs.gradle.org/8.14.2/userguide/configuration_cache.html#config_cache:requirements:use_project_during_execution

See the complete report at file:///Users/vincent.potucek/IdeaProjects/elasticsearch/build/reports/configuration-cache/aawfmds2nb2u6mfu8wczvj4n/e5y9bj23tr9awk2ow820mgufs/configuration-cache-report.html

Execution failed for task ':dependencyCheckAnalyze'.
> 'boolean com.fasterxml.jackson.databind.util.NativeImageUtil.isInNativeImage()'

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
BUILD FAILED in 25m 49s
20 actionable tasks: 1 executed, 19 up-to-date
Configuration cache entry discarded with 57 problems.

@breskeby (Contributor)

Again, please don't open PRs just introducing new tooling. We have a CVE review process in place and do use the Snyk platform for this.

Furthermore, pasting stacktraces without any comments is not the clear upfront communication I asked for yesterday.

It seems the plug-in does not support the Gradle configuration cache, which we rely on more and more in our growing build.

@Pankraz76 (Author)

It seems the process is coming up short somehow, as there are CVEs in production.

@Pankraz76 (Author)

Here it's working, and on Spring, so it might be some good. Just to let you know.
