add gradle task, utilize dependency-check-core functions to check dependency vulnerabilities

Former-commit-id: bef42df0ed3869fbceb4fe3ec459228031554439

dependency-check-gradle/build.gradle

@@ -3,12 +3,16 @@ apply plugin: 'groovy'
 apply plugin: 'maven'
 
 repositories {
-     mavenCentral()
+    mavenCentral()
 }
 
 dependencies {
-    compile localGroovy()
-    compile gradleApi()
+    compile(
+            localGroovy(),
+            gradleApi(),
+            'org.owasp:dependency-check-core:1.2.10',
+            'org.owasp:dependency-check-utils:1.2.10'
+    )
 }
 
 group = 'com.tools.security'
@@ -17,7 +21,7 @@ version = '0.0.1'
 uploadArchives {
     repositories {
         mavenDeployer {
-            repository(url: uri('../repo'))
+            repository(url: uri('../../../repo'))
         }
     }
 }

dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy

@@ -1,5 +1,6 @@
-package com.tools.security.plugin;
+package com.tools.security.plugin
 
+import com.tools.security.tasks.DependencyCheckTask;
 import org.gradle.api.Plugin
 import org.gradle.api.Project
 import org.slf4j.Logger
@@ -11,6 +12,6 @@ class DependencyCheckGradlePlugin implements Plugin<Project> {
 
     @Override
     void apply(Project project) {
-
+        project.tasks.create("dependencyCheck", DependencyCheckTask)
     }
 }

dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy

@@ -0,0 +1,58 @@
+package com.tools.security.tasks
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+
+class DependencyCheckTask extends DefaultTask {
+
+    @TaskAction
+    def check() {
+        Settings.initialize()
+        def engine = new Engine()
+
+        verifyDependencies(engine)
+        analyzeDependencies(engine)
+        retrieveVulnerabilities(engine)
+        generateReport(engine)
+    }
+
+    def verifyDependencies(engine) {
+        logger.lifecycle("Verifying dependencies")
+        getAllDependencies(project).each { engine.scan(it) }
+    }
+
+    def analyzeDependencies(Engine engine) {
+        logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
+        engine.analyzeDependencies()
+    }
+
+    def retrieveVulnerabilities(Engine engine) {
+        def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+            dependency.getVulnerabilities()
+        }.flatten()
+
+        logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities")
+    }
+
+    def generateReport(Engine engine) {
+        logger.lifecycle("Generating report")
+        def reportGenerator = new ReportGenerator(project.getName(), engine.dependencies, engine.analyzers,
+                new CveDB().databaseProperties)
+        reportGenerator.generateReports("./reports", ReportGenerator.Format.ALL)
+    }
+
+    def getAllDependencies(project) {
+        return project.getConfigurations().collect { Configuration configuration ->
+            configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
+                artifact.getFile()
+            }
+        }.flatten();
+    }
+}

dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check-gradle.properties

@@ -0,0 +1 @@
+implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin

dependency-check-gradle/src/resources/META-INFO/gradle-plugins/DependencyCheckGradlePlugin.properties

@@ -1 +0,0 @@
-implementation-class=com.tools.security.gradle.DependencyCheckGradlePlugin