build: Add Dependency Check Gradle plugin

[usmansaleem]

PR description

Add Dependency Check Gradle plugin. See https://dependency-check.github.io/DependencyCheck/dependency-check-gradle/index.html for configuration details.

This PR supersedes #9155

Run dependency checks on all modules:

./gradlew dependencyCheckAggregate

The reports should be available in build/dependency-check directory of each module.

NVD API Key Highly Recommended

This task uses NVD API. It is highly encouraged to obtain an NVD API Key; see https://nvd.nist.gov/developers/request-an-api-key Without an NVD API Key dependency-check's updates will be extremely slow. Export NVD_API_KEY environment variable with appropriate key before running this task.

---

• TODO via separate PR: Integrate in Github workflow, possibly as a nightly job and as a pre-req of release job. Upload SARIF file via https://github.com/github/codeql-action/tree/v4/upload-sarif so that the changes are visible in Security tab.

• TODO via separate PR: Fix reported vulnerabilities - if any.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[jframe]

What's the sarif format needed for?

[usmansaleem]

SARIF format can be uploaded via GitHub action so that it appears in the "Security" tab.

[fab-10]

which dependency is pulling in 7.3.2?

[usmansaleem]

@fab-10 After introducing owasp dependency check plugin, it attempts to perform configuration analysis to determine all the jars which will be used by a module, this somehow results in web3j plugin to request a non-existent web3j core libraries version, such as 7.3.2. This is probably a bug in web3j plugin or in owasp plugin, however,the debug logs simply shows that shanghai module is requesting web3j core 7.3.2 and it doesn't exist in maven, hence the build errors out. Overriding like above solves the issue.

[fab-10]

not sure if it safe to suppress a check only because that code run only during the build time, it should depends on the specific vulnerability, because for example it could be that a vulnerability changes some source file and thus leak into runtime

[usmansaleem]

Fair point, We can try to override the fixed version of this library. I believe this library is resolved by the errorprone plugin during the build time.

[fab-10]

is this Web3J update required to be part of this PR?

[usmansaleem]

No it doesn't. I am going to revert it to previous version.

[fab-10]

Before going on we should understand why adding the dependency check plugin should not interfere with web3j resolution

[macfarla]

Before going on we should understand why adding the dependency check plugin should not interfere with web3j resolution

I asked in web3j discord, they had no clues https://discord.com/channels/905194001349627914/1195062053682032700/1435244486358990919

[usmansaleem]

Converted to draft. Will try to isolate the problem in a very simple project involving owasp plugin, web3j plugin and verification metadata enabled. @macfarla @fab-10