From d4f5e9b66d01d842ea26b0677b438d90fbe8be4b Mon Sep 17 00:00:00 2001
From: Mike Friesen
Date: Tue, 10 Mar 2026 20:47:57 -0500
Subject: [PATCH] Added OWASP Dependency Check conventions and updated to latest dependencies

---
 README.md | 1 +
 build.gradle | 21 ++++++----
 .../com/formkiq/gradle/JavaBasePlugin.java | 42 +++++++++++++++++++
 3 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 940ad25..ea002e8 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ Features:
 - SpotBugs (HTML reports, shared exclude filter)
 - Checkstyle (10.12.4, project-relative config)
 - Gradle Versions plugin
+- OWASP Dependency Check conventions
 - GraalVM Native plugin (FormKiQ)
 - Repositories: `mavenLocal`, `mavenCentral`, Sonatype snapshots (optional)
diff --git a/build.gradle b/build.gradle
index 718f39e..cdd0792 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,11 +1,13 @@
 plugins {
 id 'java-gradle-plugin'
-id "com.gradle.plugin-publish" version "2.0.0"
-id 'com.diffplug.spotless' version '7.2.1'
+id "com.gradle.plugin-publish" version "2.1.0"
+id 'com.diffplug.spotless' version '8.3.0'
+id 'org.owasp.dependencycheck' version '12.2.0'
+id "com.github.ben-manes.versions" version "0.53.0"
 }
 group 'com.formkiq.gradle'
-version '1.0.8'
+version '1.0.9'
 allprojects {
 apply plugin: 'com.diffplug.spotless'
@@ -17,14 +19,15 @@ repositories {
 }
 dependencies {
-implementation 'com.github.spotbugs:com.github.spotbugs.gradle.plugin:6.4.1'
-implementation 'com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:7.2.1'
-implementation 'com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.52.0'
-implementation 'com.formkiq.gradle.graalvm-native-plugin:com.formkiq.gradle.graalvm-native-plugin.gradle.plugin:1.7.6'
+implementation 'com.github.spotbugs:com.github.spotbugs.gradle.plugin:6.4.8'
+implementation 'com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.3.0'
+implementation 'com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.53.0'
+implementation 'com.formkiq.gradle.graalvm-native-plugin:com.formkiq.gradle.graalvm-native-plugin.gradle.plugin:1.7.7'
+implementation 'org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.2.0'
 // can use for local graalvm.native-plugin use
-// implementation "com.formkiq.gradle:graalvm-native-plugin:1.7.6"
-testImplementation platform("org.spockframework:spock-bom:2.3-groovy-4.0")
+// implementation "com.formkiq.gradle:graalvm-native-plugin:1.7.7"
+testImplementation platform("org.spockframework:spock-bom:2.4-groovy-5.0")
 testImplementation 'org.spockframework:spock-core'
 }
diff --git a/src/main/java/com/formkiq/gradle/JavaBasePlugin.java b/src/main/java/com/formkiq/gradle/JavaBasePlugin.java
index d8a4d2b..779e958 100644
--- a/src/main/java/com/formkiq/gradle/JavaBasePlugin.java
+++ b/src/main/java/com/formkiq/gradle/JavaBasePlugin.java
@@ -10,9 +10,14 @@ import org.gradle.api.tasks.compile.JavaCompile;
 import org.gradle.api.tasks.testing.Test;
 import org.gradle.jvm.toolchain.JavaLanguageVersion;
+import org.owasp.dependencycheck.gradle.extension.AnalyzerExtension;
+import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension;
+import java.util.Arrays;
+import java.util.List;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
 /**
 * {@link Plugin} for FormKiQ Gradle Conventions.
@@ -36,6 +41,7 @@ public void apply(Project root) {
 p.getPluginManager().apply("checkstyle");
 p.getPluginManager().apply("com.github.spotbugs");
 p.getPluginManager().apply("com.github.ben-manes.versions");
+p.getPluginManager().apply("org.owasp.dependencycheck");
 p.getPluginManager().apply("com.formkiq.gradle.graalvm-native-plugin");
 p.getPluginManager().apply("distribution");
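Review bot: The new `import java.util.List;` is inserted ahead of `import java.util.LinkedHashMap;`, which breaks the alphabetical order the existing `java.util` imports follow (`LinkedHashMap` sorts before `List`); move it to `import java.util.LinkedHashMap;` / `import java.util.List;` / `import java.util.Map;`. Spotless is applied to every project in build.gradle, so if an import-order rule is configured there this will be the first thing it flags.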
@@ -105,6 +111,42 @@ public void apply(Project root) {
 cs.setMaxErrors(0);
 });
+// OWASP Dependency Check
+p.getExtensions().configure(DependencyCheckExtension.class, dc -> {
+dc.setFormats(Arrays.asList("HTML", "JSON", "SARIF"));
+dc.setFailBuildOnCVSS(7.0f);
+dc.setScanConfigurations(Arrays.asList("runtimeClasspath"));
+dc.setSkipTestGroups(true);
+Object skipProjects = p.findProperty("dependencyCheckSkipProjects");
+if (skipProjects != null) {
+List projectPaths = Arrays.stream(skipProjects.toString().split(",")) .map(String::trim) .filter(s -> !s.isEmpty()) .collect(Collectors.toList());
+dc.setSkipProjects(projectPaths);
+}
+dc.analyzers((AnalyzerExtension analyzers) -> {
+analyzers.getNodeAudit().setEnabled(false);
+analyzers.setOssIndexEnabled(true);
+analyzers.ossIndex(ossIndex -> {
+Object ossIndexUsername = p.findProperty("ossIndexUsername");
+if (ossIndexUsername != null) {
+ossIndex.setUsername(ossIndexUsername.toString());
+}
+
+Object ossIndexPassword = p.findProperty("ossIndexPassword");
+if (ossIndexPassword != null) {
+ossIndex.setPassword(ossIndexPassword.toString());
+}
+});
+});
+
+Object nvdKey = p.findProperty("nvdKey");
+if (nvdKey != null) {
+dc.nvd(nvd -> nvd.setApiKey(nvdKey.toString()));
+}
+});
+
 // Compiler flags
 p.getTasks().withType(JavaCompile.class)
 .configureEach(jc -> jc.getOptions().getCompilerArgs().add("-Xlint:deprecation"));
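Review bot: `List projectPaths` is a raw type; the stream already yields `String`s and `setSkipProjects` presumably expects a `List<String>`, so declare it as `List<String> projectPaths = Arrays.stream(skipProjects.toString().split(","))` and drop the unchecked conversion. `dc.setFailBuildOnCVSS(7.0f)` is the one setting in this block that a consuming project cannot override through a property, and it only takes effect when `dependencyCheckAnalyze` actually runs; nothing in this hunk attaches that task to `check`, so unless it is wired elsewhere a plain `build` will pass with a high-severity finding, which is worth stating in the comment above `configure`. The OSS Index and NVD credentials are read from Gradle properties and never logged here, so a comment such as `// credentials come from ORG_GRADLE_PROJECT_* env vars or ~/.gradle/gradle.properties, not checked-in project files` above `Object nvdKey` would make the intended source explicit to consumers. The enclosing `apply(Project root)` method begins and ends outside the hunk.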