From 1b7ebd4841787f9e046ea56595862eeaace88f6b Mon Sep 17 00:00:00 2001 From: bpaunescu Date: Fri, 20 Oct 2017 17:58:15 +0100 Subject: [PATCH] CORDA-351: added dependency check plugin to gradle build script (#1911) * CORDA-351: added dependency check plugin to gradle build script * CORDA-351: Added suppression stub file with example * CORDA-351: added suppresionFile property --- .ci/dependency-checker/suppressedLibraries.xml | 14 ++++++++++++++ build.gradle | 8 ++++++++ 2 files changed, 22 insertions(+) create mode 100644 .ci/dependency-checker/suppressedLibraries.xml diff --git a/.ci/dependency-checker/suppressedLibraries.xml b/.ci/dependency-checker/suppressedLibraries.xml new file mode 100644 index 0000000000..1150abff87 --- /dev/null +++ b/.ci/dependency-checker/suppressedLibraries.xml @@ -0,0 +1,14 @@ + + + + + + diff --git a/build.gradle b/build.gradle index 295f38750f..0541f3fadf 100644 --- a/build.gradle +++ b/build.gradle @@ -45,6 +45,7 @@ buildscript { ext.rxjava_version = '1.2.4' ext.dokka_version = '0.9.14' ext.eddsa_version = '0.2.0' + ext.dependency_checker_version = '3.0.1' // Update 121 is required for ObjectInputFilter and at time of writing 131 was latest: ext.java8_minUpdateVersion = '131' @@ -67,6 +68,7 @@ buildscript { classpath "org.jetbrains.dokka:dokka-gradle-plugin:${dokka_version}" classpath "org.ajoberstar:grgit:1.1.0" classpath "net.i2p.crypto:eddsa:$eddsa_version" // Needed for ServiceIdentityGenerator in the build environment. + classpath "org.owasp:dependency-check-gradle:${dependency_checker_version}" } } @@ -101,7 +103,13 @@ allprojects { apply plugin: 'kotlin' apply plugin: 'java' apply plugin: 'jacoco' + apply plugin: 'org.owasp.dependencycheck' + dependencyCheck { + suppressionFile = '.ci/dependency-checker/suppressedLibraries.xml' + cveValidForHours = 1 + format = 'ALL' + } sourceCompatibility = 1.8 targetCompatibility = 1.8
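Review bot: The `dependencyCheck` block added under `allprojects` uses a relative `suppressionFile` path and sets no failure threshold, so the scan appears to be report-only. Because the block is applied to every subproject, anchoring the path to the root project, e.g. `suppressionFile = "${rootProject.projectDir}/.ci/dependency-checker/suppressedLibraries.xml"`, would stop a subproject from missing the suppressions depending on where the build is launched; how plugin 3.0.1 resolves the string is worth confirming. As far as I know `failBuildOnCVSS` defaults to a score no CVE can reach, so a vulnerable dependency will not break the build unless CI parses the reports; once the baseline is triaged, consider a team-chosen threshold such as `failBuildOnCVSS = 7`. `cveValidForHours = 1` makes most CI runs refresh the NVD data, which ties build reliability to that feed being reachable. The `allprojects` block continues outside the hunk.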