From d83e82b6ee81ffe4f894261ef320dc03a15fe82d Mon Sep 17 00:00:00 2001
From: Benoit Marty
Date: Fri, 6 Jan 2023 17:00:05 +0100
Subject: [PATCH] Set up dependency check plugin

---
 .github/workflows/quality.yml | 19 +++++++++++++++++++
 build.gradle.kts              |  5 +++++
 gradle/libs.versions.toml     |  2 ++
 3 files changed, 26 insertions(+)

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 2741638914..912e846642 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -44,3 +44,22 @@ jobs:
           DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}
           # Fallback for forks
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Gradle dependency analysis using https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin
+  dependency-analysis:
+    name: Dependency analysis
+    runs-on: ubuntu-latest
+    # Allow all jobs on main and develop. Just one per PR.
+    concurrency:
+      group: ${{ github.ref == 'refs/heads/main' && format('dep-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('dep-develop-{0}', github.sha) || format('dep-{0}', github.ref) }}
+      cancel-in-progress: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Dependency analysis
+        run: ./gradlew dependencyCheckAnalyze $CI_GRADLE_ARG_PROPERTIES
+      - name: Upload dependency analysis
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: dependency-analysis
+          path: build/reports/dependency-check-report.html
diff --git a/build.gradle.kts b/build.gradle.kts
index 2e4d8589ed..fa9822913a 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -25,6 +25,7 @@ plugins {
     alias(libs.plugins.anvil) apply false
     alias(libs.plugins.kotlin.jvm) apply false
     alias(libs.plugins.kapt) apply false
+    alias(libs.plugins.dependencycheck) apply false
     alias(libs.plugins.detekt)
     alias(libs.plugins.ktlint)
     alias(libs.plugins.dependencygraph)
@@ -102,4 +103,8 @@ allprojects {
             )
         )
     }
+    // Dependency check
+    apply {
+        plugin("org.owasp.dependencycheck")
+    }
 }
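Review bot: The run step invokes `dependencyCheckAnalyze`, which is the OWASP dependency-check task that the build.gradle.kts hunk of this patch applies, but the comment above the job points at autonomousapps' dependency-analysis plugin, a different tool (unused/misdeclared-dependency analysis, not a CVE scan); rewrite it as `# OWASP dependency-check: scans resolved dependencies for known CVEs (https://github.com/jeremylong/DependencyCheck)` so the next reader does not look for the wrong plugin. Because the plugin is applied under `allprojects`, each module presumably writes its own report under its own `build/reports`, so the upload path `build/reports/dependency-check-report.html` most likely captures only the root project's report; consider `run: ./gradlew dependencyCheckAggregate $CI_GRADLE_ARG_PROPERTIES`, which merges all modules into the root report, or widen the artifact path to `**/build/reports/dependency-check-report.html`. `$CI_GRADLE_ARG_PROPERTIES` is assumed to be defined at workflow level, outside this hunk. Both actions are pinned by tag (`@v3`); pinning to a full commit SHA would match the supply-chain intent of this job, although the other jobs in this file, outside the hunk, presumably use the same tags.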
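Review bot: Applying `org.owasp.dependencycheck` in `allprojects` without any configuration means findings only appear in the HTML report; as far as I recall the task does not fail the build by default, so CI stays green no matter what the scan finds and the job becomes informational only. Pair the `apply` with a `dependencyCheck { }` configuration block that sets `failBuildOnCVSS` to the lowest severity the team is willing to block on, e.g. `failBuildOnCVSS = 7.0f`, and a `suppressionFile` pointing at a tracked file such as `<PATH-TO-SUPPRESSIONS-XML>` so that accepted findings are documented with a reason rather than silently ignored. The comment `// Dependency check` would read better as `// OWASP dependency-check: scans resolved dependencies for known CVEs`, which also distinguishes it from the module-dependency-graph plugin listed in the plugins block above. The enclosing `allprojects` block starts outside this hunk.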
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 5860bbebd2..48a62cf20b 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -50,6 +50,7 @@ showkase = "1.0.0-beta14"
 compose_destinations = "1.7.23-beta"
 jsoup = "1.15.3"
 seismic = "1.0.3"
+dependencycheck = "7.4.2"
 
 # DI
 dagger = "2.43"
@@ -150,3 +151,4 @@ anvil = { id = "com.squareup.anvil", version.ref = "anvil" }
 detekt = { id = "io.gitlab.arturbosch.detekt", version.ref = "detekt" }
 ktlint = { id = "org.jlleitschuh.gradle.ktlint", version.ref = "ktlint" }
 dependencygraph = { id = "com.savvasdalkitsis.module-dependency-graph", version.ref = "dependencygraph" }
+dependencycheck = { id = "org.owasp.dependencycheck", version.ref = "dependencycheck" }