authorSimon Brandhof <simon.brandhof@sonarsource.com>2019-03-16 10:30:07 +0100
committerSonarTech <sonartech@sonarsource.com>2019-03-27 20:21:04 +0100
commit8e0777254fb78aaba0e1c0645ad945da1c2095f5 (patch)
tree3655feb869c8d7c6bfaad4b5d712ddd3998d6892
parent45fca78734dc2d8e02252ae0fadfd419b618632e (diff)
downloadsonarqube-8e0777254fb78aaba0e1c0645ad945da1c2095f5.tar.gz
sonarqube-8e0777254fb78aaba0e1c0645ad945da1c2095f5.zip
Document and upgrade Gradle plugins
-rw-r--r--README.md27
-rw-r--r--build.gradle35
2 files changed, 35 insertions, 27 deletions
diff --git a/README.md b/README.md
index 1ef2f1f7c1c..b874365af63 100644
--- a/README.md
+++ b/README.md
@@ -61,26 +61,17 @@ If the project has never been built, then build it as usual (see previous sectio
./gradlew ide
-Then simply open the root file `build.gradle` as a project in Intellij or Eclipse.
+Then open the root file `build.gradle` as a project in Intellij or Eclipse.
-### Find available updates of dependencies
+### Gradle Hints
-Execute from project base directory:
-
- ./gradlew dependencyUpdates
-
-### Update the files missing the license header
-
-Execute from project base directory:
-
- ./gradlew licenseFormat --rerun-tasks
-
-### List all dependencies
-
-Execute from project base directory:
-
- ./gradlew printDependencies
-
+| ./gradlew command | Description |
+|---|---|
+| `dependencies`| list dependencies |
+| `dependencyCheckAnalyze` | list vulnerable dependencies |
+| `dependencyUpdates` | list the dependencies that could be updated |
+| `licenseFormat --rerun-tasks` | fix source headers by applying HEADER.txt |
+| `wrapper --gradle-version 5.2.1` | upgrade wrapper |
License
-------
diff --git a/build.gradle b/build.gradle
index 8a6e42d37ae..4be44556c85 100644
--- a/build.gradle
+++ b/build.gradle
@@ -6,15 +6,16 @@ buildscript {
}
dependencies {
// Ordered alphabeticly to avoid duplication
- classpath 'com.github.ben-manes:gradle-versions-plugin:0.17.0'
+ classpath 'com.github.ben-manes:gradle-versions-plugin:0.21.0'
classpath 'com.github.jengelman.gradle.plugins:shadow:2.0.4'
classpath 'com.google.protobuf:protobuf-gradle-plugin:0.8.6'
classpath 'com.moowork.gradle:gradle-node-plugin:1.2.0'
- classpath "gradle.plugin.nl.javadude.gradle.plugins:license-gradle-plugin:0.14.0"
+ classpath 'gradle.plugin.nl.javadude.gradle.plugins:license-gradle-plugin:0.14.0'
classpath 'io.spring.gradle:dependency-management-plugin:1.0.4.RELEASE'
classpath 'net.rdrei.android.buildtimetracker:gradle-plugin:0.11.0'
classpath 'org.jfrog.buildinfo:build-info-extractor-gradle:4.7.5'
- classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.6.2'
+ classpath "org.owasp:dependency-check-gradle:4.0.2"
+ classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7'
}
}
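Review bot: The added `org.owasp:dependency-check-gradle:4.0.2` entry uses double quotes, while this same hunk converts the license-gradle-plugin line to single quotes and every other classpath entry uses them. No interpolation is needed, so `classpath 'org.owasp:dependency-check-gradle:4.0.2'` would keep the list uniform. The `buildscript` block starts above the hunk, so the repositories these plugins are resolved from are not visible here.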
@@ -43,7 +44,6 @@ sonarqube {
}
allprojects {
- apply plugin: 'com.github.ben-manes.versions'
apply plugin: 'com.jfrog.artifactory'
apply plugin: 'maven-publish'
@@ -75,18 +75,15 @@ allprojects {
}
}
}
-
- task printDependencies {
- dependsOn 'dependencies'
- }
}
subprojects {
- apply plugin: "com.github.hierynomus.license"
+ apply plugin: 'com.github.hierynomus.license'
apply plugin: 'io.spring.dependency-management'
apply plugin: 'java'
apply plugin: 'jacoco'
apply plugin: 'idea'
+ apply plugin: 'org.owasp.dependencycheck'
// do not deploy to Artifactory by default
artifactoryPublish.skip = true
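Review bot: `apply plugin: 'org.owasp.dependencycheck'` is added to `subprojects` with no `dependencyCheck { }` configuration visible in this diff, so by default `dependencyCheckAnalyze` only writes a report per module and does not fail the build on a vulnerable dependency. If the intent is to gate builds, a threshold such as `dependencyCheck { failBuildOnCVSS = 7 }` (value constructed for illustration) could sit next to the apply line. If it is meant to be report-only, a one-line comment saying so would help. Applying the plugin at the root as well and running `dependencyCheckAggregate` would give one consolidated report instead of one per subproject. The `subprojects` block continues past the end of the hunk.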
@@ -421,3 +418,23 @@ artifactory {
// The name of this variable is important because it's used by the delivery process when extracting version from Artifactory build info.
clientConfig.info.addEnvironmentProperty('PROJECT_VERSION', "${version}")
}
+
+// https://github.com/ben-manes/gradle-versions-plugin
+apply plugin: 'com.github.ben-manes.versions'
+// Exclude dev versions from the list of dependency upgrades, for
+// example to replace:
+// org.slf4j:log4j-over-slf4j [1.7.25 -> 1.8.0-beta4]
+// by
+// org.slf4j:log4j-over-slf4j [1.7.25 -> 1.7.26]
+dependencyUpdates.resolutionStrategy {
+ componentSelection { rules ->
+ rules.all { ComponentSelection selection ->
+ boolean rejected = ['alpha', 'beta', 'rc', 'cr', 'm', 'preview'].any { qualifier ->
+ selection.candidate.version ==~ /(?i).*[.-]${qualifier}[.\d-]*/
+ }
+ if (rejected) {
+ selection.reject('Development version')
+ }
+ }
+ }
+}
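Review bot: The reject pattern inside `rules.all` requires a `.` or `-` immediately before the qualifier, so pre-release versions written without a separator (constructed examples: `2.0.0rc1`, `1.0beta2`) are not rejected and would still be listed as upgrades. Allowing a digit in that position closes the gap: `selection.candidate.version ==~ /(?i).*[.\d-]${qualifier}[.\d-]*/`. Qualifiers outside the hard-coded list, such as `pr` or `ea`, also pass, so the comment above the block could note that the list is not exhaustive.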