finos / code-scanning

How to protect FINOS hosted projects from security threats and license compliance issues
Apache License 2.0

Changing Gradle cve scanning to work with dependency check #279

Closed josspo closed 1 year ago

josspo commented 1 year ago

Changing Gradle CVE Scanning action to work with dependency check and changing cron job to work manually

maoo commented 1 year ago

Hi @josspo , thanks for this PR!

When raising a PR, make sure that actions are not failing; as you can see above, the Action that you updated was executed and failed. If you click on the Details link, you'll easily find the cause - https://github.com/finos/security-scanning/actions/runs/5476487936/jobs/9974107616?pr=279#step:5:45

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '5.0': 

gradle-0.0.1.jar: CVE-2019-16370(5.9), CVE-2021-32751(7.5), CVE-2021-29429(5.5), CVE-2021-29428(7.8), CVE-2020-11979(7.5), CVE-2019-15052(9.8), CVE-2022-30586(7.2)
jquery-ui.min.js: CVE-2022-31160(6.1)
jszip.js: CVE-2022-48285(7.3)
jszip.min.js: CVE-2022-48285(7.3)

In fact, as you can see from the yaml file you updated, there is no place where you specify the suppress list of CVEs, which for gradle is defined in https://github.com/finos/security-scanning/blob/main/allow-list.xml

I'd suggest adding the --suppression ../allow-list.xml arg, see docs on https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

If this approach works, it could well be that it works for all other languages and systems documented in security-scanning! We'd still need to test it one by one though.

Thanks!
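As an added example (not code from the finos/security-scanning project or from anyone in this thread), the Python below models how a dependency-check suppression file interacts with the CVSS fail threshold the Action applies: it parses the flagged CVE lines quoted above together with a constructed allow-list written in dependency-check's suppression XML schema, then reports which findings would still fail the build at a given --failOnCVSS value. The suppression entries, their notes and the file-path regexes are assumptions (the project's real allow-list.xml is not reproduced on this page), and the matching logic is a simplified model of the tool's own rules, not the tool itself.

```python
"""Model of dependency-check's suppression list vs. a CVSS fail threshold.

Added example; not the finos/security-scanning project's code. The finding
lines are the ones printed by the failed Action in this thread; the
suppression XML is a constructed stand-in for allow-list.xml.
"""
import re
import xml.etree.ElementTree as ET

# Summary lines as printed by dependency-check when it fails the build
# (copied from the Action output quoted in the thread).
FINDINGS_TEXT = """\
gradle-0.0.1.jar: CVE-2019-16370(5.9), CVE-2021-32751(7.5), CVE-2021-29429(5.5), CVE-2021-29428(7.8), CVE-2020-11979(7.5), CVE-2019-15052(9.8), CVE-2022-30586(7.2)
jquery-ui.min.js: CVE-2022-31160(6.1)
jszip.js: CVE-2022-48285(7.3)
jszip.min.js: CVE-2022-48285(7.3)
"""

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed suppression file (hypothetical entries, NOT the project's real
# allow-list.xml). Each <suppress> pairs a file selector with the CVE ids it
# waives and a <notes> entry recording why, which is what a reviewer of the
# allow-list would expect to see.
SUPPRESSIONS_XML = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Constructed example: reviewed, vulnerable code path not reachable</notes>
    <filePath regex="true">.*gradle-0\.0\.1\.jar</filePath>
    <cve>CVE-2019-16370</cve>
    <cve>CVE-2021-29429</cve>
  </suppress>
  <suppress>
    <notes>Constructed example: jszip only present as a test fixture</notes>
    <filePath regex="true">.*jszip(\.min)?\.js</filePath>
    <cve>CVE-2022-48285</cve>
  </suppress>
</suppressions>
""".strip()

FINDING_RE = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")


def parse_findings(text):
    """Return [(file_name, cve_id, cvss_score)] from the CLI summary lines."""
    findings = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        file_name, rest = line.split(":", 1)
        for cve, score in FINDING_RE.findall(rest):
            findings.append((file_name.strip(), cve, float(score)))
    return findings


def parse_suppressions(xml_text):
    """Return rules as (file_path_regex_or_None, set_of_cve_ids, cvss_below_or_None).

    Simplified reading of the suppression schema: <filePath> selects the
    dependency, <cve> names the waived ids, <cvssBelow> waives low scores.
    """
    ns = {"s": NS}
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("s:suppress", ns):
        fp = sup.find("s:filePath", ns)
        path_re = None
        if fp is not None and fp.text:
            pattern = fp.text if fp.get("regex") == "true" else re.escape(fp.text)
            path_re = re.compile(pattern)
        cves = {c.text.strip() for c in sup.findall("s:cve", ns) if c.text}
        below = sup.find("s:cvssBelow", ns)
        cvss_below = float(below.text) if below is not None and below.text else None
        rules.append((path_re, cves, cvss_below))
    return rules


def rule_matches(rule, file_name, cve, score):
    """True if one <suppress> entry waives this finding (simplified model)."""
    path_re, cves, cvss_below = rule
    if path_re is not None and not path_re.fullmatch(file_name):
        return False
    if not cves and cvss_below is None:
        return True  # bare file selector: waives every finding on that file
    return cve in cves or (cvss_below is not None and score < cvss_below)


def remaining_findings(findings, rules, fail_on_cvss=5.0):
    """Findings that survive the allow-list AND reach the threshold.

    dependency-check fails the build when this list is non-empty; the 5.0
    default mirrors the threshold named in the Action's error message.
    """
    kept = []
    for file_name, cve, score in findings:
        if score < fail_on_cvss:
            continue
        if any(rule_matches(r, file_name, cve, score) for r in rules):
            continue
        kept.append((file_name, cve, score))
    return kept


if __name__ == "__main__":
    found = parse_findings(FINDINGS_TEXT)
    rules = parse_suppressions(SUPPRESSIONS_XML)
    left = remaining_findings(found, rules)
    print(f"{len(found)} findings, {len(found) - len(left)} suppressed, {len(left)} would fail the build:")
    for file_name, cve, score in left:
        print(f"  {file_name}: {cve} ({score})")
```

Run as-is it shows that the constructed allow-list waives four of the ten findings and six still fail at the 5.0 threshold, which is the situation maoo describes: a suppression list only helps once the workflow actually passes it to the tool, and every surviving finding above the threshold is still a build failure that someone has to either fix or justify in the allow-list.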

maoo commented 1 year ago

The Gradle check passes, well done @josspo and @TheJuanAndOnly99 !

I see that you removed the on: content, I think that was a mistake, right? Could you please restore it?

on:
  schedule:
    - cron: '0 8,18 * * 1-5'
  push:
    paths:
      - 'gradle/build.gradle'
      - 'allow-list.xml'
      - '.github/workflows/cve-scanning-gradle.yml'

Note that - 'allow-list.xml' should be replaced with - 'gradle/allow-list.xml'