
Build and Publishing improvements #402

Merged
merged 1 commit into from
Aug 22, 2024

Conversation

nightm4re94
Contributor

This PR updates some of the build and publishing configuration:

  • Update dependencies
  • Update Gradle wrapper to 8.9
  • Clean up publishing configuration. (Removed some explicit configuration implicitly added by com.gradle.plugin-publish already)
  • Simplify dependency management via version catalog. This centralizes version declarations and cleans up the build script.

…fy dependency management via version catalog.
Collaborator

@jeremylong jeremylong left a comment


LGTM

@jeremylong
Collaborator

Thanks for the PR!

@jeremylong jeremylong merged commit 181e774 into dependency-check:main Aug 22, 2024
2 checks passed
@jeremylong
Collaborator

FYI - I can't currently publish 10.0.4 due to how publishing is failing. The publishing will need to be updated or reverted.

@nightm4re94
Contributor Author

Sure, I'll gladly have a look - any further info / stacktrace etc. would be appreciated.

@jeremylong
Collaborator

I normally have been publishing to the plugin portal and central. In attempts to fix things yesterday I did publish to the plugin portal so that may be good enough. However, the error I was getting was:

> Task :signPluginPublicationPublication FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Some problems were found with the configuration of task ':signPluginPublicationPublication' (type 'Sign').
  - Gradle detected a problem with the following location: '/Users/jeremy/Projects/dependency-check-gradle/build/libs/dependency-check-gradle-10.0.4-javadoc.jar.asc'.
    
    Reason: Task ':publishPluginMavenPublicationToMavenRepository' uses this output of task ':signPluginPublicationPublication' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
    
    Possible solutions:
      1. Declare task ':signPluginPublicationPublication' as an input of ':publishPluginMavenPublicationToMavenRepository'.
      2. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#dependsOn.
      3. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#mustRunAfter.
    
    For more information, please refer to https://docs.gradle.org/8.9/userguide/validation_problems.html#implicit_dependency in the Gradle documentation.
  - Gradle detected a problem with the following location: '/Users/jeremy/Projects/dependency-check-gradle/build/libs/dependency-check-gradle-10.0.4-sources.jar.asc'.
    
    Reason: Task ':publishPluginMavenPublicationToMavenRepository' uses this output of task ':signPluginPublicationPublication' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
    
    Possible solutions:
      1. Declare task ':signPluginPublicationPublication' as an input of ':publishPluginMavenPublicationToMavenRepository'.
      2. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#dependsOn.
      3. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#mustRunAfter.
    
    For more information, please refer to https://docs.gradle.org/8.9/userguide/validation_problems.html#implicit_dependency in the Gradle documentation.
  - Gradle detected a problem with the following location: '/Users/jeremy/Projects/dependency-check-gradle/build/libs/dependency-check-gradle-10.0.4.jar.asc'.
    
    Reason: Task ':publishPluginMavenPublicationToMavenRepository' uses this output of task ':signPluginPublicationPublication' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
    
    Possible solutions:
      1. Declare task ':signPluginPublicationPublication' as an input of ':publishPluginMavenPublicationToMavenRepository'.
      2. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#dependsOn.
      3. Declare an explicit dependency on ':signPluginPublicationPublication' from ':publishPluginMavenPublicationToMavenRepository' using Task#mustRunAfter.
    
    For more information, please refer to https://docs.gradle.org/8.9/userguide/validation_problems.html#implicit_dependency in the Gradle documentation.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 14s
19 actionable tasks: 11 executed, 8 up-to-date

Yet simply adding publishPluginMavenPublicationToMavenRepository.dependsOn signPluginPublicationPublication doesn't work as the error indicates it should.

@jeremylong
Collaborator

Also just realized the way it was publishing to central was wrong. Maybe I'll just get rid of trying to publish to central.

@jeremylong
Collaborator

hm.. maybe I'm wrong as the gradle plugin is downloaded a ton from central:
image

@jeremylong
Collaborator

Testing some more, if I comment out the signing I'm able to get ./gradlew publishAllPublicationsToMavenRepository to work. However, it fails validation in central:

image

Specifically, it looks like it is publishing twice to central and the bottom plugin has a near empty pom.xml:

image

The referenced pom.xml contains:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.owasp.dependencycheck</groupId>
  <artifactId>org.owasp.dependencycheck.gradle.plugin</artifactId>
  <version>10.0.4</version>
  <packaging>pom</packaging>
  <name>OWASP dependency-check-gradle plugin</name>
  <description>A software composition analysis plugin that identifies known vulnerable dependencies used by the project.</description>
  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-gradle</artifactId>
      <version>10.0.4</version>
    </dependency>
  </dependencies>
</project>
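The POM quoted above has the shape of a Gradle plugin marker (artifactId `<plugin id>.gradle.plugin`, a single dependency on the real plugin artifact), and Maven Central's validation rejects any POM that lacks its required metadata (url, license, developer and scm information) regardless of how small the artifact is. The following pre-publish check is an added example, not code from the dependency-check project or from this thread: it parses the marker POM exactly as quoted, reports which of Central's required elements are missing, and separately checks a constructed `build/libs` listing for payload files that have no `.asc` signature beside them. The list of required elements reflects Sonatype's published Central requirements and is an assumption of this example, not something stated on the page.

```python
"""Pre-publish sanity checks for artifacts headed to Maven Central (added example)."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Element paths Maven Central requires in every published POM
# (assumption of this example, based on Sonatype's Central requirements).
REQUIRED_POM_ELEMENTS = (
    "groupId", "artifactId", "version", "packaging",
    "name", "description", "url",
    "licenses/license/name", "licenses/license/url",
    "developers/developer/name",
    "scm/connection", "scm/url",
)

# The plugin-marker POM quoted in the thread, embedded verbatim.
MARKER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.owasp.dependencycheck</groupId>
  <artifactId>org.owasp.dependencycheck.gradle.plugin</artifactId>
  <version>10.0.4</version>
  <packaging>pom</packaging>
  <name>OWASP dependency-check-gradle plugin</name>
  <description>A software composition analysis plugin that identifies known vulnerable dependencies used by the project.</description>
  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-gradle</artifactId>
      <version>10.0.4</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed directory listing modelled on the paths in the Gradle error output above.
SAMPLE_LIBS_DIR = [
    "dependency-check-gradle-10.0.4.jar",
    "dependency-check-gradle-10.0.4.jar.asc",
    "dependency-check-gradle-10.0.4-sources.jar",
    "dependency-check-gradle-10.0.4-sources.jar.asc",
    "dependency-check-gradle-10.0.4-javadoc.jar",   # constructed: signature missing
    "dependency-check-gradle-10.0.4.pom",           # constructed: signature missing
]


def _find(root, path):
    """Look up a slash-separated path, qualifying every step with the POM namespace."""
    qualified = "/".join("{%s}%s" % (POM_NS, step) for step in path.split("/"))
    return root.find(qualified)


def missing_pom_elements(pom_xml):
    """Return the required element paths that are absent or empty in the given POM."""
    root = ET.fromstring(pom_xml.strip())
    missing = []
    for path in REQUIRED_POM_ELEMENTS:
        node = _find(root, path)
        if node is None or not (node.text or "").strip():
            missing.append(path)
    return missing


def unsigned_artifacts(filenames):
    """Return payload files (jar/pom/module) that have no detached .asc signature next to them."""
    names = set(filenames)
    payload = [n for n in names if n.endswith((".jar", ".pom", ".module"))]
    return sorted(n for n in payload if n + ".asc" not in names)


if __name__ == "__main__":
    print("Missing POM elements:", missing_pom_elements(MARKER_POM))
    print("Unsigned artifacts:  ", unsigned_artifacts(SAMPLE_LIBS_DIR))
```

Running this against the quoted marker POM reports url, the license and developer entries, and both scm elements as missing, which matches the "near empty pom.xml" failing Central's validation; the signature check is the second thing a release gate would refuse on, since Central also rejects uploads whose payload files lack `.asc` signatures.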

@nightm4re94
Contributor Author

Thanks for the detailed insights.

Target Repository

When making these changes, my first instinct was also to just publish to the Gradle plugin portal and drop Maven Central publishing, which I didn't do due to the frequency of downloads from Maven Central. However, I suspect that for most consuming projects, Maven Central is chosen by one of these scenarios:

  1. The project is using buildscript classpath dependencies instead of the more recent plugins syntax to apply plugins. As this is the legacy way of doing things, I would also suspect that people just declare one repo for both their normal dependencies, and their plugins.
  2. Both the Maven Central Repo and the Gradle plugin portal are declared for plugin dependencies, but Maven Central is declared first so it takes precedence for the plugin as it is available in both repositories.

All in all, I would consider it a valid strategy to just publish to the Gradle Plugin Portal. If you're worried about legacy compatibility for versions that are only on Maven Central, but not the Gradle Plugin Portal: The Gradle Plugin Portal always delegates to JCenter (we'll see for how long :D) and Maven Central for things that aren't on the Plugin Portal. No need to declare multiple repositories here. In the end, only trying this out will yield a definitive answer. Maybe most projects consuming the plugin from Maven Central don't do so by design, but by implicit consequences of their plugin resolution setup, and the developers would have no problem at all if the plugin were published on the Plugin Portal only?!

Signing / Publishing

Sorry the signing is failing; this was unfortunately the part I couldn't verify without being you 😄
I am looking into the issue.
By the way, would you be open to having a GitHub action that uses repo secrets as signing credentials and automates the publishing? This might facilitate testing and iteration and could allow for snapshot builds more easily.

2 participants