Migrated from dependency-check/DependencyCheck#3213 by @JJLeitschuh
Describe the bug
The Gradle Plugin Author documentation states the following:
It’s important to understand that a Gradle plugin does not run in its own, isolated classloader. In turn those dependencies might conflict with other versions of the same library being resolved from other plugins and might lead to unexpected runtime behavior. When writing Gradle plugins consider if you really need a specific library or if you could just implement a simple method yourself. A future version of Gradle will introduce proper classpath isolation for plugins.
- https://docs.gradle.org/current/userguide/designing_gradle_plugins.html#minimizing_the_use_of_external_libraries
The DependencyCheck plugin pulls in quite a large dependency graph onto the build script classpath when applied.
```
\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.2
     \--- org.owasp:dependency-check-gradle:6.1.2
          +--- org.owasp:dependency-check-core:6.1.2
          |    +--- org.anarres.jdiagnostics:jdiagnostics:1.0.6
          |    +--- org.whitesource:pecoff4j:0.0.2.1
          |    +--- org.apache.commons:commons-jcs-core:2.2.1
          |    |    \--- commons-logging:commons-logging:1.2
          |    +--- com.github.package-url:packageurl-java:1.2.0
          |    +--- us.springett:cpe-parser:2.0.2
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- com.vdurmont:semver4j:3.1.0
          |    +--- org.slf4j:slf4j-api:1.7.30
          |    +--- org.owasp:dependency-check-utils:6.1.2
          |    |    +--- commons-io:commons-io:2.8.0
          |    |    +--- org.apache.commons:commons-lang3:3.12.0
          |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.2
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.2
          |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.12.2 (c)
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-core:2.12.2 (c)
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (c)
          |    |    |    |         \--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.2 (c)
          |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.2
          |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2 (*)
          |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2 (*)
          |    |    +--- commons-codec:commons-codec:1.15
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- commons-collections:commons-collections:3.2.2
          |    +--- org.apache.commons:commons-compress:1.20
          |    +--- commons-io:commons-io:2.8.0
          |    +--- org.apache.commons:commons-lang3:3.12.0
          |    +--- org.apache.commons:commons-text:1.9
          |    |    \--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
          |    +--- org.apache.lucene:lucene-core:8.8.1
          |    +--- org.apache.lucene:lucene-analyzers-common:8.8.1
          |    |    \--- org.apache.lucene:lucene-core:8.8.1
          |    +--- org.apache.lucene:lucene-queryparser:8.8.1
          |    |    +--- org.apache.lucene:lucene-core:8.8.1
          |    |    +--- org.apache.lucene:lucene-queries:8.8.1
          |    |    \--- org.apache.lucene:lucene-sandbox:8.8.1
          |    +--- org.apache.velocity:velocity-engine-core:2.2
          |    |    +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- com.h2database:h2:1.4.199
          |    +--- org.glassfish:javax.json:1.1.4
          |    +--- org.jsoup:jsoup:1.13.1
          |    +--- com.sun.mail:mailapi:1.6.5
          |    |    \--- com.sun.activation:jakarta.activation:1.2.1
          |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
          |    +--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.2
          |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.2 (*)
          |    |    \--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
          |    +--- com.h3xstream.retirejs:retirejs-core:3.0.2
          |    |    +--- org.json:json:20190722
          |    |    +--- com.esotericsoftware:minlog:1.3.1
          |    |    \--- com.github.spullara.mustache.java:compiler:0.9.6
          |    +--- org.sonatype.ossindex:ossindex-service-client:1.7.0
          |    |    +--- org.sonatype.ossindex:ossindex-service-api:1.7.0
          |    |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.12.2 (*)
          |    |    |    +--- com.google.guava:guava:29.0-android
          |    |    |    |    +--- com.google.guava:failureaccess:1.0.1
          |    |    |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
          |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
          |    |    |    |    +--- org.checkerframework:checker-compat-qual:2.5.5
          |    |    |    |    +--- com.google.errorprone:error_prone_annotations:2.3.4
          |    |    |    |    \--- com.google.j2objc:j2objc-annotations:1.3
          |    |    |    +--- javax.ws.rs:javax.ws.rs-api:2.0.1
          |    |    |    \--- org.sonatype.goodies:package-url-java:1.1.1
          |    |    +--- javax.inject:javax.inject:1
          |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    +--- org.slf4j:jcl-over-slf4j:1.7.28
          |    |    |    \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    +--- com.google.guava:guava:29.0-android (*)
          |    |    +--- joda-time:joda-time:2.10.4
          |    |    \--- com.google.code.gson:gson:2.8.5
          |    +--- com.google.guava:guava:[24.1.1,) -> 29.0-android (*)
          |    +--- com.moandjiezana.toml:toml4j:0.7.2
          |    |    \--- com.google.code.gson:gson:2.8.1 -> 2.8.5
          |    +--- com.hankcs:aho-corasick-double-array-trie:1.2.2
          |    +--- commons-validator:commons-validator:1.7
          |    |    +--- commons-beanutils:commons-beanutils:1.9.4
          |    |    |    +--- commons-logging:commons-logging:1.2
          |    |    |    \--- commons-collections:commons-collections:3.2.2
          |    |    +--- commons-digester:commons-digester:2.1
          |    |    +--- commons-logging:commons-logging:1.2
          |    |    \--- commons-collections:commons-collections:3.2.2
          |    \--- commons-beanutils:commons-beanutils:1.9.4 (*)
          +--- org.owasp:dependency-check-utils:6.1.2 (*)
          \--- net.gpedro.integrations.slack:slack-webhook:1.4.0
               \--- com.google.code.gson:gson:2.3.1 -> 2.8.5
```
Best practice is to move the logic of this plugin into a Gradle worker with an isolated/independent classpath. That way the dependencies for the core logic that this plugin provides are wholly isolated from other plugins applied to the build.
https://docs.gradle.org/current/userguide/worker_api.html
Using the Worker API, the org.owasp:dependency-check-core dependency can be resolved on an isolated Gradle configuration. Thus, org.owasp:dependency-check-core and its transitive dependencies will exist on an independent classpath that won't cause conflicts with other plugins.
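As an added illustration of the layout proposed above (this is not dependency-check-gradle's own code and was not part of the original report), the following minimal Gradle plugin in Java resolves org.owasp:dependency-check-core on a dedicated configuration and hands that classpath to a classloader-isolated worker. The plugin, task, configuration and work-action names are hypothetical; the Worker API calls (classLoaderIsolation, WorkQueue.submit, WorkAction, WorkParameters) are Gradle's public API; org.owasp.dependencycheck.Engine is the core library's entry-point class, looked up reflectively only to make the classloader boundary visible, and the actual scan is left out.

```java
import javax.inject.Inject;

import org.gradle.api.DefaultTask;
import org.gradle.api.GradleException;
import org.gradle.api.Plugin;
import org.gradle.api.Project;
import org.gradle.api.artifacts.Configuration;
import org.gradle.api.file.ConfigurableFileCollection;
import org.gradle.api.file.DirectoryProperty;
import org.gradle.api.tasks.Classpath;
import org.gradle.api.tasks.InputDirectory;
import org.gradle.api.tasks.TaskAction;
import org.gradle.workers.WorkAction;
import org.gradle.workers.WorkParameters;
import org.gradle.workers.WorkQueue;
import org.gradle.workers.WorkerExecutor;

// Hypothetical plugin (added illustration, not dependency-check-gradle's code).
public class IsolatedDependencyCheckPlugin implements Plugin<Project> {

    // Hypothetical configuration name. The analyzer graph is resolved here,
    // not on the build-script classpath that every other plugin shares.
    static final String WORKER_CONFIGURATION = "dependencyCheckWorker";

    @Override
    public void apply(Project project) {
        Configuration workerClasspath = project.getConfigurations().create(WORKER_CONFIGURATION);
        workerClasspath.setCanBeConsumed(false);
        workerClasspath.setCanBeResolved(true);
        // Version taken from the dependency tree in the report.
        project.getDependencies().add(WORKER_CONFIGURATION, "org.owasp:dependency-check-core:6.1.2");

        project.getTasks().register("isolatedDependencyCheck", IsolatedDependencyCheckTask.class, task -> {
            task.getWorkerClasspath().from(workerClasspath);
            task.getScanDir().set(project.getLayout().getProjectDirectory());
        });
    }

    public abstract static class IsolatedDependencyCheckTask extends DefaultTask {

        @Classpath
        public abstract ConfigurableFileCollection getWorkerClasspath();

        @InputDirectory
        public abstract DirectoryProperty getScanDir();

        @Inject
        public abstract WorkerExecutor getWorkerExecutor();

        @TaskAction
        public void analyze() {
            // classLoaderIsolation(): the work action runs in its own classloader
            // whose classpath is exactly the resolved configuration. processIsolation()
            // would additionally fork a separate JVM.
            WorkQueue queue = getWorkerExecutor().classLoaderIsolation(
                    spec -> spec.getClasspath().from(getWorkerClasspath()));
            queue.submit(AnalyzeWork.class, params -> params.getScanDir().set(getScanDir()));
        }
    }

    public interface AnalyzeParameters extends WorkParameters {
        DirectoryProperty getScanDir();
    }

    public abstract static class AnalyzeWork implements WorkAction<AnalyzeParameters> {
        @Override
        public void execute() {
            // Only here may core classes be referenced. The reflective lookup makes
            // the boundary visible: it succeeds in the worker and would fail in the
            // task above, which never sees the worker classpath.
            try {
                Class<?> engine = Class.forName("org.owasp.dependencycheck.Engine");
                System.out.println("dependency-check-core loaded by " + engine.getClassLoader()
                        + " for " + getParameters().getScanDir().get().getAsFile());
                // A real implementation would construct Engine here and scan the directory.
            } catch (ClassNotFoundException e) {
                throw new GradleException("dependency-check-core is not on the worker classpath", e);
            }
        }
    }
}
```

With this split the plugin artifact itself needs only the Gradle API at compile time, so a `./gradlew buildEnvironment` run would show just the plugin on the build-script classpath, and version conflicts between the analyzer's transitive dependencies (Jackson, Guava, Lucene, SLF4J in the tree above) and other plugins cannot arise.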
Version of dependency-check used
6.1.2
To Reproduce
Steps to reproduce the behavior:
- Apply the plugin
- Run `./gradlew buildEnvironment`