
Add owasp dependency check to the pipeline#348

Open
sigee wants to merge 1 commit into szpak:master from sigee:owasp-dependency-check

Conversation

@sigee (Contributor) commented Jul 23, 2023

Implemented the following feature request: #85

@szpak (Owner) commented Jul 23, 2023

Thanks @sigee. It is a good base to build on.

However, the scan itself does not immediately bring much value. Yes, we know there are some potential vulnerabilities (14) and maybe some of them could even be exploitable in our case. We would need to go through them and detect false positives (and things that cannot easily be changed, e.g. the Groovy version, which is taken from Gradle).
In addition, once we are in the state where 0 active vulnerabilities are found, we should probably fail the build if any new one is detected (especially in PRs). What's more, the check itself takes >3m. We could reduce it to just one selected pipeline version.

That said, currently I don't have a good vision of which of these should be done and in what form. Therefore, I propose that I think it over and we discuss it to reach a mergeable state for this PR.

@Vampire (Contributor) commented Jan 19, 2026

I'm not sure using that plugin is the best idea.
If so, you should at least get an NVD API key.
Without the NVD API key, the download is awfully slow; with it, it is better.
But then this should of course not be done on PRs that would not get the API key.
Maybe the GHA cache could be used to preserve the downloaded CVE data to spare the download time, especially for PR builds.

Also, just because the last master check was without a finding and the next PR run is with a finding does not mean that the PR introduced any new vulnerability.
It can simply be that in the meantime a new vulnerability was found.
So failing a PR build just because a CVE was found is maybe not the best idea, because it could be totally unrelated to the actual changes in the PR, and a contributor should not be forced to first update some dependencies to get their PR build green.

Also, an alternative to consider is to use the Gradle gradle/actions/dependency-submission action, which submits the dependencies to GitHub. That populates the Dependency Graph insights view and also enables Dependabot Alerts for vulnerabilities.
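The points raised in the thread (an NVD API key that is unavailable to PR builds, caching the downloaded NVD data, not failing PR builds on a newly published CVE, restricting the scan to one pipeline variant, and the dependency-submission alternative) can all be expressed in one GitHub Actions workflow. The workflow below is an added example written for this discussion; it is not part of the PR and not the project's own configuration. It assumes a repository secret named NVD_API_KEY, that the build script passes that environment variable to the dependency-check plugin's `nvd.apiKey` setting and sets `failBuildOnCVSS` so that findings fail the task, and that the plugin keeps its NVD data under `build/dependency-check-data` (the Gradle plugin's default data directory); adjust the paths and names if the project differs.

```yaml
# Added example workflow, not part of the PR or the project.
# Assumptions (see lead-in): secret NVD_API_KEY, build script wires
# NVD_API_KEY into dependencyCheck.nvd.apiKey and sets failBuildOnCVSS,
# NVD data lives in build/dependency-check-data.
name: dependency-scan

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: '0 4 * * 1'   # weekly: new CVEs surface without a code change

jobs:
  owasp-dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: gradle/actions/setup-gradle@v4

      # Reuse the NVD data between runs. Caches written on master are
      # restorable from PR builds, so a PR (which gets no API key) only
      # performs an incremental update instead of the slow full download.
      - uses: actions/cache@v4
        with:
          path: build/dependency-check-data
          key: nvd-data-${{ github.run_id }}
          restore-keys: |
            nvd-data-

      # One scan, on one JDK/pipeline variant; the main build matrix is untouched.
      - name: Run OWASP dependency-check
        env:
          # Empty on pull_request events from forks: secrets are not exposed there.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        # A finding on a PR is reported but does not fail the check, because the
        # CVE may simply have been published after the last green master run.
        # Master and scheduled runs still fail on findings.
        continue-on-error: ${{ github.event_name == 'pull_request' }}
        run: ./gradlew dependencyCheckAnalyze --no-daemon

  # Alternative/complement: let GitHub track the dependency graph and raise
  # Dependabot Alerts. Runs only on master, not on PR builds.
  dependency-submission:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    permissions:
      contents: write   # required to submit the dependency snapshot
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: gradle/actions/dependency-submission@v4
```

The cache key includes the run id so every run saves a fresh copy of the data directory, while `restore-keys` pulls the most recent one; `continue-on-error` keyed on the event name keeps the report visible on PRs without blocking contributors on unrelated CVEs.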
