🛡 Find a better alternative to dependabot !

[sbernard31]

Currently we are using dependabot to check if we depends of libraries affected by known vulnerabilities.

But there is some limitation, like not being able to check vulnerabilities on different branches.
(See https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3949 for more details )

So this issue aims to centralize research of using better open source alternative.

Without talking about tooling itself there is 3 approach :

1. The obvious way ? Checking dependencies only.
2. The more secure way ? Checking whole build file systems. (See : Add trivy for scanning vulnerabilities during PR #1546 (comment))
3. The more clean way ? Generate standard SBOM (SPDX and CycloneDX) then checking vulnerabilities from it and maybe later checking it with dash-licences. (See : Support for using an SBOM as input eclipse-dash/dash-licenses#191 (comment))

Result :

Alternative	Approach	Advantage	Drawback	PR
owasp - dependency-check-maven	Dependencies Check	✅ Maven integration	❌ Maven integration not so good with frontend-maven-plugin see jeremylong/DependencyCheck#6325	#1567
trivy	FileSystem Check	✅ Easy Jenkins or Github integration	❌ No maven Integration ❌ Only check compile scope dependency for pom.xml aquasecurity/trivy#5874	#1546 #1569
cyclonedx-maven-plugin + trivy	SBOM	✅ Easy Jenkins integration ✅ Full controll of SBOM content ✅ Maven tooling for SBOM generation ✅ Proper separating of concerns ✅ Prepare future about using eclipse-dash/dash-licenses#191 (comment)	❌ No maven Integration for vulnerability check ❌ No yarn tooling for SBOM generation yarnpkg/berry#6063	#1570

[sbernard31]

It seems that SBOM solution is better, so I integrated it in master and 1.x, jenkins build is available at : https://ci.eclipse.org/leshan/job/leshan-weekly/