Thanks for coming back so quickly.
The plugin is OWASP dependency check. https://github.com/jeremylong/dependency-check-gradle.
The reason I’m adding my own jar is to make a suppressions.xml file available. It means I can publish the xml file from one repo and make it available to all other repos.
The suppressions.xml file can be discovered from the classpath, but I can’t see how that is possible to add my dependency from the plugin configuration itself.