Merge pull request #1 from DependencyTrack/master

Update from dependency-track

.github/ISSUE_TEMPLATE/defect-report.yml

@@ -63,6 +63,7 @@ body:
     - 4.7.x
     - 4.8.0
     - 4.8.1
+    - 4.8.2
     - 4.9.0-SNAPSHOT
   validations:
     required: true

.run/Compose (w_ MSSQL).run.xml

@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="Compose (w/ MSSQL)" type="docker-deploy" factoryName="docker-compose.yml" server-name="Docker">
+    <deployment type="docker-compose.yml">
+      <settings>
+        <option name="envFilePath" value="" />
+        <option name="secondarySourceFiles">
+          <list>
+            <option value="dev/docker-compose.mssql.yml" />
+          </list>
+        </option>
+        <option name="sourceFilePath" value="dev/docker-compose.yml" />
+      </settings>
+    </deployment>
+    <method v="2" />
+  </configuration>
+</component>

.run/Compose (w_ Postgres).run.xml

@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="Compose (w/ Postgres)" type="docker-deploy" factoryName="docker-compose.yml" server-name="Docker">
+    <deployment type="docker-compose.yml">
+      <settings>
+        <option name="envFilePath" value="" />
+        <option name="secondarySourceFiles">
+          <list>
+            <option value="dev/docker-compose.postgres.yml" />
+          </list>
+        </option>
+        <option name="sourceFilePath" value="dev/docker-compose.yml" />
+      </settings>
+    </deployment>
+    <method v="2" />
+  </configuration>
+</component>

DEVELOPING.md

@@ -164,7 +164,7 @@ mirrored the NVD data, so there's no need to re-download it again.
 Prior to starting Dependency-Track, execute the `data-nist-generate-dummy.sh` script:
 
 ```shell
-./scripts/data-nist-generate-dummy.sh
+./dev/scripts/data-nist-generate-dummy.sh
 ```
 
 > **Note** 
@@ -175,7 +175,7 @@ When testing containerized deployments, simply mount the local directory contain
 NVD data into the container:
 
 ```shell
-./scripts/data-nist-generate-dummy.sh
+./dev/scripts/data-nist-generate-dummy.sh
 docker run -d --name dtrack \
   -v "$HOME/.dependency-track:/data/.dependency-track" \
   -p '127.0.0.1:8080:8080' dependencytrack/apiserver:snapshot
@@ -203,6 +203,8 @@ Now visit `http://127.0.0.1:8081` in your browser and use Dependency-Track as us
 
 ## Testing
 
+### Running unit tests
+
 To run all tests:
 
 ```shell
@@ -212,6 +214,52 @@ mvn clean verify -P enhance
 Depending on your machine, this will take roughly 10-30min. Unless you modified central parts of the application,
 starting single tests separately via IDE is a better choice. 
 
+### Testing manually
+
+We provide multiple Docker Compose files that can be used to quickly set up a local testing environment.  
+The files are located in the [`dev`](dev/) directory.
+
+#### With embedded H2 database
+
+The default [`docker-compose.yml`](dev/docker-compose.yml) will deploy a frontend and API server container using an 
+embedded H2 database.
+
+```shell
+cd dev
+docker compose up -d
+```
+
+#### With PostgreSQL database
+
+To use a PostgreSQL database instead of embedded H2, use [`docker-compose.postgres.yml`](dev/docker-compose.postgres.yml).
+
+```shell
+cd dev
+docker compose -f docker-compose.yml -f docker-compose.postgres.yml up -d
+```
+
+#### With Microsoft SQL Server database
+
+To use a Microsoft SQL Server database instead of embedded H2, use [`docker-compose.mssql.yml`](dev/docker-compose.mssql.yml).
+
+```shell
+cd dev
+docker compose -f docker-compose.yml -f docker-compose.mssql.yml up -d
+```
+
+#### With monitoring stack
+
+To deploy both Prometheus and Grafana, [`docker-compose.monitoring.yml`](dev/docker-compose.monitoring.yml) may be supplied to any
+of the commands listed above. For example:
+
+```shell
+cd dev
+docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.monitoring.yml up -d
+```
+
+Prometheus should automatically discover the API server's metrics. To visualize them, follow the instructions
+for setting up the sample Grafana dashboard in the [docs](https://docs.dependencytrack.org/getting-started/monitoring/#grafana-dashboard).
+
 ## DataNucleus Bytecode Enhancement
 
 Occasionally when running tests without Maven from within your IDE, you will run into failures due to exceptions
@@ -269,15 +317,15 @@ There is a lot going on in `docs`, but most of the time you'll want to spend you
 To build the docs, run:
 
 ```shell
-./scripts/docs-build.sh
+./dev/scripts/docs-build.sh
 ```
 
 This installs all required dependencies (among them Jekyll) to `docs/vendor/bundle`, generates the documentation
 website and stores it in `docs/_site`.
 
 For local development, you may want to run this instead: 
 ```shell
-./scripts/docs-dev.sh
+./dev/scripts/docs-dev.sh
 ```
 
 This will start a local webserver that listens on `127.0.0.1:4000` and rebuilds the site whenever you make changes.

dev/docker-compose.monitoring.yml

@@ -0,0 +1,63 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) Steve Springett. All Rights Reserved.
+services:
+  apiserver:
+    environment:
+      ALPINE_METRICS_ENABLED: "true"
+
+  prometheus:
+    image: prom/prometheus:v2.37.8
+    entrypoint: /bin/sh
+    command:
+    - -c
+    - >-
+      echo -e "$$PROMETHEUS_CONFIG_FILE" > /etc/prometheus/prometheus.yml;
+      /bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus
+    environment:
+      PROMETHEUS_CONFIG_FILE: |-
+        scrape_configs:
+        - job_name: dtrack-apiserver
+          scrape_interval: 15s
+          scheme: http
+          dns_sd_configs:
+          - names:
+            - apiserver
+            type: A
+            port: 8080
+    ports:
+    - "127.0.0.1:9090:9090"
+    volumes:
+    - "prometheus-data:/prometheus"
+    restart: unless-stopped
+
+  grafana:
+    image: grafana/grafana-oss:9.5.2
+    depends_on:
+    - prometheus
+    environment:
+      GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
+      GF_AUTH_ANONYMOUS_ENABLED: "true"
+      GF_AUTH_BASIC_ENABLED: "false"
+    ports:
+    - "127.0.0.1:3000:3000"
+    volumes:
+    - "grafana-data:/var/lib/grafana"
+    restart: unless-stopped
+
+volumes:
+  grafana-data: { }
+  prometheus-data: { }

dev/docker-compose.mssql.yml

@@ -0,0 +1,66 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) Steve Springett. All Rights Reserved.
+services:
+  apiserver:
+    depends_on:
+      mssql-init:
+        condition: service_completed_successfully
+    environment:
+      ALPINE_DATABASE_MODE: "external"
+      ALPINE_DATABASE_URL: "jdbc:sqlserver://mssql:1433;databaseName=dtrack;sendStringParametersAsUnicode=false;trustServerCertificate=true"
+      ALPINE_DATABASE_DRIVER: "com.microsoft.sqlserver.jdbc.SQLServerDriver"
+      ALPINE_DATABASE_USERNAME: "sa"
+      ALPINE_DATABASE_PASSWORD: "DTrack1234#"
+
+  mssql:
+    image: mcr.microsoft.com/mssql/server:2022-latest
+    platform: "linux/amd64" # arm64 is not supported
+    environment:
+      ACCEPT_EULA: "Y"
+      MSSQL_SA_PASSWORD: "DTrack1234#"
+    healthcheck:
+      test: /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "$$MSSQL_SA_PASSWORD" -Q "SELECT 1" -b -o /dev/null
+      interval: 15s
+      timeout: 3s
+      retries: 10
+      start_period: 10s
+    ports:
+    - "127.0.0.1:1433:1433"
+    volumes:
+    - "mssql-data:/var/opt/mssql"
+    restart: unless-stopped
+
+  mssql-init:
+    image: mcr.microsoft.com/mssql/server:2022-latest
+    platform: "linux/amd64" # arm64 is not supported
+    depends_on:
+      mssql:
+        condition: service_healthy
+    command:
+    - /opt/mssql-tools/bin/sqlcmd
+    - -S
+    - mssql
+    - -U
+    - sa
+    - -P
+    - DTrack1234#
+    - -Q
+    - CREATE DATABASE dtrack
+    restart: on-failure
+
+volumes:
+  mssql-data: { }

dev/docker-compose.postgres.yml

@@ -0,0 +1,41 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) Steve Springett. All Rights Reserved.
+services:
+  apiserver:
+    depends_on:
+    - postgres
+    environment:
+      ALPINE_DATABASE_MODE: "external"
+      ALPINE_DATABASE_URL: "jdbc:postgresql://postgres:5432/dtrack"
+      ALPINE_DATABASE_DRIVER: "org.postgresql.Driver"
+      ALPINE_DATABASE_USERNAME: "dtrack"
+      ALPINE_DATABASE_PASSWORD: "dtrack"
+
+  postgres:
+    image: postgres:14-alpine
+    environment:
+      POSTGRES_DB: "dtrack"
+      POSTGRES_USER: "dtrack"
+      POSTGRES_PASSWORD: "dtrack"
+    ports:
+    - "127.0.0.1:5432:5432"
+    volumes:
+    - "postgres-data:/var/lib/postgresql/data"
+    restart: unless-stopped
+
+volumes:
+  postgres-data: { }

dev/docker-compose.yml

@@ -0,0 +1,37 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) Steve Springett. All Rights Reserved.
+name: "dependency-track"
+
+services:
+  apiserver:
+    image: dependencytrack/apiserver:snapshot
+    ports:
+    - "127.0.0.1:8080:8080"
+    volumes:
+    - "apiserver-data:/data"
+    restart: unless-stopped
+
+  frontend:
+    image: dependencytrack/frontend:snapshot
+    environment:
+      API_BASE_URL: "http://localhost:8080"
+    ports:
+    - "127.0.0.1:8081:8080"
+    restart: unless-stopped
+
+volumes:
+  apiserver-data: { }

scripts/dbschema-generate.sh → dev/scripts/dbschema-generate.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 DEFAULT_OUTPUT="./schema.sql"
-DEFAULT_DNPROPS="./scripts/dbschema-generate.datanucleus.properties"
+DEFAULT_DNPROPS="./dev/scripts/dbschema-generate.datanucleus.properties"
 
 function printHelp() {
   echo "Generate the database schema for Dependency-Track."
@@ -40,4 +40,4 @@ mvn datanucleus:schema-create \
   -Dprops="${dnprops:-$DEFAULT_DNPROPS}" \
   -DcompleteDdl=true \
   -DddlFile="${output:-$DEFAULT_OUTPUT}" \
-  -Dlog4jConfiguration=./scripts/dbschema-generate.log4j.properties
+  -Dlog4jConfiguration=./dev/scripts/dbschema-generate.log4j.properties

docs/_posts/2023-05-17-v4.8.2.md

@@ -17,17 +17,17 @@ For a complete list of changes, refer to the respective GitHub milestone:
 
 ###### dependency-track-apiserver.jar
 
-| Algorithm | Checksum |
-|:----------|:---------|
-| SHA-1     |          |
-| SHA-256   |          |
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | bfc8758eb30ab90f4280cb37ea959964f74706b9                         |
+| SHA-256   | 2b1d249d98f72b863deb4769665efc119a3ef8db195838decddce9a2a12f36b4 |
 
 ###### dependency-track-bundled.jar
 
-| Algorithm | Checksum |
-|:----------|:---------|
-| SHA-1     |          |
-| SHA-256   |          |
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | 52bd8b0c0646d0759e30f5b1600f5fb17e4ede36                         |
+| SHA-256   | 2f8171cd2a93f060110e0f7f5f1555a17db11de0a3cb0cb5b6068dfe3cd8e5e3 |
 
 ###### Software Bill of Materials (SBOM)