Merge branch 'master' into mel-issue-2737

.dockerignore

@@ -1,9 +1,9 @@
 .github/
 .idea/
-.run/
 docs/
 scripts/
 src/
+!src/main/docker/logback*.xml
 target/
 !target/*.jar
 /*.md

.github/dependabot.yml

@@ -7,7 +7,7 @@ updates:
   - package-ecosystem: docker
     directory: /src/main/docker
     schedule:
-      interval: weekly
+      interval: daily
   - package-ecosystem: github-actions
     directory: /
     schedule:

.github/workflows/_meta-build.yaml

@@ -22,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Set up JDK
-        uses: actions/setup-java@v3.11.0
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -49,7 +49,7 @@ jobs:
           mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
 
       - name: Upload Artifacts
-        uses: actions/[email protected].2
+        uses: actions/[email protected].3
         with:
           name: assembled-wars
           path: |-
@@ -70,7 +70,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Download Artifacts
         uses: actions/[email protected]
@@ -79,16 +79,16 @@ jobs:
           path: target
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.6.0
+        uses: docker/setup-buildx-action@v3.0.0
         id: buildx
         with:
           install: true
 
       - name: Login to Docker.io
-        uses: docker/login-action@v2.2.0
+        uses: docker/login-action@v3.0.0
         if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
@@ -105,7 +105,7 @@ jobs:
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@v4.1.0
+        uses: docker/build-push-action@v5.0.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -119,7 +119,7 @@ jobs:
 
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@0.11.2
+        uses: aquasecurity/trivy-action@0.12.0
         with:
           image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
           format: 'sarif'

.github/workflows/ci-publish.yaml

@@ -21,7 +21,7 @@ jobs:
             exit 1
           fi
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Parse Version from POM
         id: parse
@@ -47,7 +47,7 @@ jobs:
       - call-build
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Download Artifacts
         uses: actions/[email protected]

.github/workflows/ci-release.yaml

@@ -18,7 +18,7 @@ jobs:
       release-branch: ${{ steps.variables.outputs.release-branch }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Setup Environment
         id: variables
@@ -45,10 +45,10 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Set up JDK
-        uses: actions/setup-java@v3.11.0
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -112,7 +112,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
         with:
           ref: ${{ needs.prepare-release.outputs.release-branch }}
 

.github/workflows/ci-test.yaml

@@ -29,10 +29,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Set up JDK
-        uses: actions/setup-java@v3.11.0
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'temurin'
           java-version: '17'

.github/workflows/dependency-review.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3.5.3
+        uses: actions/checkout@v4.0.0
 
       - name: Dependency Review
         uses: actions/dependency-review-action@v3

.gitignore

@@ -10,8 +10,12 @@ docs/Gemfile.lock
 target/
 .classpath
 .project
-.idea/
 .vscode/
 
 # windows
-~
+~
+
+# IntelliJ
+.idea/*
+!.idea/icon.svg
+!.idea/runConfigurations/

DEVELOPING.md

@@ -24,7 +24,7 @@ There are a few things you'll need on your journey:
 * Docker (optional)
 
 > We provide common [run configurations](https://www.jetbrains.com/help/idea/run-debug-configuration.html) for IntelliJ 
-> in the [`.run`](./.run) directory for convenience. IntelliJ will automatically pick those up when you open this repository.
+> in the [`.idea/runConfigurations`](./.idea/runConfigurations) directory for convenience. IntelliJ will automatically pick those up when you open this repository.
 
 ## Core Technologies
 
@@ -84,7 +84,7 @@ mvn jetty:run -P enhance -Dlogback.configurationFile=src/main/docker/logback.xml
 > Note that the `bundle-ui` profile has no effect using this method. 
 > It works only for the API server, not the bundled distribution.
 
-The above command is also suitable for debugging. For IntelliJ, simply *Debug* the [Jetty](./.run/Jetty.run.xml) run configuration.
+The above command is also suitable for debugging. For IntelliJ, simply *Debug* the [Jetty](./.idea/runConfigurations/Jetty.run.xml) run configuration.
 
 ### Inspecting the database
 
@@ -257,8 +257,14 @@ cd dev
 docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.monitoring.yml up -d
 ```
 
-Prometheus should automatically discover the API server's metrics. To visualize them, follow the instructions
-for setting up the sample Grafana dashboard in the [docs](https://docs.dependencytrack.org/getting-started/monitoring/#grafana-dashboard).
+Prometheus will automatically discover the API server's metrics. Grafana is configured to provision Prometheus
+as datasource, and import the [sample dashboard](https://docs.dependencytrack.org/getting-started/monitoring/#grafana-dashboard)
+on startup.
+
+To view the dashboard, visit http://localhost:3000 in your browser. The initial Grafana credentials are:
+
+* Username: `admin`
+* Password: `admin`
 
 ## DataNucleus Bytecode Enhancement
 

dev/docker-compose.monitoring.yml

@@ -21,41 +21,26 @@ services:
 
   prometheus:
     image: prom/prometheus:v2.37.8
-    entrypoint: /bin/sh
-    command:
-    - -c
-    - >-
-      echo -e "$$PROMETHEUS_CONFIG_FILE" > /etc/prometheus/prometheus.yml;
-      /bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus
-    environment:
-      PROMETHEUS_CONFIG_FILE: |-
-        scrape_configs:
-        - job_name: dtrack-apiserver
-          scrape_interval: 15s
-          scheme: http
-          dns_sd_configs:
-          - names:
-            - apiserver
-            type: A
-            port: 8080
     ports:
     - "127.0.0.1:9090:9090"
     volumes:
+    - "./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml:ro"
     - "prometheus-data:/prometheus"
     restart: unless-stopped
 
   grafana:
-    image: grafana/grafana-oss:9.5.2
+    image: grafana/grafana-oss:9.5.5
     depends_on:
     - prometheus
     environment:
-      GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
-      GF_AUTH_ANONYMOUS_ENABLED: "true"
-      GF_AUTH_BASIC_ENABLED: "false"
+      GF_SECURITY_ADMIN_USER: "admin"
+      GF_SECURITY_ADMIN_PASSWORD: "admin"
     ports:
     - "127.0.0.1:3000:3000"
     volumes:
     - "grafana-data:/var/lib/grafana"
+    - "./monitoring/grafana/provisioning:/etc/grafana/provisioning:ro"
+    - "./monitoring/grafana/dashboards:/etc/dashboards:ro"
     restart: unless-stopped
 
 volumes: