Implement basic telemetry collection

Signed-off-by: nscuro <nscuro@protonmail.com>

# Conflicts:
#	dev/docker-compose.yml

Author: nscuro

dev/docker-compose.yml

@@ -22,6 +22,7 @@ services:
     environment:
       # Speed up password hashing for faster initial login (default is 14 rounds).
       ALPINE_BCRYPT_ROUNDS: "4"
+      TELEMETRY_SUBMISSION_ENABLED_DEFAULT: "false"
     ports:
     - "127.0.0.1:8080:8080"
     volumes:

docs/_docs/getting-started/telemetry.md

@@ -0,0 +1,68 @@
+---
+title: Telemetry
+category: Getting Started
+chapter: 1
+order: 14
+---
+
+## Collected data
+
+| Data                     | Example                              |
+|:-------------------------|:-------------------------------------|
+| System ID                | 78701907-3044-493d-92b5-6a45e08aecd3 |
+| Dependency-Track version | 4.13.0                               |
+| Database type            | PostgreSQL                           |
+| Database version         | 15.2                                 |
+
+Information that could allow this data to be traced back to specific organizations,
+such as IP addresses, is explicitly **not** collected or stored.
+
+The system ID is randomly generated upon a Dependency-Track instance's first launch.  
+It is used to correlate multiple data points of the same system over time,  
+but can not be traced back to actual deployments.
+
+The Dependency-Track version is collected to allow the maintainers to gauge
+adoption of releases.
+
+Database type and version are collected to gain a better understanding of which
+database systems are most commonly used, and which are not. It also allows to draw
+conclusions as to when it's safe to raise the baseline of supported database versions.
+
+The insights gained from telemetry collection, excluding system IDs, will be made available to the community.
+
+## Submission frequency
+
+Telemetry data is first submitted one minute after application startup.  
+From then onwards, it is submitted on a daily basis.
+
+## Opting out
+
+Telemetry submission can be disabled in multiple ways.
+
+**Via user interface**: Administrators can disable telemetry submission in the  
+administration panel under *Configuration* -> *Telemetry*.
+
+![Telemetry preferences]({{ site.baseurl }}/images/screenshots/telemetry.png)
+
+**Via REST API**: Given an API key with `SYSTEM_CONFIGURATION` permission,  
+telemetry submission may be disabled using the `/api/v1/configProperty` endpoint.
+
+```shell
+curl -X POST \
+  -H 'X-Api-Key: odt_******' \
+  -H 'Content-Type: application/json' \
+  -d '{"groupName":"telemetry","propertyName":"submission.enabled","propertyValue":"false"}' \
+  https://dtrack.example.com/api/v1/configProperty
+```
+
+**Via environment variable**: *When starting a new instance for the first time*,  
+or *when upgrading from an older version to 4.13.0 or higher*,  
+the following environment variable can be set:
+
+```
+TELEMETRY_SUBMISSION_ENABLED_DEFAULT=false
+```
+
+Please note that the environment variable merely impacts the *default value* of the setting.  
+It does not overwrite any changes made via REST API or user interface,  
+and has no effect past the initial launch of the application.

docs/images/screenshots/telemetry.png

@@ -750,6 +750,9 @@
                 <artifactId>jetty-ee10-maven-plugin</artifactId>
                 <version>${plugin.jetty.version}</version>
                 <configuration>
+                    <systemProperties>
+                        <dev.mode.enabled>true</dev.mode.enabled>
+                    </systemProperties>
                     <webApp>
                         <!-- Disable classpath scanning. -->
                         <containerIncludeJarPattern>^$</containerIncludeJarPattern>
@@ -812,6 +815,9 @@
                         <artifactId>jetty-ee10-maven-plugin</artifactId>
                         <version>${plugin.jetty.version}</version>
                         <configuration>
+                            <systemProperties>
+                                <dev.mode.enabled>true</dev.mode.enabled>
+                            </systemProperties>
                             <webApp>
                                 <!-- Disable classpath scanning. -->
                                 <containerIncludeJarPattern>^$</containerIncludeJarPattern>

pom.xml

@@ -40,7 +40,9 @@ public enum ConfigKey implements Config.Key {
     REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_LOCK_BUCKETS("repo.meta.analyzer.cacheStampedeBlocker.lock.buckets", 1000),
     REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_MAX_ATTEMPTS("repo.meta.analyzer.cacheStampedeBlocker.max.attempts", 10),
     SYSTEM_REQUIREMENT_CHECK_ENABLED("system.requirement.check.enabled", true),
-    ALPINE_WORKER_POOL_DRAIN_TIMEOUT_DURATION("alpine.worker.pool.drain.timeout.duration", "PT5S");
+    ALPINE_WORKER_POOL_DRAIN_TIMEOUT_DURATION("alpine.worker.pool.drain.timeout.duration", "PT5S"),
+    TELEMETRY_SUBMISSION_ENABLED_DEFAULT("telemetry.submission.enabled.default", true);
+
     private final String propertyName;
     private final Object defaultValue;
 

src/main/java/org/dependencytrack/common/ConfigKey.java

@@ -43,6 +43,7 @@
 import org.dependencytrack.tasks.OsvDownloadTask;
 import org.dependencytrack.tasks.PolicyEvaluationTask;
 import org.dependencytrack.tasks.TaskScheduler;
+import org.dependencytrack.tasks.TelemetrySubmissionTask;
 import org.dependencytrack.tasks.VexUploadProcessingTask;
 import org.dependencytrack.tasks.VulnDbSyncTask;
 import org.dependencytrack.tasks.VulnerabilityAnalysisTask;
@@ -112,6 +113,7 @@ public void contextInitialized(final ServletContextEvent event) {
         EVENT_SERVICE.subscribe(NistMirrorEvent.class, NistMirrorTask.class);
         EVENT_SERVICE.subscribe(NistApiMirrorEvent.class, NistApiMirrorTask.class);
         EVENT_SERVICE.subscribe(EpssMirrorEvent.class, EpssMirrorTask.class);
+        EVENT_SERVICE.subscribe(TelemetrySubmissionEvent.class, TelemetrySubmissionTask.class);
 
         EVENT_SERVICE_ST.subscribe(IndexEvent.class, IndexTask.class);
 
@@ -148,6 +150,7 @@ public void contextDestroyed(final ServletContextEvent event) {
         EVENT_SERVICE.unsubscribe(NistMirrorTask.class);
         EVENT_SERVICE.unsubscribe(NistApiMirrorTask.class);
         EVENT_SERVICE.unsubscribe(EpssMirrorTask.class);
+        EVENT_SERVICE.unsubscribe(TelemetrySubmissionTask.class);
         EVENT_SERVICE.shutdown(DRAIN_TIMEOUT_DURATION);
 
         EVENT_SERVICE_ST.unsubscribe(IndexTask.class);

src/main/java/org/dependencytrack/event/EventSubsystemInitializer.java

@@ -0,0 +1,37 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.event;
+
+import alpine.event.framework.SingletonCapableEvent;
+
+import java.util.UUID;
+
+/**
+ * @since 4.13.0
+ */
+public class TelemetrySubmissionEvent extends SingletonCapableEvent {
+
+    private static final UUID CHAIN_IDENTIFIER = UUID.fromString("a2ca4cbf-18d9-4e25-ae87-643020637e88");
+
+    public TelemetrySubmissionEvent() {
+        setChainIdentifier(CHAIN_IDENTIFIER);
+        setSingleton(true);
+    }
+
+}

src/main/java/org/dependencytrack/event/TelemetrySubmissionEvent.java

@@ -18,9 +18,11 @@
  */
 package org.dependencytrack.model;
 
+import alpine.Config;
 import alpine.model.IConfigProperty;
 import alpine.model.IConfigProperty.PropertyType;
 import org.apache.commons.lang3.SystemUtils;
+import org.dependencytrack.common.ConfigKey;
 
 import java.util.Arrays;
 
@@ -120,7 +122,10 @@ public enum ConfigPropertyConstants {
     BOM_VALIDATION_TAGS_EXCLUSIVE("artifact", "bom.validation.tags.exclusive", "[]", PropertyType.STRING, "JSON array of tags for which BOM validation shall NOT be performed"),
     WELCOME_MESSAGE("general", "welcome.message.html", "%3Chtml%3E%3Ch1%3EYour%20Welcome%20Message%3C%2Fh1%3E%3C%2Fhtml%3E", PropertyType.STRING, "Custom HTML Code that is displayed before login", true),
     IS_WELCOME_MESSAGE("general", "welcome.message.enabled", "false", PropertyType.BOOLEAN, "Bool that says whether to show the welcome message or not", true),
-    DEFAULT_LANGUAGE("general", "default.locale", null, PropertyType.STRING, "Determine the default Language to use", true);
+    DEFAULT_LANGUAGE("general", "default.locale", null, PropertyType.STRING, "Determine the default Language to use", true),
+    TELEMETRY_SUBMISSION_ENABLED("telemetry", "submission.enabled", String.valueOf(!"true".equals(System.getProperty("dev.mode.enabled")) && Config.getInstance().getPropertyAsBoolean(ConfigKey.TELEMETRY_SUBMISSION_ENABLED_DEFAULT)), PropertyType.BOOLEAN, "Whether submission of telemetry data is enabled"),
+    TELEMETRY_LAST_SUBMISSION_DATA("telemetry", "last.submission.data", null, PropertyType.STRING, "Data of the last telemetry submission"),
+    TELEMETRY_LAST_SUBMISSION_EPOCH_SECONDS("telemetry", "last.submission.epoch.seconds", null, PropertyType.INTEGER, "Timestamp of the last telemetry submission in epoch seconds");
 
     private final String groupName;
     private final String propertyName;
@@ -129,7 +134,6 @@ public enum ConfigPropertyConstants {
     private final String description;
     private final Boolean isPublic;
 
-
 	ConfigPropertyConstants(String groupName, String propertyName, String defaultPropertyValue, PropertyType propertyType, String description) {
         this.groupName = groupName;
         this.propertyName = propertyName;

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -36,19 +36,22 @@
 import org.dependencytrack.event.PortfolioMetricsUpdateEvent;
 import org.dependencytrack.event.PortfolioVulnerabilityAnalysisEvent;
 import org.dependencytrack.event.RepositoryMetaEvent;
+import org.dependencytrack.event.TelemetrySubmissionEvent;
 import org.dependencytrack.event.VulnDbSyncEvent;
 import org.dependencytrack.event.VulnerabilityMetricsUpdateEvent;
 import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.persistence.QueryManager;
 
+import java.util.concurrent.TimeUnit;
+
 import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_SYNC_CADENCE;
 import static org.dependencytrack.model.ConfigPropertyConstants.FORTIFY_SSC_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.FORTIFY_SSC_SYNC_CADENCE;
-import static org.dependencytrack.model.ConfigPropertyConstants.SEARCH_INDEXES_CONSISTENCY_CHECK_CADENCE;
-import static org.dependencytrack.model.ConfigPropertyConstants.SEARCH_INDEXES_CONSISTENCY_CHECK_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.KENNA_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.KENNA_SYNC_CADENCE;
+import static org.dependencytrack.model.ConfigPropertyConstants.SEARCH_INDEXES_CONSISTENCY_CHECK_CADENCE;
+import static org.dependencytrack.model.ConfigPropertyConstants.SEARCH_INDEXES_CONSISTENCY_CHECK_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.TASK_SCHEDULER_COMPONENT_ANALYSIS_CACHE_CLEAR_CADENCE;
 import static org.dependencytrack.model.ConfigPropertyConstants.TASK_SCHEDULER_GHSA_MIRROR_CADENCE;
 import static org.dependencytrack.model.ConfigPropertyConstants.TASK_SCHEDULER_INTERNAL_COMPONENT_IDENTIFICATION_CADENCE;
@@ -109,6 +112,8 @@ private TaskScheduler() {
 
             // Creates a new event that executes every 72 hours (259200000) by default after an initial 10 second (10000) delay
             scheduleEvent(new ClearComponentAnalysisCacheEvent(), 10000, getCadenceConfigPropertyValueInMilliseconds(qm, TASK_SCHEDULER_COMPONENT_ANALYSIS_CACHE_CLEAR_CADENCE));
+
+            scheduleEvent(new TelemetrySubmissionEvent(), TimeUnit.MINUTES.toMillis(1), TimeUnit.HOURS.toMillis(1));
         }
 
         // Configurable tasks