{"id":18828629,"url":"https://github.com/dependencytrack/hyades","last_synced_at":"2025-04-14T03:14:44.936Z","repository":{"id":61419060,"uuid":"543507686","full_name":"DependencyTrack/hyades","owner":"DependencyTrack","description":"Incubating project for decoupling responsibilities from Dependency-Track's monolithic API server into separate, scalable services.","archived":false,"fork":false,"pushed_at":"2025-04-10T05:23:52.000Z","size":23888,"stargazers_count":70,"open_issues_count":96,"forks_count":28,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-14T03:14:26.390Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://dependencytrack.github.io/hyades/latest","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DependencyTrack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-09-30T08:44:20.000Z","updated_at":"2025-04-08T10:56:00.000Z","dependencies_parsed_at":"2023-02-18T00:31:22.844Z","dependency_job_id":"4b4692f4-3979-4a24-9ef3-ab12cd0f69c2","html_url":"https://github.com/DependencyTrack/hyades","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fhyades","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fhyades/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fhyades/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/DependencyTrack%2Fhyades/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DependencyTrack","download_url":"https://codeload.github.com/DependencyTrack/hyades/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248813803,"owners_count":21165634,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:33:56.711Z","updated_at":"2025-04-14T03:14:44.926Z","avatar_url":"https://github.com/DependencyTrack.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hyades\n\n[![Build Status](https://github.com/DependencyTrack/hyades/actions/workflows/ci.yml/badge.svg)](https://github.com/DependencyTrack/hyades/actions/workflows/ci.yml)\n[![End-to-End Test](https://github.com/DependencyTrack/hyades/actions/workflows/e2e-test.yml/badge.svg)](https://github.com/DependencyTrack/hyades/actions/workflows/e2e-test.yml)\n[![Codacy Code Quality Badge](https://app.codacy.com/project/badge/Grade/64c349c2b92340ffb83f7dba1d6b03e5)](https://app.codacy.com/gh/DependencyTrack/hyades/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade)\n[![Codacy Coverage Badge](https://app.codacy.com/project/badge/Coverage/64c349c2b92340ffb83f7dba1d6b03e5)](https://app.codacy.com/gh/DependencyTrack/hyades/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_coverage)\n\n## What is this? 
🤔\n\nHyades, named after [the star cluster closest to earth](https://en.wikipedia.org/wiki/Hyades_(star_cluster)), \nis an incubating project for decoupling responsibilities from [Dependency-Track]'s monolithic API server into separate, \nscalable™ services. We're using [Apache Kafka] (or Kafka-compatible brokers like [Redpanda]) for communicating between\nAPI server and Hyades services.\n\nIf you're interested in the technical background of this project, please refer to 👉 [`WTF.md`](WTF.md) 👈.\n\nThe main objectives of Hyades are:\n\n* Enable Dependency-Track to handle portfolios spanning hundreds of thousands of projects\n* Improve resilience of Dependency-Track, providing more confidence when relying on it in critical workflows\n* Improve deployment and configuration management experience for containerized / cloud native tech stacks\n\nOther than separating responsibilities, the API server has been modified to allow for high availability (active-active)\ndeployments. Various \"hot paths\", like [processing of uploaded BOMs](https://github.com/DependencyTrack/hyades-apiserver/pull/218),\nhave been optimized in the existing code. Further optimization is an ongoing effort.\n\nHyades already is a *superset* of Dependency-Track, as changes up to Dependency-Track v4.11.3 were ported,\nand features made possible by the new architecture have been implemented on top. 
Where possible, improvements\nmade in Hyades are, or will be, backported to Dependency-Track v4.x.\n\n## Features\n\nGenerally, Hyades can do [everything Dependency-Track can do](https://github.com/DependencyTrack/dependency-track#features).\n\nOn top of that, it is capable of:\n\n* Evaluating policies defined in the [Common Expression Language](https://dependencytrack.github.io/hyades/latest/usage/policy-compliance/expressions/) (CEL)\n* Verifying the integrity of components, based on hashes consumed from BOMs and remote repositories\n\n## Architecture\n\nRough overview of the architecture:\n\n![Architecture Overview](docs/architecture-overview.png)\n\nExcept the mirror service (which is not actively involved in event processing), all services can be scaled up and down,\nto and from multiple instances. Despite being written in Java, all services except the API server can optionally be\ndeployed as self-contained native binaries, offering a lower resource footprint.\n\nTo read more about the individual services, refer to their respective `README.md`:\n\n* [Repository Metadata Analyzer](repository-meta-analyzer/README.md)\n* [Vulnerability Analyzer](vulnerability-analyzer/README.md)\n\n## Great, can I try it? 🙌\n\nYes! And all you need to kick the tires is [Docker Compose](https://docs.docker.com/compose/install/)!\n\n```shell\ndocker compose --profile demo up -d --pull always\n```\n\nThis will launch all required services, and expose the following endpoints:\n\n| Service            | URL                    |\n|:-------------------|:-----------------------|\n| API Server         | http://localhost:8080  |\n| Frontend           | http://localhost:8081  |\n| Redpanda Console   | http://localhost:28080 |\n| PostgreSQL         | `localhost:5432`       |\n| Redpanda Kafka API | `localhost:9092`       |\n\nSimply navigate to the [frontend](http://localhost:8081) to get started!  
\nThe initial admin credentials are `admin` / `admin` 🌚\n\n## Deployment 🚢\n\nThe recommended way to deploy Hyades is via Helm.\nThe chart is maintained in the [`DependencyTrack/helm-charts`](https://github.com/DependencyTrack/helm-charts) repository.\n\n```shell\n$ helm repo add dependency-track https://dependencytrack.github.io/helm-charts\n$ helm search repo dependency-track -o json | jq -r '.[].name'\ndependency-track/dependency-track\ndependency-track/hyades\n```\n\nThe chart does *not* include:\n\n* a database\n* a Kafka-compatible broker\n\nHelm charts to deploy Kafka brokers to Kubernetes are provided by both [Strimzi](https://strimzi.io/)\nand [Redpanda](https://github.com/redpanda-data/helm-charts).\n\n### Minikube\n\nDeploying to a local [Minikube](https://minikube.sigs.k8s.io/docs/) cluster is a great way to get started.\n\n\u003e [!NOTE]  \n\u003e To allow for frictionless testing, we will use the [`values-minikube.yaml`](https://github.com/DependencyTrack/helm-charts/blob/main/charts/hyades/values-minikube.yaml)\n\u003e configuration template. **This template includes PostgreSQL and Redpanda deployments**.\n\u003e Both are configured for *minimal resource footprint*, which *can* lead to suboptimal performance.\n\n1. Start a local Minikube cluster, exposing `NodePort`s for API server (`30080`) and frontend (`30081`)\n```shell\nminikube start --ports 30080:30080,30081:30081\n```\n2. Download the example `values-minikube.yaml` configuration template:\n```shell\ncurl -O https://raw.githubusercontent.com/DependencyTrack/helm-charts/main/charts/hyades/values-minikube.yaml\n```\n3. Make adjustments to `values-minikube.yaml` as needed\n    * Refer to [the chart's documentation](https://github.com/DependencyTrack/helm-charts/tree/main/charts/hyades) for details on available values\n    * Refer to the [configuration reference](https://dependencytrack.github.io/hyades/latest/reference/configuration/api-server/) for details on available application options\n4. 
Deploy Hyades\n```shell\nhelm install hyades dependency-track/hyades \\\n  -n hyades --create-namespace \\\n  -f ./values-minikube.yaml\n```\n5. Wait a moment for all deployments to become *ready*\n```shell\nkubectl -n hyades rollout status deployment \\\n  --selector 'app.kubernetes.io/instance=hyades' \\\n  --watch --timeout 3m\n```\n6. Visit `http://localhost:30081` in your browser to access the frontend\n\n## Monitoring 📊\n\n### Metrics\n\nA basic metrics monitoring stack is provided, consisting of Prometheus and Grafana.  \nTo start both services, run:\n\n```shell\ndocker compose --profile monitoring up -d\n```\n\nThe services will be available locally at the following locations:\n\n* Prometheus: http://localhost:9090\n* Grafana: http://localhost:3000\n\nPrometheus is [configured](monitoring/prometheus.yml) to scrape metrics from the following services at 5s intervals:\n\n* Redpanda Broker\n* API Server\n* Notification Publisher\n* Repository Meta Analyzer\n* Vulnerability Analyzer\n\nThe Grafana instance will be automatically [provisioned](monitoring/grafana/provisioning) to use Prometheus as\ndata source. Additionally, dashboards for the following services are automatically set up:\n\n* Redpanda Broker\n* API Server\n* Vulnerability Analyzer\n\n### Redpanda Console 🐼\n\nThe provided `docker-compose.yml` includes an instance of [Redpanda Console](https://github.com/redpanda-data/console)\nto aid with gaining insight into what's happening in the message broker. Among many other things, it can be used to\ninspect messages inside any given topic.\n\nThe console is exposed at `http://127.0.0.1:28080` and does not require authentication. 
It's intended for local use only.\n\n## Technical Documentation 💻\n\n### Configuration 📝\n\nRefer to the [`Configuration`](https://dependencytrack.github.io/hyades/latest/reference/configuration/) documentation.\n\n### Development\n\n#### Prerequisites\n\n* JDK 21+\n* Maven\n* Docker\n\n#### Building\n\n```shell\nmvn clean install -DskipTests\n```\n\n#### Running locally\n\nRunning the Hyades services locally requires both a Kafka broker and a database server to be present.\nContainers for Redpanda and PostgreSQL can be launched using Docker Compose:\n\n```shell\ndocker compose up -d\n```\n\nTo launch individual services execute the `quarkus:dev` Maven goal for the respective module:\n\n```shell\nmvn -pl vulnerability-analyzer quarkus:dev\n```\n\nMake sure you've [built](#building) the project at least once, otherwise the above command will fail.\n\n\u003e **Note**  \n\u003e If you're unfamiliar with Quarkus' Dev Mode, you can read more about it \n\u003e [here](https://quarkus.io/guides/maven-tooling#dev-mode)\n\n### Testing 🤞\n\n#### Unit Testing 🕵️‍♂️\n\nTo execute the unit tests for all Hyades modules:\n\n```shell\nmvn clean verify\n```\n\n#### End-To-End Testing 🧟\n\n\u003e **Note**  \n\u003e End-to-end tests are based on container images. The tags of those images are currently hardcoded.\n\u003e For the Hyades services, the tags are set to `latest`. 
If you want to test local changes, you'll have\n\u003e to first:\n\u003e * Build container images locally\n\u003e * Update the tags in [`AbstractE2ET`](https://github.com/DependencyTrack/hyades/blob/main/e2e/src/test/java/org/hyades/e2e/AbstractE2ET.java)\n\nTo execute end-to-end tests as part of the build:\n\n```shell\nmvn clean verify -Pe2e-all\n```\n\nTo execute *only* the end-to-end tests:\n\n```shell\nmvn -pl e2e clean verify -Pe2e-all\n```\n\n[Apache Kafka]: https://kafka.apache.org/\n[Dependency-Track]: https://github.com/DependencyTrack/dependency-track\n[Redpanda]: https://redpanda.com/\n[notifications]: https://docs.dependencytrack.org/integrations/notifications/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdependencytrack%2Fhyades","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdependencytrack%2Fhyades","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdependencytrack%2Fhyades/lists"}