Frühere Suchanfragen
Suchoptionen
Running DependencyTrack requires a full-blown multi-container docker setup:
https://docs.dependencytrack.org/getting-started/deploy-docker/
Are they serious?
To run something that basically parses a well-defined JSON- or XML-File and then compares a list of strings with lists of strings from online lists and generates graphs from that, I have to fire up multiple containers?
I think I finally understand what people mean when they say that "modern" #software scales up, but it fails to scale down.
@ArneBab Hmmm, I'm afraid you are a bit over simplificating it. It has a lot more features and I understand there is some hidden complexity behind that.
In my job we basically make trains running. It is conceptually very simple, but when you implement software for it, the real complexity behind that is quite overwhelming !
Perhaps we tend to find things simple until we try to do it ourselves.
A bit like : "A calculator app? Anyone could make that." https://chadnauseam.com/coding/random/calculator-app
@matclab I know that it has a lot of features, and some of these are needed in huge deployments.
What I mean by "fails to scale down" is that it does not have a good "I just want to check my small project" story.
The calculator app is actually a great example for that: yes, it has a lot of complexity, but there are small calculators that work out of the box locally.
Dependency Track feels like needing a cluster-deployment for a calculator app.
@matclab Besides: that article is truly beautiful!
@ArneBab yes I like it !
@matclab To make my point a bit clearer:
If I’m part of the IT department of a 1000 people company with 100 dev teams that each churn out 3 new projects per year with 1000 dependencies, then sure, I need a postgres database (300.000 deps per year, distinct due to different versions for incompatibilities or maintenance cost, differing in whether a specific CVE is relevant, and you need to check that retroactively, …).
But for a team of three I just need to check specific commits.
@ArneBab ah yes.
We use it in a 150 people sme, and it is ok for us (easy to install and update, and we have the needed infrastructure).
Indeed a bit too much for a three person team if you don't have a server with spare resources available.
@matclab We also use it at work and it’s pretty neat. DevOps manages it.
Though it’s not just about the spare resources: it’s that this by itself has quite big requirements.
Its direct POM isn’t that huge, but it contains lucene and testcontainers:
https://github.com/DependencyTrack/dependency-track/blob/master/pom.xml#L89