Support for summarized and scheduled notifications #3849

Conversation

MM-msr

@MM-msr MM-msr commented Jun 14, 2024

Description

Currently, Dependency-Track Alerts send a single notification for every single event happening that an alert is subscribed to (e.g. NEW_VULNERABILITY). This can lead to a lot of emails for users and creates the risk of overlooking important notifications.

To improve the user experience of the Alerts, scheduled notifications are implemented in Dependency-Track to send summarized notifications of new events between the last and current scheduled notification. The schedule is defined as cron expression.

Scheduled notification management is available via API and Frontend under Administration -> Notifications -> Scheduled Alerts, which is introduced in the Frontend Pull Request [reference will be added after creation].

The PR includes default templates for console and email publishing.

Addressed Issue

#322

Additional Details

  • DEFAULT_SCHEDULED_CRON_EXPRESSION as environment variable for the default cron expression of new rules
  • Error: "The type javax.validation.Payload cannot be resolved. It is indirectly referenced from required type com.github.packageurl.validator.PackageURL" was introduced in my local development environment after syncing the main project and the transition of some javax packages to jakarta
    • was fixed by manually adding javax.validation-api to pom.xml as a dependency
  • While evaluating and debugging the consideration of child projects in the notification process, it has turned out that projects delivered by QueryManager.getAllProjects() and some other methods didn't consistently include the correct child references. To workaround this behavior, the notification task "SendScheduledNotificationTask" uses a project-by-project-retrieval approach in "evaluateAffectedProjects(qm, rule)". This worked out empirically to deliver consistent child references.
  • DefaultPublisher-Retrieval was changed from by-class to a combination of name + class (or by-enum on a higher layer) to support multiple default publishers with same publisher class. This change is needed to use the existing publisher classes without defining new ones for scheduled default publishers.

[TODO: exemplary screenshots will be added during the next days]

Checklist
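The summary window the description above calls for, as an added example that is neither this PR's code nor Dependency-Track's: a minimal five-field cron matcher plus a batcher that, once a rule's schedule is due, collects the constructed NEW_VULNERABILITY events that occurred between the previous run and now into one summary per project instead of one notification per event. The function names, the event dictionaries and the project names are assumptions.

```python
from datetime import datetime, timedelta
# Constructed NEW_VULNERABILITY events (one notification each under the current Alerts behaviour).
EVENTS = [
    {"project": "acme-app", "vuln": "VULN-A", "time": datetime(2024, 6, 14, 8, 0)},   # at last run: excluded
    {"project": "acme-app", "vuln": "VULN-B", "time": datetime(2024, 6, 14, 9, 30)},
    {"project": "acme-lib", "vuln": "VULN-C", "time": datetime(2024, 6, 14, 20, 0)},
    {"project": "acme-app", "vuln": "VULN-D", "time": datetime(2024, 6, 15, 7, 59)},
    {"project": "acme-app", "vuln": "VULN-E", "time": datetime(2024, 6, 15, 8, 30)},  # after this run: next window
]

def _field_matches(spec: str, value: int) -> bool:
    """One cron field: '*', '*/n', 'a-b', 'a,b' or a single number."""
    for part in spec.split(","):
        if part == "*" or (part.startswith("*/") and value % int(part[2:]) == 0):
            return True
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            if lo <= value <= hi:
                return True
        elif part.isdigit() and int(part) == value:
            return True
    return False

def cron_matches(expr: str, t: datetime) -> bool:
    """Standard five-field cron: minute hour day-of-month month day-of-week (0 = Sunday)."""
    minute, hour, dom, month, dow = expr.split()
    return (_field_matches(minute, t.minute) and _field_matches(hour, t.hour)
            and _field_matches(dom, t.day) and _field_matches(month, t.month)
            and _field_matches(dow, t.isoweekday() % 7))

def next_run(expr: str, after: datetime) -> datetime:
    """First whole minute strictly after 'after' that matches the schedule."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # give up after a year without a match
        if cron_matches(expr, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("no matching time within a year: " + expr)

def summarize(cron: str, last_triggered: datetime, events, now: datetime):
    """Return ({project: [vulns]}, new last_triggered) for the window (last_triggered, now]
    when the rule is due, else (None, last_triggered) so nothing is sent and the window stays open."""
    if next_run(cron, last_triggered) > now:
        return None, last_triggered
    summary = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if last_triggered < ev["time"] <= now:
            summary.setdefault(ev["project"], []).append(ev["vuln"])
    return summary, now
```

The window is half-open on the left so an event stamped exactly at the previous run is not reported twice, and the returned timestamp must be persisted as the rule's new last-triggered time before the summary is sent.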

@MM-msr
Author

MM-msr commented Jun 14, 2024

@nscuro As you may have already discussed with @rkg-mm, I would appreciate it if you would provide a feature branch for this PR, as it includes bigger code and functionality changes.

@nscuro
Member

nscuro commented Jun 16, 2024

@MM-msr Sure! Feature branches have been created:

If you haven't already, please have a look at https://github.com/DependencyTrack/dependency-track/blob/master/DEVELOPING.md#feature-branches for details on how feature branches work. Please let me know if you have any questions, or run into challenges.

@MM-msr MM-msr changed the base branch from master to feature-322-scheduled-notifications June 17, 2024 06:14
@MM-msr
Author

MM-msr commented Jun 18, 2024

@nscuro Due to the DCO failure I rebased according to the instructions there. I cloned the PR, did the rebase and then tried to push it back. (local branches: master + pr/3849)

```
git push --force-with-lease origin master-322-scheduled-notifications
```

fails with the message

```
error: src refspec master-322-scheduled-notifications does not match any
error: failed to push some refs to 'https://github.com/DependencyTrack/dependency-track.git'
```

What did I do wrong? I suppose I 1) have to do the rebase again in my original repo (aka fork) or 2) have to use another target branch, because it doesn't really exist with this name in the official DependencyTrack repository. Maybe I need to change master-322-scheduled-notifications to origin/feature-322-scheduled-notifications or my own repo branch MM-msr/master-322-scheduled-notifications? Since it's my first real interaction with contribution, PRs and stuff, I don't want to experiment any further and force push somewhere else, so a little assistance or a hint where I have to look would be much appreciated. :)
Thanks a lot in advance.

@nscuro
Member

nscuro commented Jun 18, 2024

@MM-msr It seems that origin in your local repository refers to this (DependencyTrack/dependency-track) repo, when it should be yours (MM-msr/dependency-track):

```
error: failed to push some refs to 'https://github.com/DependencyTrack/dependency-track.git
```

You can't push directly to this repository.

Something along these lines should do it:

```
git clone https://github.com/MM-msr/dependency-track.git   # origin = your fork, which you can push to
cd dependency-track
git remote add upstream https://github.com/DependencyTrack/dependency-track.git   # the repo you cannot push to
git checkout master-322-scheduled-notifications
git rebase HEAD~90 --signoff # As per DCO Check suggestion
git push --force-with-lease origin master-322-scheduled-notifications
```

Afterwards, you may want to consider rebasing your changes against the new target branch, to make sure you're "in line":

```
git pull --rebase upstream feature-322-scheduled-notifications
# In case of conflicts, resolve them, then do: git rebase --continue
# Once rebased, do another round of: git push --force
```

MM-msr added 24 commits June 18, 2024 16:54
Signed-off-by: Max Schiller <[email protected]>
…orkaround for unknown possibility of JDO Inheritance setting

Signed-off-by: Max Schiller <[email protected]>
…ies for scheduled notifications

Signed-off-by: Max Schiller <[email protected]>
…ly of previous work from MGE, may be changed in future)

Signed-off-by: Max Schiller <[email protected]>
Signed-off-by: Max Schiller <[email protected]>
spawar-apex and others added 26 commits June 18, 2024 17:02
…rs showcase Signed-off-by: Author Name [email protected]

Signed-off-by: Swapnil Pawar <[email protected]>
…rs showcase Signed-off-by: Author Name [email protected]

Signed-off-by: Swapnil Pawar <[email protected]>
Bumps org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.9 to 12.0.10.

---
updated-dependencies:
- dependency-name: org.eclipse.jetty.ee10:jetty-ee10-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [org.apache.maven.plugins:maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.3.1 to 3.4.0.
- [Commits](apache/maven-checkstyle-plugin@maven-checkstyle-plugin-3.3.1...maven-checkstyle-plugin-3.4.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-checkstyle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Also removes `cwe-dictionary-generate.py`.

Dictionary generated with:

```
jbang gen-cwe-dict@DependencyTrack --version 4.14 --package org.dependencytrack.parser.common.resolver --output src/main/java/org/dependencytrack/parser/common/resolver/CweDictionary.java --jakarta
```

Signed-off-by: nscuro <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.7 to 3.25.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@f079b84...2e230e8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.21.0 to 0.22.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@fd25fed...595be6a)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.2 to 4.3.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0c155c5...72eb03d)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps debian from `2b2e35d` to `0200978`.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
…inactive projects is selected

Signed-off-by: Ross Murphy <[email protected]>
Bumps com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.18.1 to 1.19.0.

---
updated-dependencies:
- dependency-name: com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Max Schiller <[email protected]>
Signed-off-by: Max Schiller <[email protected]>
Since Dependabot appears to be unable to do so.

Signed-off-by: nscuro <[email protected]>
@MM-msr MM-msr force-pushed the master-322-scheduled-notifications branch from edecc6a to e269964 Compare June 18, 2024 15:08
@MM-msr
Author

MM-msr commented Jun 18, 2024

@nscuro Due to massive problems with double sign-off and rebase conflicts I am closing this pull request and will provide another pull request in the next days/weeks directly to the new feature branch. I will transfer my changes to a new branch with proper sign-off and, if needed, a DependencyTrack master sync at the end of my changes. This will make things a lot easier than trying to fix this PR. Sorry for the inconvenience.

@MM-msr MM-msr closed this Jun 18, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 19, 2024