Implement Graceful Handling of Maven Central HTTP 429 #3986

Open
2 tasks done
msymons opened this issue Jul 17, 2024 · 0 comments
msymons commented Jul 17, 2024

Current Behavior

Dependency-Track is configured "out of the box" with several Maven Repositories. One of these is Maven Central, run by Sonatype.

Sonatype has analysed traffic and decided to respond with HTTP 429 errors to individual IP addresses that exceed a request threshold, as documented in their blogpost: Maven Central and the tragedy of the commons

In Dependency-Track, statuses other than 200 are only logged at DEBUG level.... meaning that the administrator would currently have a hard job to even know that they were being impacted by throttling.

Note that many corporate environments will use a NAT gateway, meaning that Maven Central may be seeing traffic from Dependency-Track AND CI/CD servers AND developer IDE as all coming from the same IP. Thus, it is possible that DT might not be causing throttling... but still be impacted by it.

Proposed Behavior

  • Change loglevel so that admin can see HTTP 409 errors in log by default.
  • Possibly adjust logging logic so that log does not get spammed by too many entries
  • Add a circuit breaker, such that once we hit a certain threshold of 429s, we don't make the problem worse by throwing more and more requests at the system that has given us the 429.
  • Metrics would be nice to have and should be investigated (being aware of need to avoid extreme memory usage)

Checklist

@msymons msymons added the enhancement New feature or request label Jul 17, 2024
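
A minimal sketch of the circuit breaker and log throttling proposed in the issue, added here as an example; it is not Dependency-Track code and not from the issue author. The class name `ThrottleBreaker`, the threshold of 3 and the five-minute cool-down are assumptions, and the response statuses are constructed.

```java
import java.time.Duration;
import java.time.Instant;

// Added example (hypothetical class): one instance per repository, e.g. Maven Central.
public class ThrottleBreaker {
    private final int threshold;      // consecutive 429s before requests are paused (assumed)
    private final Duration coolDown;  // how long requests stay paused (assumed)
    private int consecutive429;
    private Instant openUntil = Instant.MIN;

    public ThrottleBreaker(int threshold, Duration coolDown) {
        this.threshold = threshold;
        this.coolDown = coolDown;
    }

    // False while the breaker is open: the caller skips the repository lookup entirely.
    public synchronized boolean allowRequest(Instant now) {
        return !now.isBefore(openUntil);
    }

    // Feed every response status in. Returns a message to log at WARN, or null to stay quiet,
    // so a run of 429s yields two log lines (first hit, breaker opening) instead of one per request.
    public synchronized String record(int status, Instant now) {
        if (status != 429) {
            consecutive429 = 0;
            return null;
        }
        consecutive429++;
        if (consecutive429 >= threshold) {
            openUntil = now.plus(coolDown);
            String msg = consecutive429 + " consecutive HTTP 429 responses; pausing requests until " + openUntil;
            consecutive429 = 0;
            return msg;
        }
        return consecutive429 == 1 ? "HTTP 429 received; repository is rate limiting this IP address" : null;
    }

    public static void main(String[] args) {
        ThrottleBreaker breaker = new ThrottleBreaker(3, Duration.ofMinutes(5));
        Instant t = Instant.parse("2024-07-17T10:00:00Z");  // constructed timeline
        int[] statuses = {200, 429, 429, 429, 200, 200};     // constructed responses
        for (int status : statuses) {
            t = t.plusSeconds(1);
            if (!breaker.allowRequest(t)) {
                System.out.println(t + " skipped, breaker open");
                continue;
            }
            String warn = breaker.record(status, t);
            if (warn != null) System.out.println(t + " WARN " + warn);
        }
        System.out.println("allowed after cool-down: " + breaker.allowRequest(t.plus(Duration.ofMinutes(5))));
    }
}
```

Because the source IP may be shared behind a NAT gateway, the breaker reacts only to the 429s it observes and makes no assumption about which client caused them.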