Add capability to detect EOL packages and distros #2083
Comments
I think there is a path forward here to support this dataset, and it makes sense from the vulnerability perspective in terms of if something is EOL'd then we can't identify vulnerabilities for it, so that's worth noting to the user. The nice thing about the EOL dataset is that it appears to have the canonical product IDs and formats (CPE vs pURL) for each item they track. A good first cut would be to match against full distros, then a second pass would be to match against individual packages (such as the python interpreter or ruby interpreter). I'll transfer this to grype since there is a lot more to work through over there and the change that adds the new EOL data source in vunnel would flow from that work.
Hi!
Please check out this endpoint - https://deploy-preview-2080--endoflife-date.netlify.app/docs/api/v1/
As I wrote before, I use syft to detect EOL. Current rough flow is ...
To cover many products, multiple detection approaches, especially binary detection, are very useful.
Are you using it for distributions of images as well? @witchcraze
No
This is an enhancement we'd love to see. There are basically 2 steps to adding this: Add the data to the database Grype downloads, and change Grype to interpret the new data and present it to the user (the user presentation probably wants some more discussion). The way to do the first step is to design and add a Vunnel provider that captures the data that Grype would need. (One concern I have here is that the API doesn't seem to have PURLs in it, see https://endoflife.date/docs/api.) Some design work is needed to figure out how to fetch complete enough data to match packages and distros. The release data repo also doesn't seem to have PURLs. The design challenge here is to make sure we can identify packages with their entries in the data. It looks like there's an issue, endoflife-date/endoflife.date#3484, to include PURLs in their data. It might be possible to design around lack of PURLs, but if they had package identifiers of some kind in their release data or API it would certainly be easier to add this feature to Grype. It looks like the PURLs are in the raw markdown files, see https://raw.githubusercontent.com/endoflife-date/endoflife.date/master/products/angularjs.md for example, but it's not clear whether this data is stable or intended for consumption. If anyone would like to help build this, please reply here or join us at a community meeting. If anyone is reading this from the endoflife.date project, we'd love to know how you intend us to programmatically access PURLs or other package identifiers. Thanks all!
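As an added example of the second step described above (this is not code from grype, Vunnel or anyone in this thread): a Go function that reads records in the shape of an endoflife.date `/api/{product}.json` response, looks up the release cycle syft reported for a distro, and decides whether it is EOL as of a given date. The record layout is assumed from the public API docs rather than taken from this issue; the function handles the quirk that `eol` may be a boolean or a date string, and treats a cycle missing from the data as "unknown" rather than "supported".

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Cycle mirrors one entry of an endoflife.date /api/{product}.json response
// (shape assumed from the public docs). "eol" is either a date string or a
// boolean, so it is kept raw and decoded per record.
type Cycle struct {
	Cycle string          `json:"cycle"`
	EOL   json.RawMessage `json:"eol"`
}
// Constructed sample, not a real API capture: one supported cycle, one with
// a fixed EOL date and one already flagged EOL as a boolean.
const sampleJSON = `[
  {"cycle": "12", "releaseDate": "2023-06-10", "eol": false, "latest": "12.5"},
  {"cycle": "11", "releaseDate": "2021-08-14", "eol": "2024-08-14", "latest": "11.9"},
  {"cycle": "9",  "releaseDate": "2017-06-17", "eol": true, "latest": "9.13"}
]`
// eolStatus reports whether release cycle `cycle` (e.g. the distro version
// syft reports) is EOL as of asOf, plus the EOL date when one is known.
// A cycle missing from the data is an error, never "supported".
func eolStatus(raw, cycle string, asOf time.Time) (bool, string, error) {
	var cycles []Cycle
	if err := json.Unmarshal([]byte(raw), &cycles); err != nil {
		return false, "", err
	}
	for _, c := range cycles {
		if c.Cycle != cycle {
			continue
		}
		var flag bool
		if json.Unmarshal(c.EOL, &flag) == nil {
			return flag, "", nil // boolean form: true = EOL, false = still supported
		}
		var date string
		if err := json.Unmarshal(c.EOL, &date); err != nil {
			return false, "", fmt.Errorf("cycle %s: unexpected eol value %s", cycle, c.EOL)
		}
		d, err := time.Parse("2006-01-02", date)
		if err != nil {
			return false, "", err
		}
		return !asOf.Before(d), date, nil // EOL once the date is reached
	}
	return false, "", fmt.Errorf("cycle %s not found in EOL data", cycle)
}
```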
Hi @willmurphyscode,
Hi @TimBrown1611 thanks for those links. If endoflife-date/endoflife.date#2080 is merged and does include identifiers for packages, we might be able to build something here.
What would you like to be added:
I think grype can also cover EOL packages.
Information is available here - https://endoflife.date/
This website has an API from which we can get the information, both for packages and OS distributions.
Why is this needed:
Grype covers CVEs; I think another scope which can be covered is EOL. Today xeol, which is an open-source project based on grype, is not maintained.
Additional context: