lumjjb
commented
2 months ago We took a look at the API of endoflife.date, and it looks like this would be a good first issue to run a certifier.
- Run about every ~14 days
- Will look up all products in https://endoflife.date/api/all.json (via https://endoflife.date/docs/api)
- For each product, query Package where name in the list, map them to https://endoflife.date /api/{product}.json and map versions accordingly
- Create HasMetadata entries for each of them
Two pieces of has metadata info
- Is EOL? - is this EOL today?
- EOL date - if exists
Note that some don't have EOL dates, but just says "EOL": true or false. Consumption for these would likely will be HasMetadata of something being supported. Consumption may also be an alerting flow of change in metadata (be via some policy engine).
Open Questions:
- How do some of these non-open source products appear in other tools. For example, windows. Do we need to match them towards CPEs?
robert-cronin
pxp928
Is your feature request related to a problem? Please describe. endoflife.date tracks information about when versions reach the end of supported life. This is useful information to include in the understanding of the supply chain. Knowing which dependencies are (or soon will be) unsupported can be an important part of proactively reducing risk.
Describe the solution you'd like Use the endoflife.date API to fetch EOL dates for nodes in the dependency graph.
Describe alternatives you've considered As far as I can tell, deps.dev does not offer this information.
Additional context The API is currently in alpha, so it may be too early to adopt in GUAC.