Closed bisbell-ngc closed 5 months ago
hey @bisbell-ngc thanks for opening this issue!
This is because endoflife.date didn't have identifiers for mysql yet, I've added them in this PR https://github.com/endoflife-date/endoflife.date/pull/4424
Once the PR is merged then the xeol database should be updated within 24 hours and it will detect mysql.
Thank you. In the future should I submit these requests directly to endoflife-data as issues? I have a feeling we're going to run across a lot of these in container images; I don't see many entries in the database for generic or binary purls.
You can submit them here, since it could actually be the case that it's not just endoflife.date that was the problem.
In this case there were actually two problems
Im working on the second one right now.
mysql is now detected in v0.9.11
$ xeol mysql:5.5.42
✔ EOL DB [no update available]
✔ Scanned for EOL [2 eol matches]
NAME VERSION EOL DAYS EOL TYPE
Debian GNU/Linux 7 2016-04-25 2815 os
mysql 5.5.42 2018-12-31 1835 binary
Thanks again for opening all these issues @bisbell-ngc and making the tool better for everyone 🙏
What happened: Not reporting on EOL'ed software in container images.
What you expected to happen: EOL'ed software in container images will be reported.
How to reproduce it (as minimally and precisely as possible):
1: Pull container image with EOL'ed software, and save as tar ball
2: Generate SBOM using syft-json output.
3: Run xeol on SBOM. Expectation is that it would include MySQL 5.5 as an EOL'ed product.
Anything else we need to know?:
Increasing verbosity shows that it is finding MySQL, but the package type is binary.
Other test I have run.
Other container images I have tested. All software versions are listed as EOL'ed on endoflife.date / xeol.db.
MySQL 5.5 EOL on 2018-12-31
nginx 1.23 EOL on 2023-05-23
Environment: All versions of tools are based on container tags.