What would you like to be added:
Maven packages seem to completely miss deprecation and end-of-life status. An example here is log4j 1.x, which shows no deprecated versions: https://www.xeol.io/explorer/package/Maven/log4j%3Alog4j. From random checks, it seems Maven packages do not have this correctly recorded, but I also could not find a way to reliably get this from mvnrepository. However, it is correctly recorded on endoflife.date, but that API does not have pURL support currently.
So I assume based on this I would start a brainstorm thread here on how to solve it, I would even contribute code if someone has an idea.
Why is this needed:
Almost missed log4j-1.2.17.jar. Xeol does not report it, trivy says "affected" status and grype says "not-fixed", which are often filtered/ignored in production where scaling is needed.
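One possible shape for the pURL-to-endoflife.date bridge raised in this issue, as an added example that is not code from Xeol, endoflife.date, or the issue author. The mapping table, the function names, and the sample cycle records are all assumptions; the records are constructed in the assumed shape of endoflife.date's per-product cycle list and are not real API output.

```python
from datetime import date
from urllib.parse import unquote

# Hypothetical hand-maintained map: (pURL type, namespace, name) -> product slug.
PURL_TO_PRODUCT = {
    ("maven", "log4j", "log4j"): "log4j",
    ("maven", "org.apache.logging.log4j", "log4j-core"): "log4j",
}
# Constructed sample, assumed shape: one record per release cycle, where "eol"
# is either an ISO date string or a boolean. Dates are illustrative only.
SAMPLE_CYCLES = {"log4j": [
    {"cycle": "2", "eol": False},
    {"cycle": "2.12", "eol": "2021-12-14"},
    {"cycle": "1", "eol": "2015-08-05"},
]}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a pURL: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = [unquote(p) for p in path.strip("/").split("/")]
    if len(parts) < 2:
        raise ValueError("pURL needs a type and a name: %r" % purl)
    return parts[0].lower(), "/".join(parts[1:-1]), parts[-1], unquote(version)

def match_cycle(version, cycles):
    """Return the cycle whose label is the longest dotted prefix of version."""
    vparts, best, best_len = version.split("."), None, 0
    for cycle in cycles:
        cparts = cycle["cycle"].split(".")
        if vparts[:len(cparts)] == cparts and len(cparts) > best_len:
            best, best_len = cycle, len(cparts)
    return best

def eol_status(purl, today, cycles_by_product=SAMPLE_CYCLES):
    """Return 'eol', 'supported', or 'unknown' (never treat unknown as supported)."""
    ptype, namespace, name, version = parse_purl(purl)
    product = PURL_TO_PRODUCT.get((ptype, namespace, name))
    if product is None or not version:
        return "unknown"
    cycle = match_cycle(version, cycles_by_product.get(product, []))
    if cycle is None:
        return "unknown"
    eol = cycle["eol"]
    if isinstance(eol, bool):
        return "eol" if eol else "supported"
    return "eol" if date.fromisoformat(eol) <= today else "supported"
```

Keeping "unknown" distinct from "supported" matters for the case in this issue: a package with no mapping should surface as unassessed rather than silently pass a filter.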