xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
https://www.xeol.io/
Apache License 2.0

Suppress Findings #390

Open stealthrabbi opened 1 month ago

stealthrabbi commented 1 month ago

Is it possible to suppress an EOL finding? For example, xeol is indicating that the EOL for spring-boot is coming. There's no newer version to upgrade to, so I want to suppress this. Is that possible? I do not see any documentation on what the configuration file can take.

NAME         VERSION  EOL         DAYS EOL  TYPE
spring-boot  3.1.5    2024-05-18  100       java-archive
1 error occurred:
        * discovered EOL packages

noqcks commented 1 month ago

This is a good idea. Since we don't have a CVE or other stable ID like a vulnerability scanner, we could hijack our fingerprinting logic to use in suppressing findings.

https://github.com/xeol-io/xeol/blob/main/xeol/match/fingerprint.go
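
One way a fingerprint-based suppression like the one proposed above could work, as an added example that is not xeol's code and does not use xeol's types: a finding is reduced to a short hash over its normalised identifying fields (name, version, package type, and the EOL date itself), and an ignore list matches either by that hash or by name plus version. Including the EOL date is a deliberate choice: if the upstream date moves, the fingerprint changes and a stale suppression stops applying. The `Finding`, `IgnoreRule` and `Filter` names, the 16-hex-digit truncation, and the sample findings are all assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Finding is a hypothetical representation of one EOL finding. The field
// names are assumptions for this example, not xeol's own types.
type Finding struct {
	Name    string // package name as reported, e.g. "spring-boot"
	Version string // installed version
	Type    string // package type, e.g. "java-archive"
	EOL     string // EOL date, ISO-8601
}

// Fingerprint derives a short, stable identifier from the fields that
// identify a finding. Name and type are normalised so cosmetic differences
// in how they are reported do not change the ID. The EOL date is included
// on purpose: when it moves, the fingerprint changes and an old suppression
// no longer matches.
func Fingerprint(f Finding) string {
	parts := []string{
		strings.ToLower(strings.TrimSpace(f.Name)),
		strings.TrimSpace(f.Version),
		strings.ToLower(strings.TrimSpace(f.Type)),
		strings.TrimSpace(f.EOL),
	}
	// NUL cannot occur in these fields, so the join is unambiguous.
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])[:16] // truncation length is an assumption
}

// IgnoreRule is one entry of a hypothetical ignore list. A rule matches by
// exact fingerprint, or by name and version; Reason is mandatory so every
// suppression is auditable.
type IgnoreRule struct {
	Fingerprint string
	Name        string
	Version     string
	Reason      string
}

// Matches reports whether the rule applies to the finding.
func (r IgnoreRule) Matches(f Finding) bool {
	if r.Fingerprint != "" {
		return r.Fingerprint == Fingerprint(f)
	}
	return r.Name != "" && r.Version != "" &&
		strings.EqualFold(strings.TrimSpace(r.Name), strings.TrimSpace(f.Name)) &&
		r.Version == f.Version
}

// Suppressed pairs a hidden finding with the reason recorded for hiding it.
type Suppressed struct {
	Finding Finding
	Reason  string
}

// Filter splits findings into those still reported and those suppressed.
// A rule with an empty Reason is ignored rather than silently honoured.
func Filter(findings []Finding, rules []IgnoreRule) ([]Finding, []Suppressed) {
	var kept []Finding
	var hidden []Suppressed
	for _, f := range findings {
		matched := false
		for _, r := range rules {
			if r.Reason == "" || !r.Matches(f) {
				continue
			}
			hidden = append(hidden, Suppressed{Finding: f, Reason: r.Reason})
			matched = true
			break
		}
		if !matched {
			kept = append(kept, f)
		}
	}
	return kept, hidden
}

func main() {
	// Constructed sample findings: the first mirrors the report in the
	// issue, the second is invented for the example.
	findings := []Finding{
		{Name: "spring-boot", Version: "3.1.5", Type: "java-archive", EOL: "2024-05-18"},
		{Name: "examplelib", Version: "1.0.0", Type: "npm", EOL: "2023-01-01"},
	}
	rules := []IgnoreRule{
		{Fingerprint: Fingerprint(findings[0]), Reason: "no newer spring-boot release to upgrade to"},
	}
	kept, hidden := Filter(findings, rules)
	for _, s := range hidden {
		fmt.Printf("suppressed %s %s [%s]: %s\n", s.Finding.Name, s.Finding.Version, Fingerprint(s.Finding), s.Reason)
	}
	for _, f := range kept {
		fmt.Printf("%-12s %-8s %s  %s\n", f.Name, f.Version, f.EOL, f.Type)
	}
}
```

In a config file the rule would be the fingerprint printed by the scanner plus a reason; pinning version (or using the fingerprint) rather than matching on name alone keeps a suppression from hiding a later, different EOL for the same package.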

stealthrabbi commented 1 month ago

Thanks. Just to be clear, this is a capability not possible in xeol currently?

noqcks commented 3 weeks ago

Nope, not currently possible