
[feature] Add support for endoflife.date

Open funnelfiasco opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.
endoflife.date tracks information about when versions reach the end of supported life. This is useful information to include in the understanding of the supply chain. Knowing which dependencies are (or soon will be) unsupported can be an important part of proactively reducing risk.

Describe the solution you'd like
Use the endoflife.date API to fetch EOL dates for nodes in the dependency graph.

Describe alternatives you've considered
As far as I can tell, deps.dev does not offer this information.

Additional context
The API is currently in alpha, so it may be too early to adopt in GUAC.

funnelfiasco avatar Jul 18 '24 20:07 funnelfiasco

We took a look at the API of endoflife.date, and it looks like this would be a good first issue to run as a certifier.

  • Run about every ~14 days
  • Will look up all products in https://endoflife.date/api/all.json (via https://endoflife.date/docs/api)
  • For each product, query Package where name is in the list, map them to https://endoflife.date/api/{product}.json and map versions accordingly
  • Create HasMetadata entries for each of them

Two pieces of HasMetadata info:

  • Is EOL? - is this EOL today?
  • EOL date - if it exists

Note that some don't have EOL dates, but just say "EOL": true or false. Consumption for these would likely be HasMetadata of something being supported. Consumption may also be an alerting flow on a change in metadata (e.g. via some policy engine).

Open Questions:

  • How do some of these non-open-source products appear in other tools? For example, Windows. Do we need to match them towards CPEs?

lumjjb avatar Aug 19 '24 15:08 lumjjb
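The mapping sketched in the comment above (look up a product's cycles, find the cycle a package version belongs to, derive "is EOL today" plus an EOL date when one exists) is small enough to show end to end. The following is an added example, not GUAC's code or the certifier anyone proposed; it assumes the per-product JSON carries a `cycle` string and an `eol` field that is either a boolean or an ISO date, as the comment describes, and the two JSON documents are constructed stand-ins rather than real API responses. The one edge case it handles deliberately is the bool-or-date shape of `eol`, which a plain struct field would reject:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-in for https://endoflife.date/api/python.json (the real
// response carries more fields; only "cycle" and "eol" matter here).
const samplePythonJSON = `[
  {"cycle": "3.12", "eol": "2028-10-31"},
  {"cycle": "3.11", "eol": "2027-10-31"},
  {"cycle": "3.7",  "eol": "2023-06-27"}
]`

// Constructed product whose cycles carry only a boolean "eol", as some products do.
const sampleBoolOnlyJSON = `[{"cycle": "2", "eol": false}, {"cycle": "1", "eol": true}]`

// EOLValue holds the "eol" field, which is either a bool or an ISO date string.
type EOLValue struct {
	IsBool bool
	Bool   bool
	Date   time.Time
}

// UnmarshalJSON accepts "2028-10-31", true or false; anything else is an error.
func (e *EOLValue) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil {
		t, err := time.Parse("2006-01-02", s)
		if err != nil {
			return fmt.Errorf("eol: bad date %q: %w", s, err)
		}
		e.Date = t
		return nil
	}
	var v bool
	if err := json.Unmarshal(b, &v); err != nil {
		return fmt.Errorf("eol: expected bool or date string, got %s", b)
	}
	e.IsBool, e.Bool = true, v
	return nil
}

// Cycle is one release line of a product from /api/{product}.json.
type Cycle struct {
	Cycle string   `json:"cycle"`
	EOL   EOLValue `json:"eol"`
}

// Metadata is the pair of values the certifier would attach as HasMetadata.
type Metadata struct {
	IsEOL   bool   // EOL as of "today"
	EOLDate string // ISO date when the API provides one, otherwise empty
}

// Classify derives the two HasMetadata values for a cycle at a given date.
func Classify(c Cycle, today time.Time) Metadata {
	if c.EOL.IsBool {
		return Metadata{IsEOL: c.EOL.Bool}
	}
	return Metadata{IsEOL: !today.Before(c.EOL.Date), EOLDate: c.EOL.Date.Format("2006-01-02")}
}

// matchesCycle: "3.11" matches "3.11" and "3.11.4", but not "3.1" or "3.110".
func matchesCycle(cycle, version string) bool {
	return version == cycle || strings.HasPrefix(version, cycle+".")
}

// CycleFor picks the most specific cycle a package version belongs to.
func CycleFor(cycles []Cycle, version string) (Cycle, bool) {
	var best Cycle
	found := false
	for _, c := range cycles {
		if matchesCycle(c.Cycle, version) && (!found || len(c.Cycle) > len(best.Cycle)) {
			best, found = c, true
		}
	}
	return best, found
}

// LookupEOL parses a product's cycle list and classifies one version.
// The bool is false when no cycle covers the version (the API may lag behind).
func LookupEOL(productJSON, version string, today time.Time) (Metadata, bool, error) {
	var cycles []Cycle
	if err := json.Unmarshal([]byte(productJSON), &cycles); err != nil {
		return Metadata{}, false, err
	}
	c, ok := CycleFor(cycles, version)
	if !ok {
		return Metadata{}, false, nil
	}
	return Classify(c, today), true, nil
}

func main() {
	today := time.Date(2024, 8, 19, 0, 0, 0, 0, time.UTC) // pinned so the output is reproducible
	for _, v := range []string{"3.12.1", "3.7.17", "2.7.18"} {
		m, ok, err := LookupEOL(samplePythonJSON, v, today)
		fmt.Printf("python %s: covered=%v %+v err=%v\n", v, ok, m, err)
	}
}
```

In a real certifier the product list from all.json would drive the Package queries and `today` would be the run time; pinning it here just keeps the classification deterministic. The "not covered" result matters for consumption: an absent cycle is different from "supported", so a policy engine should not treat it as either.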

I'd love to give this one a go if no one else has started already.

My first impression is that this would involve something similar to pkg/certifier/clearlydefined/clearlydefined.go, however I am not too sure how the HasMetadata entries mentioned above get added.

Any pointers or guidance on which parts of GUAC might be good reference would be much appreciated!

robert-cronin avatar Oct 18 '24 06:10 robert-cronin

> I'd love to give this one a go if no one else has started already.
>
> My first impression is that this would involve something similar to pkg/certifier/clearlydefined/clearlydefined.go, however I am not too sure how the HasMetadata entries mentioned above get added.
>
> Any pointers or guidance on which parts of GUAC might be good reference would be much appreciated!

Yes that is correct, using the clearlydefined certifier is a good example and will function similarly.

As for the HasMetadata, you can find an example of that usage here in the SPDX Parser (used to store CPEs):

https://github.com/guacsec/guac/blob/1a04f1399485a1ada505496ec9445d3b1ef4bc47/pkg/ingestor/parser/spdx/parse_spdx.go#L405-L424

Let us know if you have more questions!

pxp928 avatar Oct 18 '24 11:10 pxp928