
Better Maven package support

Open kosztyua opened this issue 1 year ago • 6 comments

What would you like to be added: Maven packages seem to completely miss deprecation and end-of-life status. An example here is log4j 1.x, which shows no deprecated versions: https://www.xeol.io/explorer/package/Maven/log4j%3Alog4j. Randomly checking, it seems Maven packages do not have this correctly recorded, but I also could not find a way to reliably get this from mvnrepository. However, it is correctly recorded on endoflife.date, but that API does not have pURL support currently.

So I assume based on this I would start a brainstorm thread here on how to solve it, I would even contribute code if someone has an idea.

Why is this needed: Almost missed log4j-1.2.17.jar. Xeol does not report it, trivy says "affected" status and grype says "not-fixed" which are often filtered/ignored in productions where scaling is needed

kosztyua avatar Jun 27 '24 13:06 kosztyua

Bump? Any idea? I am happy to contribute code if someone has an idea

kosztyua avatar Jul 10 '24 14:07 kosztyua

So while digging the xeol code I found the UsePURLs: true controlled by the "using-purls" config value. But even setting this false did not bring different results.

kosztyua avatar Jul 18 '24 19:07 kosztyua

For some reason I didn't see this or get notified about this issue.

The reason is the underlying data. Right now we don't collect EOL information for Maven packages. To support this we would need to add this to the data.

I have all the scraping logic for maven central, I just need to add it to our data collection lambdas that run.

noqcks avatar Aug 12 '24 14:08 noqcks

Thank you for the update and no worries 🙏 Will keep an eye out for any updates, we started utilizing your great tool in all our pipelines.

kosztyua avatar Aug 12 '24 19:08 kosztyua

Hi,

Is there any timeline for that? Thanks

eyups avatar Oct 21 '24 15:10 eyups

Hi,

Any update on this?

I just checked and endoflife.date has purl support now, and for example log4j has the Maven purl reference added: https://github.com/endoflife-date/endoflife.date/blob/master/products/log4j.md?plain=1#L19. Now scanning an SBOM which has this record should be detected by XEOL, even without any further feature added. I am trying to understand why that is not the case.

```json
{
  "bom-ref": "pkg:maven/log4j/log4j@1.2.15",
  "group": "log4j",
  "hashes": [
    { "alg": "SHA-1", "content": "f0a0d2e29ed910808c33135a3a5a51bba6358f7b" }
  ],
  "name": "log4j",
  "properties": [
    { "name": "aquasecurity:trivy:FilePath", "value": "opt/zookeeper/contrib/rest/lib/log4j-1.2.15.jar" },
    { "name": "aquasecurity:trivy:PkgType", "value": "jar" }
  ],
  "purl": "pkg:maven/log4j/log4j@1.2.15",
  "type": "library",
  "version": "1.2.15"
}
```

kosztyua avatar Mar 21 '25 17:03 kosztyua
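The check the thread is asking for, purl in the SBOM matched against endoflife.date-style product data, as an added example that is not xeol's code and not from this issue. It parses each CycloneDX component purl, strips the version to build a lookup key, picks the endoflife.date cycle whose dotted prefix matches the version, and compares the cycle's `eol` date with a reference date. The SBOM fragment and the EOL table (including the log4j 1.x date) are constructed for illustration and the cycle-prefix rule is an assumption about how cycles map to versions, so verify both against the live data before relying on the result.

```python
import re
from datetime import date

# Constructed CycloneDX-style SBOM fragment (not real scanner output), modelled on the
# component posted in the thread above.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.15",
         "purl": "pkg:maven/log4j/log4j@1.2.15"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.23.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.23.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
}

# Constructed EOL table in the shape of endoflife.date product data: one entry per
# version-less purl, each cycle carrying an ISO `eol` date, or False while supported.
# Entries and dates are assumptions for this example, not fetched from the API.
EOL_TABLE = {
    "pkg:maven/log4j/log4j": [
        {"cycle": "1", "eol": "2015-08-05"},
    ],
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"cycle": "2", "eol": False},
    ],
}

PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?P<rest>[^?#]+)(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl):
    """Split a package-url into type, namespace, name and version; qualifiers and
    subpath are dropped. For Maven purls the namespace is the groupId and the name
    is the artifactId."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    rest = m.group("rest")
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    parts = rest.split("/")
    namespace = "/".join(parts[:-1]) or None
    return {"type": m.group("type"), "namespace": namespace, "name": parts[-1], "version": version}


def purl_key(parsed):
    """Version-less purl used as the table key, e.g. pkg:maven/log4j/log4j."""
    ns = f"{parsed['namespace']}/" if parsed["namespace"] else ""
    return f"pkg:{parsed['type']}/{ns}{parsed['name']}"


def find_cycle(version, cycles):
    """Assumed mapping: the cycle whose dotted prefix matches the version, longest
    prefix winning ('1.2.15' matches cycle '1'; '1.2' would beat '1' if both existed)."""
    segs = version.split(".")
    best = None
    for c in cycles:
        cseg = c["cycle"].split(".")
        if segs[:len(cseg)] == cseg and (best is None or len(cseg) > len(best["cycle"].split("."))):
            best = c
    return best


def eol_status(purl, table, today=None):
    """Return 'eol', 'supported' or 'unknown' for one purl. `today` is a date or an
    ISO string; endoflife.date uses True/False or a date for the eol field."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    parsed = parse_purl(purl)
    cycles = table.get(purl_key(parsed))
    if not cycles or not parsed["version"]:
        return "unknown"
    cycle = find_cycle(parsed["version"], cycles)
    if cycle is None:
        return "unknown"
    eol = cycle["eol"]
    if isinstance(eol, bool):
        return "eol" if eol else "supported"
    return "eol" if date.fromisoformat(eol) <= today else "supported"


def check_sbom(sbom, table, today=None):
    """Map every component purl in a CycloneDX SBOM to its EOL status."""
    return {c["purl"]: eol_status(c["purl"], table, today)
            for c in sbom.get("components", []) if "purl" in c}


if __name__ == "__main__":
    for purl, status in check_sbom(SBOM, EOL_TABLE).items():
        print(f"{status:10} {purl}")
```

With this table the log4j 1.2.15 component comes back as `eol` while the log4j-core 2.x one is `supported` and the npm component is `unknown`; an `unknown` result is the case worth surfacing rather than silently passing, since it is exactly the gap the thread describes for Maven data.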