Thanks for your suggestion. It is not supported at the moment. We need data sources to indicate which software is at the end of support.
Some sustainability support (like EOL software) will be added to the CycloneDX spec, as soon as the 1.7 version of the specification (see #400). As @brennerm said, https://endoflife.date/ is a great source of information. Still, I don't find any json/csv file that can be downloaded to have all the software.
Hi there, thank you for your work on Trivy! Please review my feature request and let me know if this is already supported (I already searched but I might have missed something).

Scenario

When I scan a container image with Trivy, I would like to know whether a software package on the container is considered EOL so that I don't need to cross-correlate Trivy data against another source. This way I can know if a software package is dead and I should find an alternative.

Cases

I imagine a couple of cases:

[✅] A. Software version 1.0.0 is EOL and all users should upgrade to the new major version 2.0.0.
[❓] B. Software version 1.0.0 is EOL and will never be updated ever again.

Case A is already handled by the `fixed_version` field that Trivy returns -> For example, log4j 1.x is EOL, and in one of my test image scans I see that Trivy suggests that log4j 1.2.6 should be updated to 2.13.2.

Proposal

For Case B, it would be nice to expose a new `is_eol`/`is_no_longer_maintained` field or similar on each software package (assuming that the data is available).

Is case B already supported? I imagine that it is a sub-class of `--ignore-unfixed`; if a vuln is not fixable then I don't need Trivy to tell me about it, but I see detecting dead software as a special case that needs extra handling.

Other asks

I would like this new `is_no_longer_maintained` field to be shown when the `--list-all-pkgs` flag is specified too.

Other notes

I see that https://github.com/aquasecurity/trivy/releases/tag/v0.38.0 added an `--exit-on-eol` feature that crashes with an error when Trivy scans an image with an EOL OS. This is helpful for OS, so I am hoping that having some taxonomy on software package data is possible 🤞

Thank you again!
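The cross-correlation this request asks Trivy to absorb, as an added example that is not part of this thread or of Trivy itself: a script that joins a Trivy JSON report (as produced with --list-all-pkgs) against an endoflife.date-style release-cycle table and flags Case B packages. The report and the EOL table are constructed samples; the key names follow Trivy's JSON output (Results[].Packages[].Name/Version) and endoflife.date's per-product record (cycle, eol) as I understand them, which is an assumption.

```python
import json
from datetime import date

# Constructed sample in the layout of a Trivy JSON report run with --list-all-pkgs.
TRIVY_REPORT = json.loads("""
{"Results": [{"Target": "app/pom.xml", "Type": "pom", "Packages": [
  {"Name": "log4j:log4j", "Version": "1.2.6"},
  {"Name": "org.apache.logging.log4j:log4j-core", "Version": "2.17.1"}]}]}
""")

# Constructed EOL table keyed by package name, one entry per release cycle in the
# shape of an endoflife.date product record: "eol" is an ISO date, or False while
# the cycle is still supported.
EOL_DATA = {
    "log4j:log4j": [{"cycle": "1", "eol": "2015-08-05"}],
    "org.apache.logging.log4j:log4j-core": [{"cycle": "2", "eol": False}],
}


def cycle_of(version, cycles):
    """Match a version to its release cycle; the longest matching cycle prefix wins
    (so "1.2.6" maps to cycle "1.2" when both "1" and "1.2" are listed)."""
    best = None
    for c in cycles:
        if (version + ".").startswith(c["cycle"] + "."):
            if best is None or len(c["cycle"]) > len(best["cycle"]):
                best = c
    return best


def is_eol(entry, today):
    """Booleans are taken literally; date strings are compared against `today`."""
    eol = entry["eol"]
    if isinstance(eol, bool):
        return eol
    return date.fromisoformat(eol) <= today


def eol_packages(report, eol_data, today_iso):
    """Return [(name, version, eol)] for every package in an EOL cycle.
    Packages without a data-source entry are skipped: no data means no claim."""
    today = date.fromisoformat(today_iso)
    hits = []
    for result in report.get("Results", []):
        for pkg in result.get("Packages", []):
            entry = cycle_of(pkg["Version"], eol_data.get(pkg["Name"], []))
            if entry and is_eol(entry, today):
                hits.append((pkg["Name"], pkg["Version"], entry["eol"]))
    return hits


if __name__ == "__main__":
    for name, ver, eol in eol_packages(TRIVY_REPORT, EOL_DATA, "2023-06-01"):
        print(f"EOL: {name} {ver} (cycle ended {eol})")
```

Feed it a real report with `trivy image --format json --list-all-pkgs` and a fetched endoflife.date product record in place of the constructed samples; the cycle matching is naive on purpose and only decides when the data source covers the package.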