Not finding EOL'ed version of prometheus
tuxdevnow opened this issue · 3 comments
What happened:
xeol did not find EOL software in prometheus image version 2.51.2 which is EOL according to https://endoflife.date/prometheus
What you expected to happen:
xeol should have reported EOL software
How to reproduce it (as minimally and precisely as possible):
xeol prom/prometheus:v2.51.2 --scope all-layers
Anything else we need to know?:
DB used was https://data.xeol.io/xeol/databases/xeol-db_v1_2024-08-01T03:51:15.983978Z.tar.gz as reported by xeol in verbose mode
Thanks for the support =)
Environment:
- Output of `xeol version`:
$ xeol version
Application: xeol
Version: 0.9.15
BuildDate: 2024-04-27T01:18:39Z
GitCommit: d60c12a
GitDescription: v0.9.15
Platform: linux/amd64
GoVersion: go1.21.9
Compiler: gc
Syft Version: v0.92.0
Supported DB Schema: 1
- OS (e.g: `cat /etc/os-release` or similar):
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
This is unfortunately an issue with syft for the image you mentioned.
If you run `syft prom/prometheus:v2.51.2 -o json > prom.json`
there is no component found which has a purl resembling prometheus that we can use to match. I think this is likely because Prometheus is installed in this container via a binary and syft does not have a binary matcher for prometheus yet.
Seeing the same issue, but running syft I'm seeing prometheus purl go packages listed, see below?
```
syft prom/prometheus:v2.51.2 -o json | jq | grep purl | grep prom
✔ Loaded image prom/prometheus:v2.51.2
✔ Parsed image sha256:051cb67876a609e838c4be62bf88348ba896b8411d17b3221743a1d31466a114
✔ Cataloged contents 77c3669c321ad39ae016fc3174ab5ed5b181e71de94417d5f56805abf71f9f73
├── ✔ Packages [337 packages]
└── ✔ Executables [4 executables]
"purl": "pkg:golang/github.com/prometheus/alertmanager@v0.27.0",
"purl": "pkg:golang/github.com/prometheus/alertmanager@v0.27.0",
"purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0",
"purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0",
"purl": "pkg:golang/github.com/prometheus/client_model@v0.6.0",
"purl": "pkg:golang/github.com/prometheus/client_model@v0.6.0",
"purl": "pkg:golang/github.com/prometheus/common@v0.49.1-0.20240306132007-4199f18c3e92",
"purl": "pkg:golang/github.com/prometheus/common@v0.49.1-0.20240306132007-4199f18c3e92",
"purl": "pkg:golang/github.com/prometheus/common@v0.2.0#assets",
"purl": "pkg:golang/github.com/prometheus/common@v0.1.0#sigv4",
"purl": "pkg:golang/github.com/prometheus/common@v0.1.0#sigv4",
"purl": "pkg:golang/github.com/prometheus/exporter-toolkit@v0.11.0",
"purl": "pkg:golang/github.com/prometheus/exporter-toolkit@v0.11.0",
"purl": "pkg:golang/github.com/prometheus/procfs@v0.12.0",
"purl": "pkg:golang/github.com/prometheus/procfs@v0.12.0",
"purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2",
"purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2",
```
Version
```
xeol prom/prometheus:v2.51.2 --scope all-layers
✔ EOL DB [no update available]
✔ Scanned for EOL [0 eol matches]
✅ no EOL software has been found
xeol version
Application: xeol
Version: 0.10.0
BuildDate: 2024-08-12T14:30:28Z
GitCommit: fc266941eba8c5922c37756f727e286be747c0da
GitDescription: v0.10.0
Platform: linux/amd64
GoVersion: go1.22.6
Compiler: gc
Syft Version: v1.10.0
Supported DB Schema: 1
```
Syft
```
syft version
Application: syft
Version: 1.13.0
BuildDate: 2024-09-24T13:28:58Z
GitCommit: 01de99b25304ec95197c00b21d698f127b31a887
GitDescription: v1.13.0
Platform: linux/amd64
GoVersion: go1.22.7
Compiler: gc
```
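The maintainer's comment above explains the matching model behind both reports: xeol can only flag a component when the syft SBOM carries a purl it can look up, so a binary cataloged without a purl silently produces "0 eol matches". The script below is an added illustration, not xeol's or syft's own code, of that purl-driven EOL check run over a constructed, abbreviated syft-style JSON document (it assumes only the top-level `artifacts` list with `name`, `version`, `type` and `purl` fields). The EOL table, its dates, the `SCAN_DATE` and the helper names (`parse_purl`, `release_cycle`, `find_eol`) are all constructed for the example; the only page-derived fact is that the 2.51 cycle is treated as end-of-life.

```python
import json
from datetime import date

# Constructed, abbreviated syft-style SBOM (assumption: real syft JSON has an
# "artifacts" list whose entries carry name, version, type and purl). The last
# entry models the situation in the original report: a cataloged binary with
# no purl, which no purl-based matcher can ever look up.
SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "github.com/prometheus/client_golang", "version": "v1.19.0",
         "type": "go-module",
         "purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0"},
        {"name": "github.com/prometheus/prometheus", "version": "v2.51.2",
         "type": "go-module",
         "purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2"},
        {"name": "prometheus", "version": "", "type": "binary"},
    ]
})

# Constructed EOL table: purl base -> list of (release cycle, EOL date).
# Dates are placeholders chosen for the example, not endoflife.date values.
EOL_TABLE = {
    "pkg:golang/github.com/prometheus/prometheus": [
        ("2.51", date(2024, 5, 1)),   # placeholder: cycle already EOL at SCAN_DATE
        ("2.52", date(2024, 6, 15)),  # placeholder
        ("2.53", date(2030, 1, 1)),   # placeholder: still supported
    ],
}

# Constructed scan date used for the EOL comparison.
SCAN_DATE = date(2024, 8, 1)


def parse_purl(purl):
    """Split a purl into (base without version, version).

    Qualifiers (?...) and subpaths (#...) are dropped from the version;
    an unversioned purl yields (purl, None).
    """
    base, sep, rest = purl.partition("@")
    if not sep:
        return purl, None
    version = rest.split("#", 1)[0].split("?", 1)[0]
    return base, version


def release_cycle(version):
    """Map a Go-style version such as v2.51.2 to a major.minor cycle (2.51)."""
    parts = version.lstrip("v").split(".")
    return ".".join(parts[:2])


def find_eol(sbom_json, eol_table, today):
    """Return (purl, cycle, eol_date) for every artifact whose cycle is past EOL.

    Artifacts without a purl are skipped, which is exactly why a binary that
    syft catalogs without a purl never shows up as an EOL match.
    """
    doc = json.loads(sbom_json)
    hits = []
    for art in doc.get("artifacts", []):
        purl = art.get("purl")
        if not purl:
            continue
        base, version = parse_purl(purl)
        cycles = eol_table.get(base)
        if cycles is None or version is None:
            continue
        cycle = release_cycle(version)
        for known_cycle, eol in cycles:
            if known_cycle == cycle and eol <= today:
                hits.append((purl, cycle, eol))
    return hits


def unmatchable_artifacts(sbom_json):
    """List artifact names that carry no purl and therefore cannot be matched."""
    doc = json.loads(sbom_json)
    return [a.get("name") for a in doc.get("artifacts", []) if not a.get("purl")]


if __name__ == "__main__":
    for purl, cycle, eol in find_eol(SYFT_JSON, EOL_TABLE, SCAN_DATE):
        print(f"EOL: {purl} (cycle {cycle}, end of life {eol})")
    for name in unmatchable_artifacts(SYFT_JSON):
        print(f"no purl, cannot be matched: {name}")
```

Running it against the constructed SBOM reports the `prometheus@v2.51.2` purl as EOL and lists the purl-less `prometheus` binary as unmatchable; the second list is the useful operational check, since a clean "0 eol matches" result means little when the component you care about never got a purl in the first place.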