xeol doesn't find postgres 12, but does find postgres 12-alpine
Opened this issue · 2 comments
What happened:
I scanned two postgres 12 docker images: one (postgres:12-alpine) is shown as eol, the other (postgres:12) is not.
What you expected to happen:
I would expect to see both docker images flagged as eol, since postgres 12 is eol.
How to reproduce it (as minimally and precisely as possible):
```
$ xeol --version
xeol 0.10.1
$ xeol docker:postgres:12-alpine
 ✔ EOL DB                [no update available]
 ✔ Scanned for EOL       [1 eol matches]
NAME        VERSION  EOL         DAYS EOL  TYPE
postgresql  12.22    2024-11-21  14        binary
$ xeol docker:postgres:12
 ✔ EOL DB                [no update available]
 ✔ Scanned for EOL       [0 eol matches]
✅ no EOL software has been found
```
Anything else we need to know?:
Environment:
- Output of `xeol version`: xeol 0.10.1
- OS (e.g: `cat /etc/os-release` or similar): KDE neon 6.2 (based on ubuntu 24.04 noble)
Unfortunately this is one limitation of the scanner.

When I do a scan of the docker image using syft

```
syft postgres:12 -o cyclonedx-json > postgres12.json
```

I can see a purl which we could use to identify postgres 12:

```
"purl": "pkg:deb/debian/postgresql-client-12@12.22-1.pgdg120%2B1?arch=arm64&distro=debian-12&upstream=postgresql-12",
```

but either the way that debian structures file metadata or the way that syft is constructing the purls makes it so that the name is postgresql-client-12, which is very annoying.

The identifiers for postgres we source from endoflife.date here.

We would either need to add purls like this for every version of postgres inside endoflife.date or do custom parsing just for debian postgres installations:

```
pkg:deb/debian/postgresql-client-xx
```
Current Syft merges detected packages and detected binaries by default.
Maybe we need to consider an output option...

```
$ syft -q postgres:12 | grep postgres
postgresql-12             12.22-1.pgdg120+1  deb
postgresql-client-12      12.22-1.pgdg120+1  deb
postgresql-client-common  267.pgdg120+1      deb
postgresql-common         267.pgdg120+1      deb
$ syft postgres:12 -q -o json | jq '.artifacts[] | select(.name == "postgresql-12") | .purl'
"pkg:deb/debian/postgresql-12@12.22-1.pgdg120%2B1?arch=amd64&distro=debian-12"
$ syft -q postgres:12 --override-default-catalogers "binary" | grep postgres
postgresql  12.22  binary
$ syft postgres:12 -q --override-default-catalogers "binary" -o json | jq '.artifacts[] | select(.name == "postgresql") | .purl'
"pkg:generic/postgresql@12.22"
```

And Syft treats deb packages as packages provided by the OS distribution, even if those are from a 3rd party package repository.
I think xeol needs to judge whether this package is from the OS distribution or not.
For example, debian12 does not provide the package postgres-12; debian does not provide packages with a version including pgdg...
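As an added example (not code from xeol, syft or endoflife.date), the script below does the "custom parsing just for debian postgres installations" the first comment mentions: it reads syft's native JSON, maps postgresql-NN / postgresql-client-NN debs onto a generic purl keyed on the PostgreSQL major version, and applies the pgdg-in-version heuristic from the second comment to record that the build is not from Debian's own archive. The sample syft JSON (postgresql entries copied from the purls quoted in this issue, libc6 as filler), the one-row EOL table and the package-name regex are constructed assumptions.

```python
"""Added example (not xeol or syft code): map Debian/PGDG postgresql-NN packages
from syft's native JSON output onto a generic purl keyed on the PostgreSQL major
version, record whether the build came from a third-party (PGDG) repository, and
look the result up in an EOL table."""
import json
import re
from datetime import date

# Constructed excerpt of `syft <image> -o json`, reduced to the fields used here.
# The postgresql-* entries mirror the purls quoted in this issue; libc6 is a filler
# package with a made-up version.
SAMPLE_SYFT_JSON = """{
  "artifacts": [
    {"name": "postgresql-12", "version": "12.22-1.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-12@12.22-1.pgdg120%2B1?arch=amd64&distro=debian-12"},
    {"name": "postgresql-client-12", "version": "12.22-1.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-client-12@12.22-1.pgdg120%2B1?arch=amd64&distro=debian-12&upstream=postgresql-12"},
    {"name": "postgresql-common", "version": "267.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-common@267.pgdg120%2B1?arch=amd64&distro=debian-12"},
    {"name": "libc6", "version": "2.36-9+deb12u9", "type": "deb",
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u9?arch=amd64&distro=debian-12"}
  ]
}"""

# Hypothetical EOL table keyed on the PostgreSQL major version (ISO dates). The one
# entry uses the EOL date xeol printed for the 12-alpine image in this issue.
EOL_TABLE = {"postgresql": {"12": "2024-11-21"}}

# Debian package names that carry the PostgreSQL major version as a suffix.
_PG_PKG = re.compile(r"^postgresql(?:-client)?-(\d+)$")


def is_third_party_deb(deb_version: str) -> bool:
    """Assumed heuristic: a 'pgdg' tag in the Debian revision marks a build from
    the PostgreSQL Global Development Group repo rather than Debian's own archive."""
    return "pgdg" in deb_version


def upstream_version(deb_version: str) -> str:
    """Strip the Debian epoch ('1:') and revision ('-1.pgdg120+1') so that
    '12.22-1.pgdg120+1' becomes '12.22'."""
    without_epoch = deb_version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def normalize_artifact(artifact: dict):
    """Map a postgresql-NN or postgresql-client-NN deb to a generic purl.
    Other packages (postgresql-common, libc6, ...) return None."""
    match = _PG_PKG.match(artifact.get("name", ""))
    if artifact.get("type") != "deb" or match is None:
        return None
    deb_version = artifact["version"]
    return {
        "purl": f"pkg:generic/postgresql@{upstream_version(deb_version)}",
        "major": match.group(1),
        "third_party": is_third_party_deb(deb_version),
        "source_purl": artifact.get("purl"),
    }


def find_eol(syft_json: str, today_iso: str) -> list:
    """Return one EOL finding per generic purl derived from a syft JSON document,
    so that server and client sub-packages collapse into a single row."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for artifact in json.loads(syft_json).get("artifacts", []):
        norm = normalize_artifact(artifact)
        if norm is None:
            continue
        eol_iso = EOL_TABLE["postgresql"].get(norm["major"])
        if eol_iso is None:
            continue
        eol = date.fromisoformat(eol_iso)
        if eol > today:
            continue
        findings.setdefault(norm["purl"], {
            "purl": norm["purl"],
            "eol": eol_iso,
            "days_eol": (today - eol).days,
            "third_party": norm["third_party"],
        })
    return list(findings.values())


if __name__ == "__main__":
    # Run against the constructed sample as of 2024-12-05 (14 days after the EOL date).
    for finding in find_eol(SAMPLE_SYFT_JSON, "2024-12-05"):
        print(finding)
```

Run as `python3 script.py`, or feed it real output via `syft postgres:12 -q -o json` and `json.load`. The de-duplication on the generic purl is what turns the two Debian sub-packages into the single `postgresql 12.22` row the binary cataloger already produces for the alpine image; keying the table on the major version rather than on the full Debian version string is what makes the endoflife.date-style lookup possible at all.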