xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs

Home Page: https://www.xeol.io/


[bug] Not picking up EOL in nginx:1.21-alpine

noqcks opened this issue · comments

What happened:

xeol nginx:1.21-alpine
 ✔ EOL DB                  [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [43 packages]
 ✔ Scanned image           [0 eol]

✅ no EOL software has been found

What you expected to happen:

I expect to see nginx 1.21 reported as EOL, since it is. It shows up as a package when doing syft output on the image. I believe the reason is inadequate matching in xeol. 1.21.6 is stored in the xeol database, but the version string contains an -r1 and does not match because of this.

nginx                      1.21.6-r1         apk
nginx-module-geoip         1.21.6-r1         apk
nginx-module-image-filter  1.21.6-r1         apk
nginx-module-njs           1.21.6.0.7.3-r1   apk
nginx-module-xslt          1.21.6-r1         apk

How to reproduce it (as minimally and precisely as possible):

xeol nginx:1.21-alpine

Anything else we need to know?:

No

Environment:

  • Output of xeol version:
Application:          xeol
Version:              0.2.7
Syft Version:         v0.77.0
GitCommit:            1059a82f974122bce8498dec2adc5eefdca65100
Platform:             darwin/arm64
GoVersion:            go1.18.10
Compiler:             gc

This turned out to be an issue with the lack of a purl in endoflife.date:

endoflife-date/endoflife.date#2940
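The two candidate causes discussed in this issue, an Alpine revision suffix such as -r1 defeating version matching and a product with no purl in the EOL data, can be told apart in a scanner's match logic by returning a reason alongside the verdict. The following is an added illustration in Go and is not xeol's own code; the purl keys, the EOL table and its date are constructed for the example.

```go
package main

import (
	"strings"
	"time"
)

// Cycle is one release line from an EOL data source.
type Cycle struct {
	Cycle string    // release line, e.g. "1.21"
	EOL   time.Time // date after which the line is unsupported
}
// Constructed sample keyed by version-less package URL (purl); the date is
// illustrative, not the published one. A package whose purl has no entry here
// can never be flagged, however its version is spelled: the failure mode above.
var eolByPurl = map[string][]Cycle{
	"pkg:apk/alpine/nginx": {{Cycle: "1.21", EOL: time.Date(2022, 5, 24, 0, 0, 0, 0, time.UTC)}},
}

// upstreamVersion strips the Alpine package revision suffix ("-r1"), so that
// "1.21.6-r1" compares as the upstream release "1.21.6".
func upstreamVersion(v string) string {
	i := strings.LastIndex(v, "-r")
	if i >= 0 && i+2 < len(v) && strings.Trim(v[i+2:], "0123456789") == "" {
		return v[:i]
	}
	return v
}

// inCycle reports whether an upstream version belongs to a release line:
// "1.21.6" is in "1.21", but "1.2.1" is not.
func inCycle(upstream, cycle string) bool {
	return upstream == cycle || strings.HasPrefix(upstream, cycle+".")
}
// isEOL reports whether the package is past end-of-life at time now, with a
// reason so a "0 eol" result can be traced to missing data, not a version mismatch.
func isEOL(purl, version string, now time.Time) (bool, string) {
	cycles, ok := eolByPurl[purl]
	if !ok {
		return false, "no EOL data for " + purl
	}
	up := upstreamVersion(version)
	for _, c := range cycles {
		if inCycle(up, c.Cycle) {
			return now.After(c.EOL), "cycle " + c.Cycle + " ends " + c.EOL.Format("2006-01-02")
		}
	}
	return false, "no listed cycle matches " + up
}
```

Run against the package list in the report, nginx itself is flagged once its suffix is stripped, while the nginx-module-* packages come back with a "no EOL data" reason rather than silently matching nothing.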