xeol: scanner for end-of-life software in container images, filesystems, and SBOMs

end-of-life software

xeol

A scanner for end-of-life (EOL) packages in container images, filesystems, and SBOMs

What is EOL software?

End of Life (EOL) means the vendor has decided the software in question has reached the end of its “useful lifespan.” After this date, the manufacturer no longer markets, sells, provides technical support for, sustains, enhances, or fixes the product. Note that xeol treats End of Life (EOL) and End of Support (EOS) as the same thing, even though vendors may use these terms differently. EOL software is a security risk because it is no longer maintained and no longer receives security updates.

The data that xeol uses to determine whether a package is EOL is sourced from endoflife.date. While endoflife.date also includes extended support dates, xeol does not currently use them; it matches only on the vendors' standard EOL dates.

xeol’s database

When xeol performs a scan for EOL packages, it does so using a database that’s stored on your local filesystem, which is constructed by pulling data from endoflife.date.

By default, xeol manages this database for you automatically. xeol checks for updates to the database so that every scan uses up-to-date EOL information. This behavior is configurable. For more information, see the Managing xeol’s database section.

How database updates work

xeol’s EOL database is a SQLite file named xeol.db. Updates to the database are atomic: the entire database file is replaced, and xeol then treats it as “readonly.”

xeol’s first step in a database update is discovering databases that are available for retrieval. xeol does this by requesting a “listing file” from a public endpoint:

https://data.xeol.io/xeol/databases/listing.json

The listing file contains entries for every database that’s available for download.

Here’s an example of an entry in the listing file:

{
  "built": "2021-10-21T08:13:41Z",
  "version": 3,
  "url": "https://data.xeol.io/xeol/databases/eol-db_v3_2021-10-21T08:13:41Z.tar.gz",
  "checksum": "sha256:8c99fb4e516f10b304f026267c2a73a474e2df878a59bf688cfb0f094bfe7a91"
}

With this information, xeol can select the correct database (the most recently built database with the current schema version), download the database, and verify the database’s integrity using the listed checksum value.
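The selection and integrity check described above, as an added example in Python (not xeol's own Go code): it picks the newest build whose schema version matches the client, and refuses a download whose bytes do not hash to the listed checksum. The listing entries and archive bytes are constructed, and wrapping the entries in a plain list is an assumption of this example rather than the documented layout of listing.json.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed stand-in for an eol-db_*.tar.gz download; the listing's checksum
# below is derived from these bytes so the example runs fully offline.
GOOD_BLOB = b"constructed stand-in for an eol-db tarball"

def sha256_ref(blob):
    """Checksum in the listing's 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

# Constructed listing entries in the shape shown above (top-level list is an
# assumption of this example, not the documented listing.json layout).
LISTING = [
    {"built": "2021-10-20T08:13:41Z", "version": 3,
     "url": "https://data.xeol.io/xeol/databases/eol-db_v3_2021-10-20T08:13:41Z.tar.gz",
     "checksum": sha256_ref(b"older v3 build")},
    {"built": "2021-10-21T08:13:41Z", "version": 3,
     "url": "https://data.xeol.io/xeol/databases/eol-db_v3_2021-10-21T08:13:41Z.tar.gz",
     "checksum": sha256_ref(GOOD_BLOB)},
    {"built": "2021-10-22T08:13:41Z", "version": 4,
     "url": "https://data.xeol.io/xeol/databases/eol-db_v4_2021-10-22T08:13:41Z.tar.gz",
     "checksum": sha256_ref(b"newer build, wrong schema")},
]

def select_database(listing, schema_version):
    """Pick the most recently built entry for the client's schema version.
    A newer build with a different schema is skipped, not downloaded."""
    candidates = [e for e in listing if e["version"] == schema_version]
    if not candidates:
        raise LookupError(f"no database published for schema v{schema_version}")
    return max(candidates,
               key=lambda e: datetime.strptime(e["built"], "%Y-%m-%dT%H:%M:%SZ"))

def verify_checksum(blob, checksum):
    """True only if blob hashes to the listed 'sha256:<hex>' value.
    Unknown algorithms fail closed; the comparison is constant-time."""
    algo, _, expected = checksum.partition(":")
    if algo != "sha256" or not expected:
        return False
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected)

def fetch_and_check(listing, schema_version, download):
    """Choose the entry, fetch it via the injected downloader, verify before use."""
    entry = select_database(listing, schema_version)
    blob = download(entry["url"])
    if not verify_checksum(blob, entry["checksum"]):
        raise ValueError(f"checksum mismatch for {entry['url']}; discarding download")
    return entry, blob
```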

Install & Use

Copyright (C) 2023 xeol-io