August 29th | Open Source Gardening | Live Stream

EOL is another worry of a developer (like CVE or license compliance). I am thinking of creating a blade that will cover this subject.
Today, a source which can provide some information is https://endoflife.date/
I checked and they are working on creating even an offline database. I think this direction can be interesting, both for OS distributions and packages.
Maybe it can be part of another tool.
xeol, which is open source and based on grype/syft, is not maintained frequently enough.
Taking a syft SBOM and sending it to another tool to find EOL can be helpful.
What do you think?
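The workflow suggested above (feed a Syft SBOM to a separate EOL check) as an added example; this is not code from Syft, Grype, xeol or endoflife.date. It assumes a trimmed Syft native JSON layout (`artifacts` with `name`/`version`, and a `distro` object with `id`/`versionID`) and an EOL table in the shape of the endoflife.date `/api/<product>.json` response, where each cycle has a `cycle` label and an `eol` field that is either an ISO date or a bare boolean. Both inputs are constructed samples embedded inline so the script runs offline; the dates are illustrative, not authoritative.

```python
import json
from datetime import date

# Constructed sample of Syft's native JSON output, trimmed to the fields used here
# (assumption: real output carries many more fields per artifact).
SAMPLE_SBOM_JSON = """
{
  "artifacts": [
    {"name": "python",  "version": "3.7.17", "type": "binary"},
    {"name": "openssl", "version": "3.0.13", "type": "deb"},
    {"name": "curl",    "version": "7.88.1", "type": "deb"}
  ],
  "distro": {"id": "debian", "versionID": "10"}
}
"""

# Constructed sample mirroring the endoflife.date API shape: one list of cycles
# per product, "eol" being an ISO date string or a boolean (True = already EOL).
SAMPLE_EOL_DB = {
    "debian": [
        {"cycle": "10", "eol": "2024-06-30"},
        {"cycle": "12", "eol": "2028-06-30"},
    ],
    "python": [
        {"cycle": "3.7", "eol": "2023-06-27"},
        {"cycle": "3.12", "eol": "2028-10-02"},
    ],
    "openssl": [
        {"cycle": "1.1.1", "eol": True},
        {"cycle": "3.0", "eol": "2026-09-07"},
    ],
}


def match_cycle(version, cycles):
    """Pick the cycle whose label is the longest dotted prefix of the version string.

    "3.7.17" matches cycle "3.7"; "10" matches cycle "10"; "3.12.1" must not
    match "3.1", which is why the prefix check requires a following dot.
    """
    best = None
    for entry in cycles:
        label = entry["cycle"]
        if version == label or version.startswith(label + "."):
            if best is None or len(label) > len(best["cycle"]):
                best = entry
    return best


def is_eol(entry, today):
    """Handle both encodings of 'eol': a boolean, or an ISO date compared to today."""
    eol = entry["eol"]
    if isinstance(eol, bool):
        return eol
    return date.fromisoformat(eol) <= today


def find_eol(sbom, eol_db, today):
    """Return (kind, product, cycle, eol) tuples for the distro and any package
    whose matched cycle has reached end of life as of `today`."""
    findings = []

    distro = sbom.get("distro") or {}
    if distro.get("id") in eol_db:
        entry = match_cycle(distro.get("versionID", ""), eol_db[distro["id"]])
        if entry and is_eol(entry, today):
            findings.append(("distro", distro["id"], entry["cycle"], entry["eol"]))

    for artifact in sbom.get("artifacts", []):
        cycles = eol_db.get(artifact["name"])
        if not cycles:
            continue  # product unknown to the EOL table: no claim either way
        entry = match_cycle(artifact["version"], cycles)
        if entry and is_eol(entry, today):
            findings.append(("package", artifact["name"], entry["cycle"], entry["eol"]))

    return findings


def run_sample(today_iso="2024-08-29"):
    """Run the check over the embedded sample SBOM as of the given date."""
    return find_eol(json.loads(SAMPLE_SBOM_JSON), SAMPLE_EOL_DB, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for kind, product, cycle, eol in run_sample():
        print(f"{kind}: {product} {cycle} reached EOL ({eol})")
```

With the sample data and a reference date of 2024-08-29 the script flags the Debian 10 base image and the Python 3.7 binary, leaves OpenSSL 3.0 alone (its date is still in the future) and stays silent about curl because the table has no entry for it. Swapping `SAMPLE_EOL_DB` for the real API responses, or for the offline database mentioned above, would be the obvious next step.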

:wave: Hello everyone!

Every Thursday, the Anchore Open Source team runs a live stream to discuss issues, pull requests and future planning in our SBOM and vulnerability tools.

:alarm_clock: Starts at 2024-08-29T19:00:00Z for about an hour.

Expect engineering and project management discussions, a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.

Join us today for a relaxed, educational and productive live stream.

If you’d like to join us on the Zoom call to discuss any relevant topics, DM me right here in Discourse for the link.

Topics

This week we are planning to talk about any new issues marked ‘needs-discussion’ in Syft and Grype

Plus anything else we have time for, and your questions.

Hi!
I would like to hear your opinions on this: Add capability to detect EOL packages and distros · Issue #2083 · anchore/grype · GitHub
and on this:
Squashed all layers by tomersein · Pull Request #3138 · anchore/syft · GitHub

Hey @TimBrown1611 - I moved your comment here, so we can talk about it in the live stream later. thanks!

We did discuss this, starting at 3:49 and ending at 24:52. As I recall we all agreed this is a good idea, and it would need some more investigation and design work. We’d welcome contributions here.

@willmurphy posted some further thoughts on issue 2083