Not finding EOL'ed version of prometheus #382

Closed
tuxdevnow opened this issue Aug 1, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@tuxdevnow

What happened:
xeol did not find EOL software in prometheus image version 2.51.2 which is EOL according to https://endoflife.date/prometheus

What you expected to happen:
xeol should have reported EOL software

How to reproduce it (as minimally and precisely as possible):
```
xeol prom/prometheus:v2.51.2 --scope all-layers
```

Anything else we need to know?:
DB used was https://data.xeol.io/xeol/databases/xeol-db_v1_2024-08-01T03:51:15.983978Z.tar.gz as reported by xeol in verbose mode
Thanks for the support =)

Environment:

@tuxdevnow tuxdevnow added the bug Something isn't working label Aug 1, 2024
@noqcks
Collaborator

noqcks commented Aug 2, 2024

This is unfortunately an issue with syft for the image you mentioned.

If you run `syft prom/prometheus:v2.51.2 -o json > prom.json` there is no component found which has a purl resembling prometheus that we can use to match. I think this is likely because Prometheus is installed in this container via a binary and syft does not have a binary matcher for prometheus yet.

@sherif84

sherif84 commented Sep 25, 2024

Seeing the same issue, but running syft I'm seeing prometheus purl go packages listed, see below?

```
syft prom/prometheus:v2.51.2 -o json | jq | grep purl | grep prom
 ✔ Loaded image                                                                                                            prom/prometheus:v2.51.2
 ✔ Parsed image                                                            sha256:051cb67876a609e838c4be62bf88348ba896b8411d17b3221743a1d31466a114
 ✔ Cataloged contents                                                             77c3669c321ad39ae016fc3174ab5ed5b181e71de94417d5f56805abf71f9f73
   ├── ✔ Packages                        [337 packages]
   └── ✔ Executables                     [4 executables]
      "purl": "pkg:golang/github.com/prometheus/alertmanager@v0.27.0",
      "purl": "pkg:golang/github.com/prometheus/alertmanager@v0.27.0",
      "purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0",
      "purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0",
      "purl": "pkg:golang/github.com/prometheus/client_model@v0.6.0",
      "purl": "pkg:golang/github.com/prometheus/client_model@v0.6.0",
      "purl": "pkg:golang/github.com/prometheus/common@v0.49.1-0.20240306132007-4199f18c3e92",
      "purl": "pkg:golang/github.com/prometheus/common@v0.49.1-0.20240306132007-4199f18c3e92",
      "purl": "pkg:golang/github.com/prometheus/common@v0.2.0#assets",
      "purl": "pkg:golang/github.com/prometheus/common@v0.1.0#sigv4",
      "purl": "pkg:golang/github.com/prometheus/common@v0.1.0#sigv4",
      "purl": "pkg:golang/github.com/prometheus/exporter-toolkit@v0.11.0",
      "purl": "pkg:golang/github.com/prometheus/exporter-toolkit@v0.11.0",
      "purl": "pkg:golang/github.com/prometheus/procfs@v0.12.0",
      "purl": "pkg:golang/github.com/prometheus/procfs@v0.12.0",
      "purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2",
      "purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2",
```

Version

```
xeol prom/prometheus:v2.51.2 --scope all-layers
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [0 eol matches]
✅ no EOL software has been found

xeol version

Application:         xeol
Version:             0.10.0
BuildDate:           2024-08-12T14:30:28Z
GitCommit:           fc266941eba8c5922c37756f727e286be747c0da
GitDescription:      v0.10.0
Platform:            linux/amd64
GoVersion:           go1.22.6
Compiler:            gc
Syft Version:        v1.10.0
Supported DB Schema: 1
```

Syft

```
syft version
Application: syft
Version:    1.13.0
BuildDate:  2024-09-24T13:28:58Z
GitCommit:  01de99b25304ec95197c00b21d698f127b31a887
GitDescription: v1.13.0
Platform:   linux/amd64
GoVersion:  go1.22.7
Compiler:   gc
```
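A way to repeat the purl check discussed in the comments above on a saved syft JSON report, as an added example that is not part of the thread or of xeol's code: it separates purls whose package name is the product itself from purls that only sit under its namespace (libraries). It assumes syft's JSON output lists components under `artifacts` with a `purl` field; `parse_purl`, `find_product` and the sample SBOM are constructed for illustration.

```python
import json

# Constructed sample: a trimmed syft JSON document carrying a few of the purls
# quoted in this thread. Real syft output has many more fields per artifact.
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "github.com/prometheus/client_golang",
     "purl": "pkg:golang/github.com/prometheus/client_golang@v1.19.0"},
    {"name": "github.com/prometheus/common",
     "purl": "pkg:golang/github.com/prometheus/common@v0.1.0#sigv4"},
    {"name": "github.com/prometheus/prometheus",
     "purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2"},
    {"name": "github.com/prometheus/prometheus",
     "purl": "pkg:golang/github.com/prometheus/prometheus@v2.51.2"},
    {"name": "busybox", "purl": ""},
]})


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath; None if not a purl."""
    if not purl.startswith("pkg:"):
        return None
    rest, _, subpath = purl[4:].partition("#")
    rest, _, _qualifiers = rest.partition("?")
    path, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    ptype, _, full_name = path.partition("/")
    namespace, _, name = full_name.rpartition("/")
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": version, "subpath": subpath}


def find_product(sbom_text, product):
    """Return de-duplicated purls naming `product` itself vs. purls that only mention it."""
    exact, related = set(), set()
    for artifact in json.loads(sbom_text).get("artifacts", []):
        purl = artifact.get("purl") or ""
        parts = parse_purl(purl)
        if parts is None:
            continue  # component has no purl, so nothing purl-based can match it
        if parts["name"] == product:
            exact.add(purl)
        elif product in parts["namespace"].split("/"):
            related.add(purl)
    return {"exact": sorted(exact), "related": sorted(related)}


if __name__ == "__main__":
    result = find_product(SAMPLE_SBOM, "prometheus")
    print("product itself:", result["exact"])
    print("libraries only:", result["related"])
```

An empty `exact` list with a non-empty `related` list means the SBOM names the product's libraries but not the product, which is worth attaching to a report like this one.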

      

@sherif84

sherif84 commented Oct 3, 2024

@noqcks as an FYI
