xeol doesn't find postgres 12, but does find postgres 12-alpine #461

Open
tldev-de opened this issue Dec 5, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@tldev-de

tldev-de commented Dec 5, 2024

What happened:
I scanned two postgres 12 docker images; one (postgres:12-alpine) is shown as eol, the other (postgres:12) is not.

What you expected to happen:
I would expect to see both docker images flagged as eol, since postgres 12 is eol.

How to reproduce it (as minimally and precisely as possible):

$ xeol --version
xeol 0.10.1

$ xeol docker:postgres:12-alpine
 ✔ EOL DB                          [no update available]  
 ✔ Scanned for EOL                 [1 eol matches]  
NAME        VERSION  EOL         DAYS EOL  TYPE   
postgresql  12.22    2024-11-21  14        binary

$ xeol docker:postgres:12
 ✔ EOL DB                          [no update available]  
 ✔ Scanned for EOL                 [0 eol matches]  
✅ no EOL software has been found

Anything else we need to know?:

Environment:

  • Output of xeol version: xeol 0.10.1
  • OS (e.g: cat /etc/os-release or similar): KDE neon 6.2 (based on ubuntu 24.04 noble)
@tldev-de tldev-de added the bug Something isn't working label Dec 5, 2024
@noqcks
Collaborator

noqcks commented Dec 27, 2024

unfortunately this is one limitation of the scanner

when I do a scan of the docker image using syft

syft postgres:12 -o cyclonedx-json > postgres12.json

I can see a purl which we could use to identify postgres 12

      "purl": "pkg:deb/debian/[email protected]%2B1?arch=arm64&distro=debian-12&upstream=postgresql-12",

but either the way that debian structures files metadata or the way that syft is constructing the purls makes it so that the name is postgresql-client-12, which is very annoying.

The identifiers for postgres we source from endoflife.date here

We would either need to add purls like this for every version of postgres inside endoflife.date or do custom parsing just for debian postgres installations.

pkg:deb/debian/postgresql-client-xx

@witchcraze

Current Syft merges detected packages and detected binaries by default.
Maybe we need to consider an output option...

$ syft -q postgres:12 | grep postgres
postgresql-12             12.22-1.pgdg120+1        deb
postgresql-client-12      12.22-1.pgdg120+1        deb
postgresql-client-common  267.pgdg120+1            deb
postgresql-common         267.pgdg120+1            deb

$ syft postgres:12 -q -o json |  jq  '.artifacts[] | select(.name == "postgresql-12") | .purl'
"pkg:deb/debian/[email protected]%2B1?arch=amd64&distro=debian-12"

$ syft  -q postgres:12 --override-default-catalogers "binary" | grep postgres
postgresql                12.22             binary

$ syft postgres:12 -q --override-default-catalogers "binary" -o json |  jq  '.artifacts[] | select(.name == "postgresql") | .purl'
"pkg:generic/[email protected]"

And Syft treats deb packages as packages provided by the OS distribution, even if they come from a 3rd party package repository.
I think xeol needs to judge whether this package is from the OS distribution or not.
For example, debian12 does not provide the package postgres-12, and debian does not provide packages with versions including pgdg...
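
As an added example (not code from xeol, syft or any commenter on this issue), the Python script below sketches both approaches raised in the thread: noqcks's option of custom parsing for Debian PostgreSQL package names (postgresql-12, postgresql-client-12, ...) so they resolve to the upstream product postgresql and its major version, and witchcraze's suggestion of deciding from the deb version string whether a package came from the distribution or from a third-party repository such as PGDG. The sample SBOM is constructed from the syft artifacts quoted above, the only EOL date hard-coded is the PostgreSQL 12 date that xeol printed in the first comment, and the regex, the marker table and the function names are this example's own assumptions, not anything xeol implements.

```python
"""Post-process syft JSON output to (1) map Debian/PGDG package names such as
postgresql-client-12 back to upstream product "postgresql" major 12 and
(2) flag packages whose Debian version shows they came from a third-party
repository (PGDG) rather than from Debian itself. Added example, not xeol code."""
import json
import re
from datetime import date
from urllib.parse import parse_qs, unquote

# Constructed sample mirroring the syft artifacts quoted in this issue.
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "postgresql-12", "version": "12.22-1.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-12@12.22-1.pgdg120%2B1?arch=amd64&distro=debian-12"},
    {"name": "postgresql-client-12", "version": "12.22-1.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-client-12@12.22-1.pgdg120%2B1"
             "?arch=amd64&distro=debian-12&upstream=postgresql-12"},
    {"name": "postgresql-common", "version": "267.pgdg120+1", "type": "deb",
     "purl": "pkg:deb/debian/postgresql-common@267.pgdg120%2B1?arch=amd64&distro=debian-12"},
    {"name": "libc6", "version": "2.36-9+deb12u9", "type": "deb",
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u9?arch=amd64&distro=debian-12"},
]})

# Date the issue was opened; xeol reported PostgreSQL 12 as 14 days past EOL then.
ISSUE_DATE = date(2024, 12, 5)

# EOL date for PostgreSQL 12 as printed by xeol earlier in this thread. A real
# tool would load the whole table from endoflife.date instead of hard-coding it.
EOL_DATES = {"12": date(2024, 11, 21)}

# Assumed naming rule: postgresql[-<component>]-<major>, e.g. postgresql-12,
# postgresql-client-12. postgresql-common has no major and must not match.
PG_DEB_NAME = re.compile(r"^postgresql(?:-[a-z0-9-]+?)?-(\d+)$")

# Assumed heuristic: Debian's own revisions look like "+deb12u9"; PGDG builds
# carry ".pgdgNNN" in the revision, which Debian never ships.
THIRD_PARTY_MARKERS = {"pgdg": "apt.postgresql.org (PGDG)"}


def parse_purl(purl):
    """Minimal package-URL parser: pkg:type/namespace/name@version?qualifiers."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):]
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)  # %2B -> '+'
    parts = rest.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]) or None,
            "name": unquote(parts[-1]), "version": version, "qualifiers": qualifiers}


def deb_upstream_version(deb_version):
    """Strip the epoch ('1:') and Debian revision ('-1.pgdg120+1') from a deb version."""
    v = deb_version.split(":", 1)[1] if ":" in deb_version else deb_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def package_origin(deb_version):
    """Guess whether the package was built by Debian or by a third-party repository."""
    for marker, origin in THIRD_PARTY_MARKERS.items():
        if marker in deb_version:
            return origin
    return "debian"


def eol_status(major, today):
    """Return ('eol' | 'supported' | 'unknown', days past EOL or None)."""
    eol = EOL_DATES.get(major)
    if eol is None:
        return "unknown", None
    days = (today - eol).days
    return ("eol" if days >= 0 else "supported"), days


def scan(sbom_json, today):
    """Return one finding per Debian PostgreSQL package found in a syft JSON SBOM."""
    findings = []
    for art in json.loads(sbom_json)["artifacts"]:
        if art.get("type") != "deb":
            continue
        p = parse_purl(art["purl"])
        # syft records the source package in the upstream= qualifier (possibly
        # as name@version) for binaries like postgresql-client-12; fall back to name.
        source = p["qualifiers"].get("upstream", p["name"]).split("@", 1)[0]
        m = PG_DEB_NAME.match(source) or PG_DEB_NAME.match(p["name"])
        if not m:
            continue
        status, days = eol_status(m.group(1), today)
        findings.append({"package": p["name"], "product": "postgresql",
                         "version": deb_upstream_version(p["version"]),
                         "origin": package_origin(p["version"]),
                         "status": status, "days_eol": days})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SBOM, ISSUE_DATE):
        print(f)
```

Run against a real image with `syft postgres:12 -o json > postgres12.json` and pass the file contents to `scan()`; the `origin` field is what lets a scanner decide that a deb package with a pgdg revision should be matched against the upstream postgresql identifiers rather than against Debian's own package list.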
