Better Maven package support

[kosztyua]

What would you like to be added:
Maven packages seems to completely miss deprecation and end-of-life status. An example here is log4j 1.x, that shows no deprecated versions https://www.xeol.io/explorer/package/Maven/log4j%3Alog4j. Randomly checking it seems Maven packages do not have this correctly recorded, but also I could not find a way to reliable get this from mvnrepository. However, it is correctly recorded on endoflife.date, but that API does not have pURL support currently.

So I assume based on this I would start a brainstorm thread here on how to solve it, I would even contribute code if someone has an idea.

Why is this needed:
Almost missed log4j-1.2.17.jar. Xeol does not report it, trivy says "affected" status and grype says "not-fixed" which are often filtered/ignored in productions where scaling is needed

[kosztyua]

Bump? Any idea? I am happy to contribute code if someone has an idea

[kosztyua]

So while digging the xeol code I found the UsePURLs: true controlled by the "using-purls" config value. But even setting this false did not bring different results.

[noqcks]

For some reason I didn't see this or get notified about this issue.

The reason is the underlying data. Right now we dont collect EOL information for Maven packages. To support this we would need to add this to the data.

I have all the scraping logic for maven central, I just need to add it to our data collection lambdas that run.

[kosztyua]

Thank you for the update and no worries 🙏 Will keep an eye out for any updates, we started utilizing your great tool in all our pipelines.

[eyups]

Hi,

Is there any timeline for that? Thanks

[kosztyua]

Hi,

Any update on this?

I just checked and endoflife.date has purl support now and for example log4j has the maven purl reference added https://github.com/endoflife-date/endoflife.date/blob/master/products/log4j.md?plain=1#L19
Now scanning an sbom which has this record should be detected by XEOL, even without any further feature added. I am trying to understand why that is not the case.

{ "bom-ref": "pkg:maven/log4j/log4j@1.2.15", "group": "log4j", "hashes": [ { "alg": "SHA-1", "content": "f0a0d2e29ed910808c33135a3a5a51bba6358f7b" } ], "name": "log4j", "properties": [ { "name": "aquasecurity:trivy:FilePath", "value": "opt/zookeeper/contrib/rest/lib/log4j-1.2.15.jar" }, { "name": "aquasecurity:trivy:PkgType", "value": "jar" } ], "purl": "pkg:maven/log4j/log4j@1.2.15", "type": "library", "version": "1.2.15" },