Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OS Matching #33

Merged
merged 6 commits into from
Feb 23, 2023
Merged

OS Matching #33

merged 6 commits into from
Feb 23, 2023

Conversation

noqcks
Copy link
Collaborator

@noqcks noqcks commented Feb 21, 2023

This PR add OS end of life matching. We now have CPE's in endoflife.date we can use, because of this PR. We grab the Distro.CPEName from syft, which picks up the CPE_NAME property in /etc/os-release.

$ xeol -q fedora:29
NAME    VERSION  EOL         DAYS EOL  TYPE
Fedora  29       2019-11-26  1184      os

https://endoflife.date/fedora

There are a couple things to note about this PR:

Signed-off-by: Benji Visser <[email protected]>
Signed-off-by: Benji Visser <[email protected]>
Signed-off-by: Benji Visser <[email protected]>
Signed-off-by: Benji Visser <[email protected]>
Signed-off-by: Benji Visser <[email protected]>
@noqcks
Copy link
Collaborator Author

noqcks commented Feb 22, 2023

@witchcraze wondering if you had any thoughts here. You mentioned that you use an internal mapping to map EOL OS'. Wondering if this solution would be missing anything critical?

Signed-off-by: Benji Visser <[email protected]>
@noqcks noqcks changed the title WIP: OS Matching OS Matching Feb 23, 2023
@noqcks noqcks merged commit 9e2505b into main Feb 23, 2023
@noqcks noqcks deleted the benji/os-matching branch February 23, 2023 03:16
@witchcraze
Copy link

Sorry, my approach was usging "name" and "versionID" .
Some distribution will have several 'name'.
e.g. centos and CentOS, Fedora and Fedora Linux, Amazon Linux and Amazon Linux AMI

I did not check CPE_NAME in /etc/os-release by some reason, but I'll ty to check in our dataset next week and share results.

@witchcraze
Copy link

witchcraze commented Feb 28, 2023

@noqcks

I checked CPE_NAME in /etc/os-release in our environment

  • 95% are no data
  • Show CPE was from RHEL or those rebuild distributions
  • Major CPE patterns are ...
    • cpe:/o:centos:centos:8
    • cpe:/o:rocky:rocky:8:GA
    • cpe:/o:redhat:enterprise_linux:8::baseos
    • cpe:/o:redhat:enterprise_linux:8.1:GA
    • cpe:/o:oracle:linux:8:7:server
    • cpe:2.3:o:amazon:amazon_linux:2

@noqcks
Copy link
Collaborator Author

noqcks commented Feb 28, 2023

Yeah, that's what I've found as well. centos/redhat/amazon_linux/oracle are the main distros using CPE_NAME. I will need to create an OS mapping to get good coverage. Would not be good to miss Debian/Ubuntu/Suse

@noqcks noqcks mentioned this pull request Feb 28, 2023
@noqcks
Copy link
Collaborator Author

noqcks commented Feb 28, 2023

@witchcraze added some speculative OS matching in #40

so it now works for any distro, even if they don't set CPE_NAME

ubuntu

$ go run main.go ubuntu:18.10

NAME    VERSION  EOL         DAYS EOL  TYPE
Ubuntu  18.10    2019-07-18  1321      os

alpine

$  go run main.go alpine:3.9

NAME          VERSION  EOL         DAYS EOL  TYPE
Alpine Linux  3.9.6    2021-01-01  788       os

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants