guacsec · robert-cronin · Jan 28, 2025 · Jan 28, 2025
diff --git a/demo/graphql/queries.gql b/demo/graphql/queries.gql
@@ -291,4 +291,15 @@ query CertifyLegalQ1 {
     CertifyLegal(certifyLegalSpec: {subject: {package: {name: "log4j-core"} } }) @filter(keyName: "collector", operation: CONTAINS, value: "clearlydefined") {
         ...allCertifyLegalTree
     }
+}
+
+
+query EndOfLifeQ1 {
+    HasMetadata(hasMetadataSpec: {subject: {package: {type: "deb", namespace: "debian", name: "openssl", version: "1.1.1n-0+deb11u3"}}}) @filter(keyName: "key", operation: CONTAINS, value: "endoflife") {
+        subject {
+            ...allPkgTree
+        }
+    		key
+    		value
+    }
 }
diff --git a/internal/testing/e2e/e2e b/internal/testing/e2e/e2e
@@ -97,13 +97,13 @@ wipe_data() {
   fi
 }
 
-go run ${GUAC_DIR}"/cmd/guacingest" --add-vuln-on-ingest=true --add-license-on-ingest &
+go run ${GUAC_DIR}"/cmd/guacingest" --add-vuln-on-ingest=true --add-license-on-ingest --add-eol-on-ingest &
 go run ${GUAC_DIR}"/cmd/guacone" collect deps_dev -p &
 go run ${GUAC_DIR}"/cmd/guaccsub" &
 
 # Define ingestion commands
 declare -a ingestion_commands=(
-  "go run ${GUAC_DIR}/cmd/guacone collect files ${GUAC_DIR}/guac-data/docs/ --add-vuln-on-ingest=true --add-license-on-ingest"
+  "go run ${GUAC_DIR}/cmd/guacone collect files ${GUAC_DIR}/guac-data/docs/ --add-vuln-on-ingest=true --add-license-on-ingest --add-eol-on-ingest"
   "go run ${GUAC_DIR}/cmd/guaccollect files ${GUAC_DIR}/guac-data/docs/ --service-poll=false"
 )
 
@@ -121,6 +121,12 @@ queryValues["CertifyVulnQ1"]='del(.. | .id?) | del(.. | .timeScanned?)'
 queryValues["ArtifactsQ1"]='.artifacts |= sort'
 queryValues["PkgQ9"]='.packages[].namespaces |= sort_by(.namespace) | .packages[].namespaces[].names[].versions |= sort_by(.id) | .packages[].namespaces[].names[].versions[].qualifiers |= sort_by(.key) | del(.. | .id?)'
 queryValues["CertifyLegalQ1"]='del(.. | .id?) | del(.. | .timeScanned?) | del(.. | .origin?)'
+queryValues["EndOfLifeQ1"]='
+  (.HasMetadata[] | select(.key == "endoflife") | .subject.namespaces[].names[].versions[].qualifiers) |= sort_by(.key)
+  | del(.. | .id?)
+  | del(.. | .timeScanned?)
+  | del(.. | .origin?)
+'
 
 # Define an indexed array to maintain the order of the queries
 queryOrder=(
@@ -136,6 +142,7 @@ queryOrder=(
   "ArtifactsQ1"
   "PkgQ9"
   "CertifyLegalQ1"
+  "EndOfLifeQ1"
 )
 
 queries="${GUAC_DIR}/demo/graphql/queries.gql"

diff --git a/internal/testing/e2e/expectEndOfLifeQ1.json b/internal/testing/e2e/expectEndOfLifeQ1.json
@@ -0,0 +1,72 @@
+{
+  "HasMetadata": [
+    {
+      "subject": {
+        "type": "deb",
+        "namespaces": [
+          {
+            "namespace": "debian",
+            "names": [
+              {
+                "name": "openssl",
+                "versions": [
+                  {
+                    "purl": "pkg:deb/debian/[email protected]%2Bdeb11u3?arch=amd64&distro=debian-11",
+                    "version": "1.1.1n-0+deb11u3",
+                    "qualifiers": [
+                      {
+                        "key": "arch",
+                        "value": "amd64"
+                      },
+                      {
+                        "key": "distro",
+                        "value": "debian-11"
+                      }
+                    ],
+                    "subpath": ""
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "key": "endoflife",
+      "value": "product:openssl,cycle:1.1.1,version:1.1.1n-0+deb11u3,isEOL:true,eolDate:2023-09-11,lts:true,latest:1.1.1w,releaseDate:2018-09-11"
+    },
+    {
+      "subject": {
+        "type": "deb",
+        "namespaces": [
+          {
+            "namespace": "debian",
+            "names": [
+              {
+                "name": "openssl",
+                "versions": [
+                  {
+                    "purl": "pkg:deb/debian/[email protected]%2Bdeb11u3?arch=arm64&distro=debian-11",
+                    "version": "1.1.1n-0+deb11u3",
+                    "qualifiers": [
+                      {
+                        "key": "arch",
+                        "value": "arm64"
+                      },
+                      {
+                        "key": "distro",
+                        "value": "debian-11"
+                      }
+                    ],
+                    "subpath": ""
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "key": "endoflife",
+      "value": "product:openssl,cycle:1.1.1,version:1.1.1n-0+deb11u3,isEOL:true,eolDate:2023-09-11,lts:true,latest:1.1.1w,releaseDate:2018-09-11"
+    }
+  ]
+}
@@ -168,10 +168,8 @@ func (b *EntBackend) FindPackagesThatNeedScanning(ctx context.Context, queryType
 			Aggregate(func(s *sql.Selector) string {
 				t := sql.Table(hasmetadata.Table)
 				s.LeftJoin(t).On(s.C(packageversion.FieldID), t.C(hasmetadata.FieldPackageVersionID))
-				s.Where(sql.And(
-					sql.NotNull(t.C(hasmetadata.FieldTimestamp)),
-					sql.EQ(t.C(hasmetadata.FieldKey), "endoflife"),
-				))
+				// only consider "endoflife" metadata
+				s.Where(sql.EQ(t.C(hasmetadata.FieldKey), "endoflife"))
 				return sql.As(sql.Max(t.C(hasmetadata.FieldTimestamp)), "max")
 			}).
 			Scan(ctx, &pkgLatestScan)

@@ -435,25 +435,21 @@ func (c *demoClient) FindPackagesThatNeedScanning(ctx context.Context, queryType
 								pkgIDs = append(pkgIDs, pkgVer.ThisID)
 							}
 						} else { // queryType == model.QueryTypeEol via hasMetadataLink
+							// we only want packages *without* any endoflife entry
+							eolFound := false
 							if len(pkgVer.HasMetadataLinks) > 0 {
-								var timeScanned []time.Time
 								for _, hasMetadataLinkID := range pkgVer.HasMetadataLinks {
 									link, err := byIDkv[*hasMetadataLink](ctx, hasMetadataLinkID, c)
 									if err != nil {
 										continue
 									}
-									// only pick endoflife metadata
-									if link.MDKey != "endoflife" {
-										continue
+									if link.MDKey == "endoflife" {
+										eolFound = true
+										break
 									}
-									timeScanned = append(timeScanned, link.Timestamp)
 								}
-								lastScanTime := latestTime(timeScanned)
-								lastIntervalTime := time.Now().Add(time.Duration(-*lastScan) * time.Hour).UTC()
-								if lastScanTime.Before(lastIntervalTime) {
-									pkgIDs = append(pkgIDs, pkgVer.ThisID)
-								}
-							} else {
+							}
+							if !eolFound {
 								pkgIDs = append(pkgIDs, pkgVer.ThisID)
 							}
 						}

diff --git a/pkg/certifier/eol/eol.go b/pkg/certifier/eol/eol.go
@@ -23,12 +23,15 @@ import (
 	"strings"
 	"time"
 
+	"github.com/guacsec/guac/pkg/assembler/clients/generated"
+	"github.com/guacsec/guac/pkg/assembler/helpers"
 	"github.com/guacsec/guac/pkg/certifier"
 	"github.com/guacsec/guac/pkg/certifier/attestation"
 	"github.com/guacsec/guac/pkg/certifier/components/root_package"
 	"github.com/guacsec/guac/pkg/clients"
 	"github.com/guacsec/guac/pkg/events"
 	"github.com/guacsec/guac/pkg/handler/processor"
+	"github.com/guacsec/guac/pkg/logging"
 	"github.com/guacsec/guac/pkg/version"
 	attestationv1 "github.com/in-toto/attestation/go/v1"
 	"golang.org/x/time/rate"
@@ -199,6 +202,8 @@ func (e *eolCertifier) CertifyComponent(ctx context.Context, rootComponent inter
 }
 
 func EvaluateEOLResponse(ctx context.Context, client *http.Client, purls []string, docChannel chan<- *processor.Document) ([]*processor.Document, error) {
+	logger := logging.FromContext(ctx)
+
 	packMap := map[string]bool{}
 	var generatedEOLDocs []*processor.Document
 
@@ -215,8 +220,15 @@ func EvaluateEOLResponse(ctx context.Context, client *http.Client, purls []strin
 			continue
 		}
 
-		product, found := findMatchingProduct(purl, products)
+		pkgInput, err := helpers.PurlToPkg(purl)
+		if err != nil {
+			logger.Debugf("failed to convert PURL to PkgInput: %v", err)
+			continue
+		}
+
+		product, found := findMatchingProduct(pkgInput, products)
 		if !found {
+			logger.Debugf("no matching product found for %s", purl)
 			continue
 		}
 
@@ -225,69 +237,72 @@ func EvaluateEOLResponse(ctx context.Context, client *http.Client, purls []strin
 			return nil, fmt.Errorf("failed to fetch EOL data for %s: %w", product, err)
 		}
 
-		cycle, version := extractCycleAndVersion(purl)
+		if pkgInput.Version == nil || *pkgInput.Version == "" {
+			logger.Debugf("no version found for %s", purl)
+			continue
+		}
+		version := *pkgInput.Version
+
 		var relevantCycle *CycleData
 		for i := range eolData {
-			if eolData[i].Cycle == cycle {
+			// assuming the version might contain other modifiers in addition to the cycle (e.g. "1.1.1n-0+deb11u3" for cycle "1.1.1")
+			if strings.HasPrefix(version, eolData[i].Cycle) {
 				relevantCycle = &eolData[i]
 				break
 			}
 		}
 
-		if relevantCycle == nil && len(eolData) > 0 {
-			// If no matching cycle is found, use the latest (first in the list)
-			relevantCycle = &eolData[0]
+		if relevantCycle == nil {
+			logger.Debugf("no cycle found for %s", purl)
+			continue
 		}
 
-		if relevantCycle != nil {
-			currentTime := time.Now()
-
-			// Get EOL status and date
-			isEOL := relevantCycle.EOL.Bool()
-			eolDateStr := relevantCycle.EOL.String()
-
-			statement := &attestation.EOLStatement{
-				Statement: attestationv1.Statement{
-					Type:          attestationv1.StatementTypeUri,
-					PredicateType: attestation.PredicateEOL,
-					Subject:       []*attestationv1.ResourceDescriptor{{Uri: purl}},
-				},
-				Predicate: attestation.EOLPredicate{
-					Product:     product,
-					Cycle:       relevantCycle.Cycle,
-					Version:     version,
-					IsEOL:       isEOL,
-					EOLDate:     eolDateStr,
-					LTS:         relevantCycle.LTS.Bool(),
-					Latest:      relevantCycle.Latest,
-					ReleaseDate: relevantCycle.ReleaseDate,
-					Metadata: attestation.EOLMetadata{
-						ScannedOn: &currentTime,
-					},
+		// Get EOL status and date
+		isEOL := relevantCycle.EOL.Bool()
+		eolDateStr := relevantCycle.EOL.String()
+
+		currentTime := time.Now().UTC()
+		statement := &attestation.EOLStatement{
+			Statement: attestationv1.Statement{
+				Type:          attestationv1.StatementTypeUri,
+				PredicateType: attestation.PredicateEOL,
+				Subject:       []*attestationv1.ResourceDescriptor{{Uri: purl}},
+			},
+			Predicate: attestation.EOLPredicate{
+				Product:     product,
+				Cycle:       relevantCycle.Cycle,
+				Version:     version,
+				IsEOL:       isEOL,
+				EOLDate:     eolDateStr,
+				LTS:         relevantCycle.LTS.Bool(),
+				Latest:      relevantCycle.Latest,
+				ReleaseDate: relevantCycle.ReleaseDate,
+				Metadata: attestation.EOLMetadata{
+					ScannedOn: &currentTime,
 				},
-			}
+			},
+		}
 
-			payload, err := json.Marshal(statement)
-			if err != nil {
-				return nil, fmt.Errorf("unable to marshal attestation: %w", err)
-			}
+		payload, err := json.Marshal(statement)
+		if err != nil {
+			return nil, fmt.Errorf("unable to marshal attestation: %w", err)
+		}
 
-			doc := &processor.Document{
-				Blob:   payload,
-				Type:   processor.DocumentITE6EOL,
-				Format: processor.FormatJSON,
-				SourceInformation: processor.SourceInformation{
-					Collector:   EOLCollector,
-					Source:      EOLCollector,
-					DocumentRef: events.GetDocRef(payload),
-				},
-			}
+		doc := &processor.Document{
+			Blob:   payload,
+			Type:   processor.DocumentITE6EOL,
+			Format: processor.FormatJSON,
+			SourceInformation: processor.SourceInformation{
+				Collector:   EOLCollector,
+				Source:      EOLCollector,
+				DocumentRef: events.GetDocRef(payload),
+			},
+		}
 
-			if docChannel != nil {
-				docChannel <- doc
-			}
-			generatedEOLDocs = append(generatedEOLDocs, doc)
+		if docChannel != nil {
+			docChannel <- doc
 		}
+		generatedEOLDocs = append(generatedEOLDocs, doc)
 
 		packMap[purl] = true
 	}
@@ -393,36 +408,14 @@ func fetchProductEOL(ctx context.Context, client *http.Client, product string) (
 	return eolData, nil
 }
 
-func findMatchingProduct(purl string, products []string) (string, bool) {
-	parts := strings.Split(purl, "/")
-	if len(parts) < 2 {
-		return "", false
-	}
-
-	packageName := strings.Split(parts[1], "@")[0]
-	packageName = strings.ToLower(packageName)
+func findMatchingProduct(pkgInput *generated.PkgInputSpec, products []string) (string, bool) {
+	packageName := strings.ToLower(pkgInput.Name)
 
 	for _, product := range products {
-		if strings.Contains(packageName, product) || strings.Contains(product, packageName) {
+		if product == packageName {
 			return product, true
 		}
 	}
 
 	return "", false
 }
-
-func extractCycleAndVersion(purl string) (string, string) {
-	parts := strings.Split(purl, "@")
-	if len(parts) < 2 {
-		return "", ""
-	}
-
-	version := parts[1]
-	versionParts := strings.Split(version, ".")
-
-	if len(versionParts) > 0 {
-		return versionParts[0], version
-	}
-
-	return "", version
-}
diff --git a/pkg/ingestor/parser/common/scanner/scanner_test.go b/pkg/ingestor/parser/common/scanner/scanner_test.go
@@ -555,7 +555,7 @@ func TestPurlsEOLScan(t *testing.T) {
 						PkgMatchFlag: generated.MatchFlags{Pkg: generated.PkgMatchTypeSpecificVersion},
 						HasMetadata: &generated.HasMetadataInputSpec{
 							Key:           "endoflife",
-							Value:         "product:python,cycle:3.13,version:3.9.5,isEOL:false,eolDate:2029-10-31,lts:false,latest:3.13.0,releaseDate:2024-10-07",
+							Value:         "product:python,cycle:3.9,version:3.9.5,isEOL:false,eolDate:2025-10-31,lts:false,latest:3.9.21,releaseDate:2020-10-05",
 							Justification: "Retrieved from endoflife.date",
 							Origin:        "GUAC EOL Certifier",
 							Collector:     "GUAC",
@@ -616,7 +616,7 @@ func TestPurlsEOLScan(t *testing.T) {
 						PkgMatchFlag: generated.MatchFlags{Pkg: generated.PkgMatchTypeSpecificVersion},
 						HasMetadata: &generated.HasMetadataInputSpec{
 							Key:           "endoflife",
-							Value:         "product:python,cycle:3.13,version:3.9.5,isEOL:false,eolDate:2029-10-31,lts:false,latest:3.13.0,releaseDate:2024-10-07",
+							Value:         "product:python,cycle:3.9,version:3.9.5,isEOL:false,eolDate:2025-10-31,lts:false,latest:3.9.21,releaseDate:2020-10-05",
 							Justification: "Retrieved from endoflife.date",
 							Origin:        "GUAC EOL Certifier",
 							Collector:     "GUAC",