EOL of traefik no more detected

[jgraglia]

What happened:
when analyzing a SBOM with a traefik 3.1. 2 purl, EOL is no more detected with last version of xeol & db

What you expected to happen:
Traefik 3.1.2 is eol and should me detected by xeol
On January 17, I analyze a test sbom declaring a traefik v 3.1.2 component. As expected xeol detected the EOL of traefik 3.1.x

Today, after xeol update & db update, the analysis does not detect the eol anymore.

How to reproduce it (as minimally and precisely as possible):

xeol sbom:eol-traefik-3.1.2.cdx.json

see eol-traefik-3.1.2.cdx.json

Anything else we need to know?:
I search in the xeol db :

sqlite3 ~/.cache/xeol/db/1/xeol.db 'select * from purls where purl like "%traefik%" order by purl;'

in the last db it give me many purls but only some targetting pkg:golang/github.com%2Ftraefik%2Fyaegi or pkg:golang/github.com%2Ftraefik%2Fpaerser

With the db from 2025-01-17 the output is only 2 purls

sqlite3 ~/Downloads/xeol-db_v1_2025-01-17T03_51_15.516595Z/xeol.db 'select * from purls where purl like "%traefik%";'
918|pkg:brew/traefik|317
919|pkg:github/traefik/traefik|317

pkg:github/traefik/traefik seems to be the valid purl for traefik => see eol config for traefik :https://github.com/endoflife-date/endoflife.date/blob/master/products/traefik.md?plain=1#L17

so I wonder why this purl is missing ? and the / seems to be encoded now

I also find this blogpost https://www.herodevs.com/blog-posts/herodevs-acquires-xeol-to-help-users-of-end-of-life-open-source-software-secure-their-applications-and-protect-their-data : may be sth happens to the opensource db ?

Thanks for your help

Environment:

• Output of xeol version: `xeol 0.10.7\
• OS (e.g: cat /etc/os-release or similar): Ubuntu 24.04.2 LTS
• xeol db status :

xeol db status 
Location:  ~/.cache/xeol/db/1
Built:     2025-02-21 00:00:45.348326 +0000 UTC
Schema:    1
Checksum:  sha256:97a832e0d985afba4a03f671410b8d3a83f1ac045278cb8c1d97016417dd66cc
Status:    valid

[dwelch2344]

Hey @jgraglia, thanks for raising this. We're in the process of moving to a more complete dataset, but unfortunately there's a few endoflife.date gaps unfortunately.

We've already got an issue in and work started on backfilling this data so you'll get the same (or hopefully better) output again shortly.

[jgraglia]

Hi, Thank for you feedback !

[kranurag7]

Hey there, I think this is happening with every image. I'm not sure without looking into details if only one endoflife.date backend is considered for now.

If I use the readme gif example then it's not detecting anything EOL in mongo:3.2 image.

~ $ xeol mongo:3.2
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [0 eol matches]
✅ no EOL software has been found
~ $ xeol bitnami/kubectl:1.15
 ✔ EOL DB                          [no update available]
 ✔ Scanned for EOL                 [0 eol matches]
✅ no EOL software has been found

[jgraglia]

Hi there ! I just have check the same command and still no EOL found.
the db has been update automatically.
xeol sbom:eol-traefik-3.1.2.cdx.json

I wonder if any infos is shareable about this? Xeol move to a commercial license? everything is locked until something happens?

The commit activity is very low, (https://github.com/xeol-io/xeol/graphs/contributors?from=3%2F14%2F2025&to=6%2F29%2F2025) and one of them was performed by a dev who also participate to
https://github.com/herodevs/cli?tab=readme-ov-file
which looks like eol.

xeol is officialy dead and replaced by the product at https://herodevs.com/ ?