OS Matching

[noqcks]

This PR add OS end of life matching. We now have CPE's in endoflife.date we can use, because of this PR. We grab the Distro.CPEName from syft, which picks up the CPE_NAME property in /etc/os-release.

$ xeol -q fedora:29
NAME    VERSION  EOL         DAYS EOL  TYPE
Fedora  29       2019-11-26  1184      os

https://endoflife.date/fedora

There are a couple things to note about this PR:

• It misses a lot of distros that don't define CPE_NAME. I'm going to create a second PR that heuristically creates cpe names for distros that don't have CPE_NAME defined, which should improve coverage a lot.
• It doesn't handle EOL dates for products with ELTS support. I created Handle ELTS configuration #34 to track this improvement.
• It doesn't use SUPPORT_END, this is tracked in Handle OS SUPPORT_END instead of EOL dates from endoflife.date #35

[noqcks]

@witchcraze wondering if you had any thoughts here. You mentioned that you use an internal mapping to map EOL OS'. Wondering if this solution would be missing anything critical?

[witchcraze]

Sorry, my approach was usging "name" and "versionID" .
Some distribution will have several 'name'.
e.g. centos and CentOS, Fedora and Fedora Linux, Amazon Linux and Amazon Linux AMI

I did not check CPE_NAME in /etc/os-release by some reason, but I'll ty to check in our dataset next week and share results.

[witchcraze]

@noqcks

I checked CPE_NAME in /etc/os-release in our environment

• 95% are no data
• Show CPE was from RHEL or those rebuild distributions
• Major CPE patterns are ...
  • cpe:/o:centos:centos:8
  • cpe:/o:rocky:rocky:8:GA
  • cpe:/o:redhat:enterprise_linux:8::baseos
  • cpe:/o:redhat:enterprise_linux:8.1:GA
  • cpe:/o:oracle:linux:8:7:server
  • cpe:2.3:o:amazon:amazon_linux:2

[noqcks]

Yeah, that's what I've found as well. centos/redhat/amazon_linux/oracle are the main distros using CPE_NAME. I will need to create an OS mapping to get good coverage. Would not be good to miss Debian/Ubuntu/Suse

[noqcks]

@witchcraze added some speculative OS matching in #40

so it now works for any distro, even if they don't set CPE_NAME

ubuntu

$ go run main.go ubuntu:18.10

NAME    VERSION  EOL         DAYS EOL  TYPE
Ubuntu  18.10    2019-07-18  1321      os

alpine

$  go run main.go alpine:3.9

NAME          VERSION  EOL         DAYS EOL  TYPE
Alpine Linux  3.9.6    2021-01-01  788       os