
spring-boot EOL not detected by xeol scan #596

@Srujankumar99

Description

What happened:
When scanning a Java-based container image, syft correctly identifies Spring Boot artifacts using their full Maven coordinates (e.g., pkg:maven/org.springframework.boot/spring-boot@4.0.0). However, xeol returns 0 matches even when using a high --lookahead (e.g., 8y), despite the product existing in the endoflife.date API with a confirmed EOL date.

https://endoflife.date/api/spring-boot.json

What you expected to happen:

Since I'm scanning for EOL with a lookahead of 8 years, it has to detect the EOL packages, but it shows NONE.

How to reproduce it (as minimally and precisely as possible):

$ syft $XEOL_SCAN_IMAGE

spring-boot                              4.0.0                                       java-archive  
spring-boot-actuator                     4.0.0                                       java-archive  
spring-boot-actuator-autoconfigure       4.0.0                                       java-archive  
spring-boot-autoconfigure                4.0.0                                       java-archive  
spring-boot-health                       4.0.0                                       java-archive  
spring-boot-http-converter               4.0.0                                       java-archive  
spring-boot-jackson                      4.0.0                                       java-archive  
spring-boot-jarmode-tools                4.0.0                                       java-archive  
spring-boot-jms                          4.0.0                                       java-archive  
spring-boot-micrometer-metrics           4.0.0                                       java-archive  
spring-boot-micrometer-observation       4.0.0                                       java-archive  
spring-boot-persistence                  4.0.0                                       java-archive  
spring-boot-servlet                      4.0.0                                       java-archive  
spring-boot-tomcat                       4.0.0                                       java-archive  
spring-boot-transaction                  4.0.0                                       java-archive  
spring-boot-tx                           4.0.0-M2                                    java-archive  
spring-boot-web-server                   4.0.0                                       java-archive  
spring-boot-webmvc                       4.0.0                                       java-archive  

$ xeol sbom:./sbom.json --lookahead 8y -vv

[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-beans, version=7.0.1, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-actuator, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-actuator-autoconfigure, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-autoconfigure, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-health, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-http-converter, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jackson, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jarmode-tools, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jms, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-micrometer-metrics, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-micrometer-observation, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-persistence, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-servlet, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-tomcat, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-transaction, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-tx, version=4.0.0-M2, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-web-server, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-webmvc, version=4.0.0, upstreams=0)
$ xeol sbom:./sbom.json -o json | jq '.matches'
[]
$ xeol sbom:./sbom.json --lookahead 8y -o json | jq '.matches'
[]
$ xeol sbom:./sbom.json --lookahead 8y -o table
✅ no EOL software has been found

Anything else we need to know?:
EOL data for Spring Boot - https://endoflife.date/api/spring-boot.json

Environment:
Debian image

$ xeol --version
xeol 0.10.8

$ syft --version
syft 1.42.1
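A manual cross-check of the lookup the scanner should be performing, as an added example that is not xeol's or endoflife.date's code: it maps the syft-reported Maven version to a MAJOR.MINOR cycle, looks that cycle up in data shaped like the endoflife.date product feed, and applies a lookahead window. The cycle data, the lookahead syntax and the version-to-cycle rule are assumptions made for illustration; a None result is the "zero matches" outcome from this issue, as opposed to "EOL found but outside the lookahead".

```python
import json
import re
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the shape of an endoflife.date product feed
# (https://endoflife.date/api/<product>.json). Cycle names and dates are
# placeholders for illustration, NOT the real spring-boot data.
SAMPLE_CYCLES_JSON = json.dumps([
    {"cycle": "4.0", "releaseDate": "2025-11-20", "eol": "2026-11-20", "latest": "4.0.0"},
    {"cycle": "3.5", "releaseDate": "2025-05-22", "eol": "2026-06-30", "latest": "3.5.7"},
    {"cycle": "2.7", "releaseDate": "2022-05-19", "eol": "2023-11-24", "latest": "2.7.18"},
    {"cycle": "1.5", "releaseDate": "2017-01-30", "eol": False, "latest": "1.5.22"},
])

_LOOKAHEAD = re.compile(r"^(\d+)([dmy])$")

def parse_lookahead(spec: str) -> timedelta:
    """Parse '8y' / '6m' / '30d' (assumed format; not xeol's own parser)."""
    m = _LOOKAHEAD.match(spec.strip())
    if not m:
        raise ValueError(f"bad lookahead {spec!r}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(days=n * {"d": 1, "m": 30, "y": 365}[unit])

def cycle_for_version(version: str) -> str:
    """Map a Maven version like '4.0.0' or '4.0.0-M2' to its MAJOR.MINOR cycle."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]  # drop -M2 / -SNAPSHOT qualifiers
    parts = core.split(".")
    return ".".join(parts[:2])

def eol_status(cycles_json: str, version: str, today_iso: str, lookahead: str) -> Optional[dict]:
    """Verdict for one package version; None when no cycle covers it (the 'zero matches' case)."""
    today = date.fromisoformat(today_iso)
    wanted = cycle_for_version(version)
    for c in json.loads(cycles_json):
        if str(c["cycle"]) != wanted:
            continue
        eol = c.get("eol")
        if eol is True:    # endoflife.date convention: already EOL, exact date unknown
            return {"cycle": wanted, "eol": None, "past_eol": True, "within_lookahead": True}
        if not eol:        # false/None: no EOL date published yet
            return {"cycle": wanted, "eol": None, "past_eol": False, "within_lookahead": False}
        eol_date = date.fromisoformat(eol)
        return {"cycle": wanted, "eol": eol, "past_eol": eol_date <= today,
                "within_lookahead": eol_date <= today + parse_lookahead(lookahead)}
    return None
```

Replacing SAMPLE_CYCLES_JSON with the body of the real spring-boot.json feed turns this into a quick check of whether a given version should have produced a match.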

Labels: bug