
spring-boot EOL not detected by xeol scan #596

@Srujankumar99

Description


What happened:
When scanning a Java-based container image, syft correctly identifies Spring Boot artifacts using their full Maven coordinates (e.g., pkg:maven/org.springframework.boot/spring-boot@4.0.0). However, xeol returns 0 matches even when using a high --lookahead (e.g., 8y), despite the product existing in the endoflife.date API with a confirmed EOL date.

https://endoflife.date/api/spring-boot.json

What you expected to happen:

Since I'm scanning for EOL with a lookahead of 8 years, it has to detect the EOL packages, but it shows none.

How to reproduce it (as minimally and precisely as possible):

syft $XEOL_SCAN_IMAGE

spring-boot                              4.0.0                                       java-archive  
spring-boot-actuator                     4.0.0                                       java-archive  
spring-boot-actuator-autoconfigure       4.0.0                                       java-archive  
spring-boot-autoconfigure                4.0.0                                       java-archive  
spring-boot-health                       4.0.0                                       java-archive  
spring-boot-http-converter               4.0.0                                       java-archive  
spring-boot-jackson                      4.0.0                                       java-archive  
spring-boot-jarmode-tools                4.0.0                                       java-archive  
spring-boot-jms                          4.0.0                                       java-archive  
spring-boot-micrometer-metrics           4.0.0                                       java-archive  
spring-boot-micrometer-observation       4.0.0                                       java-archive  
spring-boot-persistence                  4.0.0                                       java-archive  
spring-boot-servlet                      4.0.0                                       java-archive  
spring-boot-tomcat                       4.0.0                                       java-archive  
spring-boot-transaction                  4.0.0                                       java-archive  
spring-boot-tx                           4.0.0-M2                                    java-archive  
spring-boot-web-server                   4.0.0                                       java-archive  
spring-boot-webmvc                       4.0.0                                       java-archive  
xeol sbom:./sbom.json --lookahead 8y -vv

[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-beans, version=7.0.1, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-actuator, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-actuator-autoconfigure, version=4.0.0, upstreams=0)
[0000] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-autoconfigure, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-health, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-http-converter, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jackson, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jarmode-tools, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-jms, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-micrometer-metrics, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-micrometer-observation, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-persistence, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-servlet, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-tomcat, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-transaction, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-tx, version=4.0.0-M2, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-web-server, version=4.0.0, upstreams=0)
[0001] DEBUG searching for eol matches for pkg=Pkg(type=java-archive, name=spring-boot-webmvc, version=4.0.0, upstreams=0)
$ xeol sbom:./sbom.json -o json | jq '.matches'
[]
$ xeol sbom:./sbom.json --lookahead 8y -o json | jq '.matches'
[]
$ xeol sbom:./sbom.json --lookahead 8y -o table
✅ no EOL software has been found

Anything else we need to know?:
EOL data for Spring Boot - https://endoflife.date/api/spring-boot.json

Environment:
Debian Image

xeol --version
xeol 0.10.8

syft --version
syft 1.42.1
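The following is an added example, not code from xeol, syft or endoflife.date. It does by hand the matching the scanner has to perform for each SBOM entry: parse the Maven purl, map the artifact to an endoflife.date product, derive the release cycle from the version, look the cycle up in the product JSON, and flag the package when the cycle's EOL date is already past or falls inside a lookahead window such as 8y. The product JSON is a constructed sample in the shape of spring-boot.json (the dates are made up, not the real schedule), the artifact-to-product mapping (every org.springframework.boot artifact belongs to the spring-boot product) and the major.minor cycle rule are assumptions, and the lookahead parser is a simple approximation, not xeol's own.

```python
"""Independent EOL check in the style of the endoflife.date product API.

Added example for this issue; it is not code from xeol or syft.
"""
import re
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the shape of https://endoflife.date/api/spring-boot.json.
# The dates are made up for the example; use the live JSON for a real check.
SAMPLE_SPRING_BOOT = [
    {"cycle": "4.1", "releaseDate": "2026-05-21", "eol": False, "latest": "4.1.0"},
    {"cycle": "4.0", "releaseDate": "2025-11-20", "eol": "2026-12-31", "latest": "4.0.0"},
    {"cycle": "3.5", "releaseDate": "2025-05-22", "eol": "2026-06-30", "latest": "3.5.7"},
    {"cycle": "2.7", "releaseDate": "2022-05-19", "eol": "2023-11-24", "latest": "2.7.18"},
]
PRODUCTS = {"spring-boot": SAMPLE_SPRING_BOOT}

# Constructed SBOM entries mirroring the syft output in this issue.
SBOM_SAMPLE = [
    "pkg:maven/org.springframework.boot/spring-boot@4.0.0",
    "pkg:maven/org.springframework.boot/spring-boot-tx@4.0.0-M2",
    "pkg:maven/org.springframework/spring-beans@7.0.1",
]
# Fixed "today" so the example is reproducible (constructed, not the real date).
EXAMPLE_TODAY = date(2025, 12, 1)

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@/]+)@(?P<version>[^?#]+)")


def parse_maven_purl(purl: str) -> tuple[str, str, str]:
    """Return (groupId, artifactId, version) from a pkg:maven purl."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a Maven purl: {purl}")
    return m["group"], m["name"], m["version"]


def product_for(group: str, name: str) -> Optional[str]:
    """Assumed mapping: every org.springframework.boot artifact is part of
    the endoflife.date 'spring-boot' product; anything else is unmapped."""
    if group == "org.springframework.boot" and (name == "spring-boot" or name.startswith("spring-boot-")):
        return "spring-boot"
    return None


def cycle_of(version: str) -> str:
    """'4.0.0-M2' -> '4.0'. Assumes cycles are keyed by major.minor, as the
    spring-boot product is; the pre-release qualifier is dropped first."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"cannot derive a cycle from version {version!r}")
    return f"{parts[0]}.{parts[1]}"


def parse_lookahead(spec: str) -> timedelta:
    """Parse a window like '30d', '6m' or '8y' (approximation: a month is
    30 days, a year 365; this is not xeol's own parser)."""
    m = re.fullmatch(r"(\d+)([dmy])", spec)
    if not m:
        raise ValueError(f"bad lookahead {spec!r}")
    return timedelta(days=int(m[1]) * {"d": 1, "m": 30, "y": 365}[m[2]])


def eol_status(product: list[dict], version: str, today: date, lookahead: timedelta) -> dict:
    """Look the version's cycle up and decide whether it should be flagged."""
    cycle = cycle_of(version)
    entry = next((c for c in product if c["cycle"] == cycle), None)
    if entry is None:
        return {"cycle": cycle, "matched": False, "eol": None, "flagged": False}
    eol = entry["eol"]
    # endoflife.date encodes "no EOL scheduled" as false and "already EOL,
    # date unknown" as true; otherwise the field is an ISO date string.
    if eol is False:
        return {"cycle": cycle, "matched": True, "eol": None, "flagged": False}
    if eol is True:
        return {"cycle": cycle, "matched": True, "eol": None, "flagged": True}
    eol_date = date.fromisoformat(eol)
    return {"cycle": cycle, "matched": True, "eol": eol_date, "flagged": eol_date <= today + lookahead}


def check_purls(purls: list[str], today: date, lookahead: str = "0d") -> list[dict]:
    """Run every SBOM purl through the check; return only the flagged ones."""
    window = parse_lookahead(lookahead)
    flagged = []
    for purl in purls:
        group, name, version = parse_maven_purl(purl)
        product = product_for(group, name)
        if product is None:
            continue  # no endoflife.date product for this artifact
        status = eol_status(PRODUCTS[product], version, today, window)
        if status["flagged"]:
            flagged.append({"purl": purl, "product": product, **status})
    return flagged


if __name__ == "__main__":
    for hit in check_purls(SBOM_SAMPLE, EXAMPLE_TODAY, "8y"):
        print(f"{hit['purl']}: cycle {hit['cycle']} EOL {hit['eol']}")
```

With the sample data, a zero lookahead flags nothing for the 4.0 cycle (its constructed EOL date is still ahead), while an 8y window flags both spring-boot@4.0.0 and spring-boot-tx@4.0.0-M2 because they resolve to the same 4.0 cycle; spring-beans is skipped as unmapped rather than silently reported as "no EOL". Distinguishing "no product match" from "matched, not yet EOL" is the check worth keeping when triaging a scanner that returns zero matches.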

Labels: bug (Something isn't working)