Provide a endoflife-maven plugin

[laeubi]

Having the EOL for products is cool, but it would be useful to enforce/check for EOL in regular builds.

For that I'd like to propose that there is a endoflife-maven plugin that checks e.g. the toolchains of a maven build for old versions. If you like the idea, I can contribute an initial plugin checking the java parts.

Of course this could be a separate project but I first like to ask if there is interest in having some kind of official plugin for this.

[captn3m0]

Our plan is to integrate with the existing SBOM ecosystem: #763, so you could use existing tools to generate a SBOM for your project, and this SBOM could then be matched against a (feed/tool) provided by us.

That seems like a better approach that lets us work across multiple ecosystems without building tooling for each of them.

[laeubi]

I'm reading through the referenced stuff but don't see how this would solve the issue without providing a maven-plugin to do the stuff (I think most people don't like to execute extra tools generate files and then have other tolls to scan their project) so amybe it would still be usefull to have something right now and later migrate to whatever tooling that is available then?

[captn3m0]

Correct me if I'm wrong, but a maven plugin will be limited in scope to scanning maven-build things (so for eg, it might catch log4j, but not necessarily the Java runtime, or the underlying OS version). Since we cater to a large number of products, and I'm unsure about a tool that would only support a very small subset.

Using SBOM as an intermediate format lets us integrate with an existing ecosystem, including the Java ecosystem:

• https://github.com/CycloneDX/cyclonedx-maven-plugin
• https://github.com/javixeneize/yasca
• https://github.com/CycloneDX/cyclonedx-core-java
• https://plugins.gradle.org/plugin/org.cyclonedx.bom
• https://github.com/AppThreat/cdxgen
• https://github.com/pmckeown/dependency-track-maven-plugin#readme

If you can provide some details about sample usecases for such a maven plugin, it will be easier to validate.

(see list at https://cyclonedx.org/tool-center/)

[laeubi]

Correct me if I'm wrong, but a maven plugin will be limited in scope to scanning maven-build things

It could capture anything that is used in a maven build, but of course could theoretically check whatever you want and the maven process has access to.

it might catch log4j, but not necessarily the Java runtime, or the underlying OS version

It could also check JVM and OS if desired, but I'm more aiming at the things used in the toolchain (that include the jre).

If you can provide some details about sample usecases for such a maven plugin, it will be easier to validate.

So given I have a maven build that uses Java 8, I can get a warning that it is EOL, or even fail the build if I want to enforce not using EOL java tools.