[feature] Add support for endoflife.date #2037

Closed
funnelfiasco opened this issue Jul 18, 2024 · 3 comments · Fixed by #2215
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@funnelfiasco
Contributor

Is your feature request related to a problem? Please describe.
endoflife.date tracks information about when versions reach the end of supported life. This is useful information to include in the understanding of the supply chain. Knowing which dependencies are (or soon will be) unsupported can be an important part of proactively reducing risk.

Describe the solution you'd like
Use the endoflife.date API to fetch EOL dates for nodes in the dependency graph.

Describe alternatives you've considered
As far as I can tell, deps.dev does not offer this information.

Additional context
The API is currently in alpha, so it may be too early to adopt in GUAC.

@funnelfiasco funnelfiasco added the enhancement New feature or request label Jul 18, 2024
@lumjjb
Contributor

lumjjb commented Aug 19, 2024

We took a look at the API of endoflife.date, and it looks like this would be a good first issue to run a certifier.

Two pieces of HasMetadata info:

  • Is EOL? - is this EOL today?
  • EOL date - if exists

Note that some don't have EOL dates, but just say "EOL": true or false. Consumption for these would likely be HasMetadata of something being supported. Consumption may also be an alerting flow on change in metadata (via some policy engine).

Open Questions:

  • How do some of these non-open-source products appear in other tools? For example, Windows. Do we need to match them towards CPEs?

@lumjjb lumjjb added good first issue Good for newcomers help wanted Extra attention is needed labels Aug 19, 2024
@robert-cronin
Contributor

I'd love to give this one a go if no one else has started already.

My first impression is that this would involve something similar to pkg/certifier/clearlydefined/clearlydefined.go, however I am not too sure how the HasMetadata entries mentioned above get added.

Any pointers or guidance on which parts of GUAC might be good reference would be much appreciated!

@pxp928
Collaborator

pxp928 commented Oct 18, 2024

> I'd love to give this one a go if no one else has started already.
>
> My first impression is that this would involve something similar to pkg/certifier/clearlydefined/clearlydefined.go, however I am not too sure how the HasMetadata entries mentioned above get added.
>
> Any pointers or guidance on which parts of GUAC might be good reference would be much appreciated!

Yes that is correct, using the clearlydefined certifier is a good example and will function similarly.

As for the HasMetadata, you can find an example of that usage here in the SPDX Parser (used to store CPEs):

```go
for _, pkg := range s.spdxDoc.Packages {
	// Package input specs previously built for this SPDX package identifier.
	pkgInputSpecs := s.packagePackages[string(pkg.PackageSPDXIdentifier)]
	for _, extRef := range pkg.PackageExternalReferences {
		// Only SECURITY-category external references carry CPEs.
		if extRef.Category == spdx_common.CategorySecurity {
			locator := extRef.Locator
			metadataInputSpec := &model.HasMetadataInputSpec{
				Key:           "cpe",
				Value:         locator,
				Timestamp:     time.Now().UTC(),
				Justification: "spdx cpe external reference",
				Origin:        "GUAC SPDX",
				Collector:     "GUAC",
			}
			// Attach the same metadata to every matching package input spec.
			for i := range pkgInputSpecs {
				hasMetadata := assembler.HasMetadataIngest{
					Pkg:          pkgInputSpecs[i],
					PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
					HasMetadata:  metadataInputSpec,
				}
				preds.HasMetadata = append(preds.HasMetadata, hasMetadata)
			}
		}
	}
}
```

Let us know if you have more questions!
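As an added example (not GUAC's code and not posted by anyone in this thread), the following Go program shows how a certifier might consume endoflife.date's per-product cycle list and turn each cycle into the two HasMetadata-style entries lumjjb describes above: whether the cycle is EOL today, and the EOL date when one exists. It assumes the response shape of endoflife.date's `/api/{product}.json` endpoint, where the `eol` field is either a date string or a boolean. The cycle list below is constructed sample data, `now` is pinned so the result is deterministic, and `metadataEntry` is a local stand-in for the key/value/justification shape of `model.HasMetadataInputSpec`, not the real GUAC type.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// cycle mirrors the fields of one entry in an endoflife.date
// /api/{product}.json response (assumed shape). The "eol" field is either
// a date string ("2024-10-01") or a boolean, so it is kept raw and decoded
// in parseEOL.
type cycle struct {
	Cycle       string          `json:"cycle"`
	ReleaseDate string          `json:"releaseDate"`
	EOL         json.RawMessage `json:"eol"`
}

// eolStatus is the normalized result for one cycle: whether it is EOL as
// of the reference date, and the EOL date when the upstream record has one.
type eolStatus struct {
	Cycle   string
	IsEOL   bool
	EOLDate *time.Time // nil when endoflife.date only reports a boolean
}

// metadataEntry is a hypothetical local stand-in for the key/value shape
// of model.HasMetadataInputSpec; it is not the GUAC type.
type metadataEntry struct {
	Key, Value, Justification string
}

// sampleResponse is constructed sample data in the assumed endoflife.date
// cycle-list shape; it does not describe any real product.
const sampleResponse = `[
  {"cycle": "3.12",    "releaseDate": "2023-10-02", "eol": "2028-10-31"},
  {"cycle": "3.7",     "releaseDate": "2018-06-27", "eol": "2023-06-27"},
  {"cycle": "rolling", "releaseDate": "2020-01-01", "eol": false},
  {"cycle": "legacy",  "releaseDate": "2015-01-01", "eol": true}
]`

// parseEOL interprets the polymorphic "eol" field relative to now.
// A boolean answers "is EOL?" directly; a date answers it by comparison
// and is also returned so it can be recorded as metadata.
func parseEOL(raw json.RawMessage, now time.Time) (bool, *time.Time, error) {
	var b bool
	if err := json.Unmarshal(raw, &b); err == nil {
		return b, nil, nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, nil, fmt.Errorf("eol field is neither bool nor string: %s", raw)
	}
	d, err := time.Parse("2006-01-02", s)
	if err != nil {
		return false, nil, fmt.Errorf("bad eol date %q: %w", s, err)
	}
	return !now.Before(d), &d, nil // EOL once the date has been reached
}

// statusesFor decodes a product's cycle list and classifies each cycle.
func statusesFor(body []byte, now time.Time) ([]eolStatus, error) {
	var cycles []cycle
	if err := json.Unmarshal(body, &cycles); err != nil {
		return nil, err
	}
	out := make([]eolStatus, 0, len(cycles))
	for _, c := range cycles {
		isEOL, d, err := parseEOL(c.EOL, now)
		if err != nil {
			return nil, fmt.Errorf("cycle %s: %w", c.Cycle, err)
		}
		out = append(out, eolStatus{Cycle: c.Cycle, IsEOL: isEOL, EOLDate: d})
	}
	return out, nil
}

// toMetadata turns one status into the entries a certifier would ingest:
// "eol" (is EOL today) always, and "eol_date" only when the date is known.
func toMetadata(s eolStatus) []metadataEntry {
	just := "endoflife.date cycle " + s.Cycle
	entries := []metadataEntry{{Key: "eol", Value: fmt.Sprintf("%t", s.IsEOL), Justification: just}}
	if s.EOLDate != nil {
		entries = append(entries, metadataEntry{
			Key: "eol_date", Value: s.EOLDate.Format("2006-01-02"), Justification: just,
		})
	}
	return entries
}

func main() {
	now := time.Date(2024, 10, 18, 0, 0, 0, 0, time.UTC) // pinned reference date
	statuses, err := statusesFor([]byte(sampleResponse), now)
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		for _, m := range toMetadata(s) {
			fmt.Printf("%-8s %-9s %s\n", s.Cycle, m.Key, m.Value)
		}
	}
}
```

The "is EOL?" answer is computed against the certifier's run time, so a cycle with a future date flips to EOL on a later run even though the upstream record never changes; that is the change in metadata an alerting flow would key on. Boolean-only cycles produce a single "eol" entry and no "eol_date", which matches the open question above about products that are only marked supported or unsupported.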
