DEV Community

Christian Zink

How to Integrate Endoflife.Date in Dependency-Track EoL

Keeping your software up-to-date is crucial — but what happens when a library reaches end-of-life (EoL)? It stops receiving security updates, leaving your applications exposed to hidden risks.

OWASP Dependency-Track is great for scanning SBOMs (Software Bill of Materials) for vulnerabilities/CVEs. But it does not flag EoL dependencies, and EoL software may have unpatched vulnerabilities that aren't reported, creating hidden risks.

In this guide, I’ll show you how to set up my experimental integration for Dependency-Track and start detecting EoL dependencies from endoflife.date in your projects.


Steps of this tutorial

  • Dependency-Track installation (You can skip this if you already have a running installation)
  • Import SBOM (You can skip this if you already have a project with an SBOM loaded)
  • Get the Dependency-Track API key from the Web UI
  • Install and run the integration

Step 1: Install Dependency-Track

If you already have a running Dependency-Track installation, skip this step. Otherwise, the easiest way is via Docker:

# Download Docker Compose file
curl -LO https://raw.githubusercontent.com/DependencyTrack/dependency-track/main/docker-compose.yml

# Start Dependency-Track stack
docker compose up -d


Once started, navigate to http://localhost:8080 to access the web UI.


Step 2: Import Your SBOM

You need at least one SBOM loaded in Dependency-Track to analyze dependencies. In the web UI:

  1. Go to Projects → Add Project
  2. Upload your SBOM (or use the example SBOM)
  3. Wait for the components to be processed

If you already have a project in Dependency-Track, you can skip this step.


Step 3: Get Your API Key

The EoL integration uses the Dependency-Track API. To get your key:

  1. Log in to the Web UI at http://localhost:8080 (the default address for Dependency-Track installations)
  2. Go to Administration → Access Management → Teams
  3. Generate a new API key for a team
  4. Copy it for later use

Step 4: Install and Run the Integration

You can choose Linux or Windows depending on your environment.

Linux

# Download the latest binary
curl -LO https://github.com/Chriz76/endoflife-dependencytrack/releases/download/v0.1.0-alpha/eol-dt-linux-x64.tar.gz

# Extract the archive
tar -xzvf eol-dt-linux-x64.tar.gz

# Make it executable
chmod +x eol-dt

# Run it
./eol-dt --apikey YOUR_DEPENDENCY_TRACK_API_KEY


Windows

eol-dt --apikey YOUR_DEPENDENCY_TRACK_API_KEY

Step 5: Review Results

  • In the Dependency-Track UI, search for "INT" to see flagged EoL components
  • Check the program output for details about matched components
  • Optionally, provide your own EoL dataset using the --eoldata option


Notes & Tips

  • This project is experimental; use it in test environments first
  • Matching relies on PURL, CPE, and name heuristics, so some results may be incomplete
  • Future improvements: integrate more package repositories, combine EoL with CVE data, allow manual overrides
  • For further options or feedback, see the endoflife-dependencytrack project on GitHub
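To make the matching step and the --eoldata idea concrete, here is an added Python example (my own, not code from the eol-dt tool) that checks component PURLs from Dependency-Track against an endoflife.date-style cycle list; the sample components, the EoL data, and the PURL-to-product mapping are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample components (only the fields used here), not real project data.
COMPONENTS = [
    {"name": "django", "version": "3.2.18", "purl": "pkg:pypi/django@3.2.18"},
    {"name": "django", "version": "4.2.7", "purl": "pkg:pypi/django@4.2.7"},
    {"name": "spring-core", "version": "5.2.9.RELEASE",
     "purl": "pkg:maven/org.springframework/spring-core@5.2.9.RELEASE"},
    {"name": "some-lib", "version": "1.0.0", "purl": "pkg:npm/some-lib@1.0.0"},
]
# Constructed EoL data in the layout of https://endoflife.date/api/<product>.json
# (the kind of file --eoldata lets you supply): "eol" is an ISO date or a bool.
EOL_DATA = {
    "django": [
        {"cycle": "4.2", "eol": "2026-04-01", "latest": "4.2.16"},
        {"cycle": "3.2", "eol": "2024-04-01", "latest": "3.2.25"},
    ],
    "spring-framework": [
        {"cycle": "6.1", "eol": False, "latest": "6.1.13"},
        {"cycle": "5.2", "eol": True, "latest": "5.2.25.RELEASE"},
    ],
}
# Name heuristic (assumed mapping): (purl type, purl name) -> endoflife.date product slug.
PRODUCT_BY_PURL = {("pypi", "django"): "django", ("maven", "spring-core"): "spring-framework"}
# Minimal purl parser: pkg:type/[namespace/]name@version[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)")

def is_eol(cycle, today):
    # endoflife.date encodes "eol" either as a date string or as True/False
    eol = cycle["eol"]
    return eol if isinstance(eol, bool) else date.fromisoformat(eol) <= today

def find_cycle(cycles, version):
    # Longest matching cycle wins, so "3.2" beats "3" for version 3.2.18
    hits = [c for c in cycles if version == c["cycle"] or version.startswith(c["cycle"] + ".")]
    return max(hits, key=lambda c: len(c["cycle"]), default=None)

def check_components(components, eol_data, today_iso):
    # Returns {purl or name: "EOL" | "supported" | "unknown cycle" | "unmatched"}
    today, findings = date.fromisoformat(today_iso), {}
    for comp in components:
        key = comp.get("purl") or comp["name"]
        m = PURL_RE.match(key)
        product = PRODUCT_BY_PURL.get((m["type"], m["name"].lower())) if m else None
        cycles = eol_data.get(product, [])
        if not cycles:
            findings[key] = "unmatched"  # no purl, no product mapping, or no EoL data
            continue
        cycle = find_cycle(cycles, m["version"])
        findings[key] = "unknown cycle" if cycle is None else ("EOL" if is_eol(cycle, today) else "supported")
    return findings
```

Swapping EOL_DATA for a file loaded with json.load gives the same behaviour as supplying your own dataset; unmatched components are the ones the name heuristics cannot place.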

Feedback & Contributions

I’d love your feedback:

  • Does this help detect hidden vulnerabilities?
  • Ideas to improve matching accuracy?
  • Found bugs or missing components?
