Display a warning for OS that has reached EOL (#118)

2025-12-12 15:50:15 -08:00 · 2019-08-18 21:34:46 -10:00
parent 9a9cb016fa
commit 0611bf915b
12 changed files with 611 additions and 8 deletions
--- a/misc/eol/data/debian.csv
+++ b/misc/eol/data/debian.csv
@@ -0,0 +1,19 @@
+1.1,Buzz,buzz,1993-08-16,1996-06-17,1997-06-05
+1.2,Rex,rex,1996-06-17,1996-12-12,1998-06-05
+1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
+2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
+2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
+3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
+4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
+5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
+6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
+8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
+9,Stretch,stretch,2015-04-25,2017-06-17
+10,Buster,buster,2017-06-17
+11,Bullseye,bullseye,2019-08-01
+12,Bookworm,bookworm,2021-08-01
+,Sid,sid,1993-08-16
+,Experimental,experimental,1993-08-16
--- a/misc/eol/data/ubuntu.csv
+++ b/misc/eol/data/ubuntu.csv
@@ -0,0 +1,31 @@
+4.10,Warty Warthog,warty,2004-03-05,2004-10-20,2006-04-30
+5.04,Hoary Hedgehog,hoary,2004-10-20,2005-04-08,2006-10-31
+5.10,Breezy Badger,breezy,2005-04-08,2005-10-12,2007-04-13
+6.06 LTS,Dapper Drake,dapper,2005-10-12,2006-06-01,2009-07-14,2011-06-01
+6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-25
+7.04,Feisty Fawn,feisty,2006-10-26,2007-04-19,2008-10-19
+7.10,Gutsy Gibbon,gutsy,2007-04-19,2007-10-18,2009-04-18
+8.04 LTS,Hardy Heron,hardy,2007-10-18,2008-04-24,2011-05-12,2013-05-09
+8.10,Intrepid Ibex,intrepid,2008-04-24,2008-10-30,2010-04-30
+9.04,Jaunty Jackalope,jaunty,2008-10-30,2009-04-23,2010-10-23
+9.10,Karmic Koala,karmic,2009-04-23,2009-10-29,2011-04-29
+10.04 LTS,Lucid Lynx,lucid,2009-10-29,2010-04-29,2013-05-09,2015-04-29
+10.10,Maverick Meerkat,maverick,2010-04-29,2010-10-10,2012-04-10
+11.04,Natty Narwhal,natty,2010-10-10,2011-04-28,2012-10-28
+11.10,Oneiric Ocelot,oneiric,2011-04-28,2011-10-13,2013-05-09
+12.04 LTS,Precise Pangolin,precise,2011-10-13,2012-04-26,2017-04-26,2017-04-26,2019-04-26
+12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-05-16
+13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-27
+13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
+14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-25,2019-04-25,2022-04-25
+14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
+15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-01-23
+15.10,Wily Werewolf,wily,2015-04-23,2015-10-22,2016-07-22
+16.04 LTS,Xenial Xerus,xenial,2015-10-22,2016-04-21,2021-04-21,2021-04-21,2024-04-21
+16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
+17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-13
+17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
+18.04 LTS,Bionic Beaver,bionic,2017-10-19,2018-04-26,2023-04-26,2023-04-26,2028-04-26
+18.10,Cosmic Cuttlefish,cosmic,2018-04-26,2018-10-18,2019-07-18
+19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-18
+19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
--- a/misc/eol/main.go
+++ b/misc/eol/main.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+// This script displays EOL dates
+func main() {
+	fmt.Println("Debian")
+	debianEOL()
+
+	fmt.Println("\nUbuntu")
+	ubuntuEOL()
+}
+
+func debianEOL() {
+	f, err := os.Open("data/debian.csv")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Split(line, ",")
+
+		if len(fields) < 6 && fields[0] != "" {
+			fmt.Printf("\"%s\": time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),\n", fields[0])
+		} else if len(fields) == 6 {
+			eol, _ := time.Parse("2006-1-2", fields[5])
+			fmt.Printf("\"%s\": time.Date(%d, %d, %d, 23, 59, 59, 0, time.UTC),\n", fields[0], eol.Year(), eol.Month(), eol.Day())
+		}
+	}
+}
+
+func ubuntuEOL() {
+	f, err := os.Open("data/ubuntu.csv")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Split(line, ",")
+
+		eol, _ := time.Parse("2006-1-2", fields[len(fields)-1])
+		fmt.Printf("\"%s\": time.Date(%d, %d, %d, 23, 59, 59, 0, time.UTC),\n", strings.Fields(fields[0])[0], eol.Year(), eol.Month(), eol.Day())
+	}
+}
--- a/pkg/scanner/ospkg/alpine/alpine.go
+++ b/pkg/scanner/ospkg/alpine/alpine.go
@@ -2,6 +2,7 @@ package alpine

 import (
 	"strings"
+	"time"

 	"github.com/knqyf263/fanal/analyzer"
 	version "github.com/knqyf263/go-rpm-version"
@@ -12,6 +13,30 @@ import (
 	"golang.org/x/xerrors"
 )

+var (
+	eolDates = map[string]time.Time{
+		"2.0":  time.Date(2012, 4, 1, 23, 59, 59, 0, time.UTC),
+		"2.1":  time.Date(2012, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.2":  time.Date(2013, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.3":  time.Date(2013, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.4":  time.Date(2014, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.5":  time.Date(2014, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.6":  time.Date(2015, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.7":  time.Date(2015, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.0":  time.Date(2016, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.1":  time.Date(2016, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.2":  time.Date(2017, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.3":  time.Date(2017, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.4":  time.Date(2018, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.5":  time.Date(2018, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.6":  time.Date(2019, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.7":  time.Date(2019, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.8":  time.Date(2020, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.9":  time.Date(2020, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.10": time.Date(2021, 5, 1, 23, 59, 59, 0, time.UTC),
+	}
+)
+
 type Scanner struct{}

 func NewScanner() *Scanner {
@@ -51,3 +76,21 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	if strings.Count(osVer, ".") > 1 {
+		osVer = osVer[:strings.LastIndex(osVer, ".")]
+	}
+
+	eol, ok := eolDates[osVer]
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eol)
+}
--- a/pkg/scanner/ospkg/alpine/alpine_test.go
+++ b/pkg/scanner/ospkg/alpine/alpine_test.go
@@ -0,0 +1,64 @@
+package alpine
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"alpine3.6": {
+			now:       time.Date(2019, 3, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.6",
+			expected:  true,
+		},
+		"alpine3.6 with EOL": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.6.5",
+			expected:  false,
+		},
+		"alpine3.9": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.9.0",
+			expected:  true,
+		},
+		"alpine3.10": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.10",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}
--- a/pkg/scanner/ospkg/debian/debian.go
+++ b/pkg/scanner/ospkg/debian/debian.go
@@ -2,19 +2,40 @@ package debian

 import (
 	"strings"
-
-	version "github.com/knqyf263/go-deb-version"
-
-	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
-
-	"golang.org/x/xerrors"
-
-	"github.com/knqyf263/trivy/pkg/scanner/utils"
+	"time"

 	"github.com/knqyf263/fanal/analyzer"
+	version "github.com/knqyf263/go-deb-version"
+	"golang.org/x/xerrors"
+
 	"github.com/knqyf263/trivy/pkg/log"
+	"github.com/knqyf263/trivy/pkg/scanner/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/debian"
 	debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+)
+
+var (
+	eolDates = map[string]time.Time{
+		"1.1": time.Date(1997, 6, 5, 23, 59, 59, 0, time.UTC),
+		"1.2": time.Date(1998, 6, 5, 23, 59, 59, 0, time.UTC),
+		"1.3": time.Date(1999, 3, 9, 23, 59, 59, 0, time.UTC),
+		"2.0": time.Date(2000, 3, 9, 23, 59, 59, 0, time.UTC),
+		"2.1": time.Date(2000, 10, 30, 23, 59, 59, 0, time.UTC),
+		"2.2": time.Date(2003, 7, 30, 23, 59, 59, 0, time.UTC),
+		"3.0": time.Date(2006, 6, 30, 23, 59, 59, 0, time.UTC),
+		"3.1": time.Date(2008, 3, 30, 23, 59, 59, 0, time.UTC),
+		"4.0": time.Date(2010, 2, 15, 23, 59, 59, 0, time.UTC),
+		"5.0": time.Date(2012, 2, 6, 23, 59, 59, 0, time.UTC),
+		// LTS
+		"6.0": time.Date(2016, 2, 29, 23, 59, 59, 0, time.UTC),
+		"7":   time.Date(2018, 5, 31, 23, 59, 59, 0, time.UTC),
+		"8":   time.Date(2020, 6, 30, 23, 59, 59, 0, time.UTC),
+		"9":   time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"10":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"11":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"12":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+	}
 )

 type Scanner struct{}
@@ -78,3 +99,21 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	if strings.Count(osVer, ".") > 0 {
+		osVer = osVer[:strings.Index(osVer, ".")]
+	}
+
+	eol, ok := eolDates[osVer]
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eol)
+}
--- a/pkg/scanner/ospkg/debian/debian_test.go
+++ b/pkg/scanner/ospkg/debian/debian_test.go
@@ -0,0 +1,64 @@
+package debian
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"debian7": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "7",
+			expected:  false,
+		},
+		"debian8": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "8.11",
+			expected:  true,
+		},
+		"debian8 eol ends": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "8.0",
+			expected:  false,
+		},
+		"debian9": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "9",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}
--- a/pkg/scanner/ospkg/redhat/redhat.go
+++ b/pkg/scanner/ospkg/redhat/redhat.go
@@ -2,8 +2,10 @@ package redhat

 import (
 	"strings"
+	"time"

 	"github.com/knqyf263/fanal/analyzer"
+	"github.com/knqyf263/fanal/analyzer/os"
 	version "github.com/knqyf263/go-rpm-version"
 	"github.com/knqyf263/trivy/pkg/log"
 	"github.com/knqyf263/trivy/pkg/scanner/utils"
@@ -12,6 +14,26 @@ import (
 	"golang.org/x/xerrors"
 )

+var (
+	redhatEOLDates = map[string]time.Time{
+		"4": time.Date(2017, 5, 31, 23, 59, 59, 0, time.UTC),
+		"5": time.Date(2020, 11, 30, 23, 59, 59, 0, time.UTC),
+		"6": time.Date(2024, 6, 30, 23, 59, 59, 0, time.UTC),
+		// N/A
+		"7": time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"8": time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+	}
+	centosEOLDates = map[string]time.Time{
+		"3": time.Date(2010, 10, 31, 23, 59, 59, 0, time.UTC),
+		"4": time.Date(2012, 2, 29, 23, 59, 59, 0, time.UTC),
+		"5": time.Date(2017, 3, 31, 23, 59, 59, 0, time.UTC),
+		"6": time.Date(2020, 11, 30, 23, 59, 59, 0, time.UTC),
+		"7": time.Date(2024, 6, 30, 23, 59, 59, 0, time.UTC),
+		// N/A
+		"8": time.Date(3000, 6, 30, 23, 59, 59, 0, time.UTC),
+	}
+)
+
 type Scanner struct{}

 func NewScanner() *Scanner {
@@ -53,3 +75,27 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	if strings.Count(osVer, ".") > 0 {
+		osVer = osVer[:strings.Index(osVer, ".")]
+	}
+
+	var eolDate time.Time
+	var ok bool
+	if osFamily == os.RedHat {
+		eolDate, ok = redhatEOLDates[osVer]
+	} else if osFamily == os.CentOS {
+		eolDate, ok = centosEOLDates[osVer]
+	}
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eolDate)
+}
--- a/pkg/scanner/ospkg/redhat/redhat_test.go
+++ b/pkg/scanner/ospkg/redhat/redhat_test.go
@@ -0,0 +1,113 @@
+package redhat
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"centos5": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "5.0",
+			expected:  false,
+		},
+		"centos6": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "6.7",
+			expected:  true,
+		},
+		"centos6 (eol ends)": {
+			now:       time.Date(2020, 12, 1, 0, 0, 0, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "6.7",
+			expected:  false,
+		},
+		"centos7": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "7.5",
+			expected:  true,
+		},
+		"centos8": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "8.0",
+			expected:  true,
+		},
+		"two dots": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "centos",
+			osVersion: "8.0.1",
+			expected:  true,
+		},
+		"redhat5": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "5.0",
+			expected:  true,
+		},
+		"redhat6": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "6.7",
+			expected:  true,
+		},
+		"redhat6 (eol ends)": {
+			now:       time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "6.7",
+			expected:  false,
+		},
+		"redhat7": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "7.5",
+			expected:  true,
+		},
+		"redhat8": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "8.0",
+			expected:  true,
+		},
+		"no dot": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "redhat",
+			osVersion: "8",
+			expected:  true,
+		},
+		"debian": {
+			now:       time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "8",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+
+}
--- a/pkg/scanner/ospkg/scan.go
+++ b/pkg/scanner/ospkg/scan.go
@@ -23,6 +23,7 @@ import (

 type Scanner interface {
 	Detect(string, []analyzer.Package) ([]vulnerability.DetectedVulnerability, error)
+	IsSupportedVersion(string, string) bool
 }

 func Scan(files extractor.FileMap) (string, string, []vulnerability.DetectedVulnerability, error) {
@@ -61,6 +62,11 @@ func Scan(files extractor.FileMap) (string, string, []vulnerability.DetectedVuln
 	pkgs = mergePkgs(pkgs, pkgsFromCommands)
 	log.Logger.Debugf("the number of packages: %d", len(pkgs))

+	if !s.IsSupportedVersion(os.Family, os.Name) {
+		log.Logger.Warnf("This OS version is no longer supported by the distribution: %s %s", os.Family, os.Name)
+		log.Logger.Warnf("The vulnerability detection may be insufficient because security updates are not provided")
+	}
+
 	vulns, err := s.Detect(os.Name, pkgs)
 	if err != nil {
 		return "", "", nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err)
--- a/pkg/scanner/ospkg/ubuntu/ubnutu_test.go
+++ b/pkg/scanner/ospkg/ubuntu/ubnutu_test.go
@@ -0,0 +1,70 @@
+package ubuntu
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"ubuntu12.04 eol ends": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.04",
+			expected:  true,
+		},
+		"ubuntu12.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.04",
+			expected:  false,
+		},
+		"ubuntu12.10": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.10",
+			expected:  false,
+		},
+		"ubuntu18.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "18.04",
+			expected:  true,
+		},
+		"ubuntu19.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "19.04",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}
--- a/pkg/scanner/ospkg/ubuntu/ubuntu.go
+++ b/pkg/scanner/ospkg/ubuntu/ubuntu.go
@@ -1,6 +1,8 @@
 package ubuntu

 import (
+	"time"
+
 	version "github.com/knqyf263/go-deb-version"
 	"github.com/knqyf263/trivy/pkg/scanner/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
@@ -11,6 +13,42 @@ import (
 	"github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu"
 )

+var (
+	eolDates = map[string]time.Time{
+		"4.10":  time.Date(2006, 4, 30, 23, 59, 59, 0, time.UTC),
+		"5.04":  time.Date(2006, 10, 31, 23, 59, 59, 0, time.UTC),
+		"5.10":  time.Date(2007, 4, 13, 23, 59, 59, 0, time.UTC),
+		"6.06":  time.Date(2011, 6, 1, 23, 59, 59, 0, time.UTC),
+		"6.10":  time.Date(2008, 4, 25, 23, 59, 59, 0, time.UTC),
+		"7.04":  time.Date(2008, 10, 19, 23, 59, 59, 0, time.UTC),
+		"7.10":  time.Date(2009, 4, 18, 23, 59, 59, 0, time.UTC),
+		"8.04":  time.Date(2013, 5, 9, 23, 59, 59, 0, time.UTC),
+		"8.10":  time.Date(2010, 4, 30, 23, 59, 59, 0, time.UTC),
+		"9.04":  time.Date(2010, 10, 23, 23, 59, 59, 0, time.UTC),
+		"9.10":  time.Date(2011, 4, 29, 23, 59, 59, 0, time.UTC),
+		"10.04": time.Date(2015, 4, 29, 23, 59, 59, 0, time.UTC),
+		"10.10": time.Date(2012, 4, 10, 23, 59, 59, 0, time.UTC),
+		"11.04": time.Date(2012, 10, 28, 23, 59, 59, 0, time.UTC),
+		"11.10": time.Date(2013, 5, 9, 23, 59, 59, 0, time.UTC),
+		"12.04": time.Date(2019, 4, 26, 23, 59, 59, 0, time.UTC),
+		"12.10": time.Date(2014, 5, 16, 23, 59, 59, 0, time.UTC),
+		"13.04": time.Date(2014, 1, 27, 23, 59, 59, 0, time.UTC),
+		"13.10": time.Date(2014, 7, 17, 23, 59, 59, 0, time.UTC),
+		"14.04": time.Date(2022, 4, 25, 23, 59, 59, 0, time.UTC),
+		"14.10": time.Date(2015, 7, 23, 23, 59, 59, 0, time.UTC),
+		"15.04": time.Date(2016, 1, 23, 23, 59, 59, 0, time.UTC),
+		"15.10": time.Date(2016, 7, 22, 23, 59, 59, 0, time.UTC),
+		"16.04": time.Date(2024, 4, 21, 23, 59, 59, 0, time.UTC),
+		"16.10": time.Date(2017, 7, 20, 23, 59, 59, 0, time.UTC),
+		"17.04": time.Date(2018, 1, 13, 23, 59, 59, 0, time.UTC),
+		"17.10": time.Date(2018, 7, 19, 23, 59, 59, 0, time.UTC),
+		"18.04": time.Date(2028, 4, 26, 23, 59, 59, 0, time.UTC),
+		"18.10": time.Date(2019, 7, 18, 23, 59, 59, 0, time.UTC),
+		"19.04": time.Date(2020, 1, 18, 23, 59, 59, 0, time.UTC),
+		"19.10": time.Date(2020, 7, 17, 23, 59, 59, 0, time.UTC),
+	}
+)
+
 type Scanner struct{}

 func NewScanner() *Scanner {
@@ -62,3 +100,17 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	eol, ok := eolDates[osVer]
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eol)
+}