
EOL Dataset

Find every EOL dependency in your stack. Free. In 5 minutes.

2026-04-22

Product Introduction

  1. Definition: The HeroDevs EOL Dataset is a software lifecycle intelligence platform and database that identifies End-of-Life (EOL) and abandoned open-source components in a software supply chain. Technically it is a Software Composition Analysis (SCA) enhancement: it adds maintenance-status visibility for over 12 million package versions across major ecosystems, including npm, Maven, PyPI, NuGet, Go and Cargo.

  2. Core Value Proposition: Traditional security tools focus on known CVEs (Common Vulnerabilities and Exposures). The EOL Dataset addresses the "maintenance gap": components that no longer receive security patches from their original maintainers, so a vulnerability found in them will not be fixed upstream. Identifying these dependencies mitigates the operational and security risk of unsupported open-source software and supports compliance programs (SOC 2, PCI DSS, HIPAA) that expect production software to be actively supported. It turns the reactive "find-and-fix" vulnerability cycle into a proactive lifecycle management strategy.

Main Features

  1. ML-Based Abandonment Detection: Beyond tracking official EOL declarations, the platform applies machine learning to maintainer activity signals: commit frequency, issue response times and contributor churn. From these it predicts "stealth abandonment", where a package is effectively dead but has never been formally deprecated, and gives engineering teams an early warning before the lack of maintenance becomes an incident.

  2. Deep Transitive Dependency Resolution: The EOL Dataset resolves the complete dependency graph from manifest files (package.json, pom.xml, requirements.txt) or SBOMs (CycloneDX, SPDX). It flags risks in transitive dependencies, the libraries your direct dependencies pull in, which account for approximately 93% of the average application's attack surface. Even when a direct dependency is supported, any unsupported component beneath it is flagged.

  3. Fleet-Wide Compliance Reporting and Mapping: The tool provides a "single pane of glass" view that maps EOL findings directly to regulatory requirements. It generates audit-ready reports for frameworks such as PCI DSS 4.0, SOC 2, HIPAA, NIST SP 800-53 and the EU Cyber Resilience Act (CRA). Findings can be exported as PDF or CSV, or pushed directly into Jira to drive remediation workflows.

Problems Solved

  1. Pain Point: The "Ghost Vulnerability" Risk: Standard SCA tools often report zero vulnerabilities for abandoned packages, not because the code is clean but because no one is still looking for or reporting CVEs in it. The EOL Dataset treats the absence of maintenance itself as a primary risk factor, removing the false sense of security that leaves unpatched legacy components exposed when a flaw is eventually found and no upstream fix exists to apply.

  2. Target Audience:

  • IT Security Managers: Who need to enforce security policies and reduce the organizational attack surface.
  • Compliance and Audit Officers: Who require documented evidence that all software in production is actively supported to satisfy PCI DSS or SOC 2 requirements.
  • Software Development Managers/Engineering Leaders: Who need to manage technical debt and prioritize refactoring or migration efforts based on actual component lifecycle data.
  • DevOps/Site Reliability Engineers (SREs): Who integrate automated lifecycle scanning into CI/CD pipelines to prevent EOL software from reaching production.

  3. Use Cases:

  • Audit Preparation: Running a full scan across all repositories to identify and remediate EOL software before a formal SOC 2 or PCI DSS audit.
  • Mergers and Acquisitions (M&A) Due Diligence: Rapidly assessing the technical debt and security health of a target company's codebase by scanning their SBOMs.
  • Legacy Modernization: Identifying which frameworks (e.g., AngularJS, Vue 2, Spring 4) require immediate migration or the implementation of Never-Ending Support (NES) to maintain security continuity.

Unique Advantages

  1. Differentiation from Traditional SCA: Most SCA tools (Snyk or GitHub Advanced Security, for example) are vulnerability-centric: they alert only when a published vulnerability matches a version you use. The EOL Dataset is lifecycle-centric: it alerts when the source of future fixes disappears. With 1,700x more EOL-specific data than standard scanners, it fills a blind spot in the DevSecOps stack.

  2. Integrated Remediation via NES: Unlike tools that only notify you of a failure, HeroDevs offers a direct remediation path. For frameworks too deeply embedded to migrate quickly (such as .NET 6 or Node 16, both past upstream end-of-life), the EOL Dataset connects users to Never-Ending Support (NES): drop-in, supported replacements that continue to receive security patches without API or code changes.

Frequently Asked Questions (FAQ)

  1. How does EOL Dataset differ from a standard CVE scanner? Standard CVE scanners check if a version has a known vulnerability. The EOL Dataset checks if anyone is still fixing the software. Many abandoned packages have zero reported CVEs simply because they are no longer being audited, making them "invisible" risks to standard scanners.

  2. Can this tool help with PCI DSS 4.0 compliance? Yes. PCI DSS 4.0 requirement 12.3.4 requires that hardware and software technologies in use be reviewed at least once every 12 months, including whether they still receive security fixes from their vendors and what the plan is for remediating technologies that are outdated or have an announced end-of-life. The EOL Dataset provides the discovery, tracking and reporting needed to show auditors that every EOL component in the payment environment has been identified and is being managed.

  3. What file types do I need to run an EOL scan? You can start a scan by uploading standard package manifests such as package.json (Node.js), pom.xml (Java), requirements.txt (Python), go.mod (Go), or .csproj (.NET). It also supports industry-standard SBOM formats including CycloneDX and SPDX for instant, agentless analysis.

  4. Does the EOL Dataset handle transitive dependencies? Absolutely. The platform resolves the full dependency tree. This is critical because while your primary library might be current, the libraries it depends on may have been abandoned years ago. The EOL Dataset surfaces these hidden risks across the entire stack.
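The transitive-resolution feature described under Main Features and this FAQ answer both come down to the same mechanism: walk the full dependency graph, classify every reachable component against lifecycle data, and attribute each EOL hit to the direct dependency that pulled it in. The Python below is an added example written for this page, not HeroDevs code and not the EOL Dataset's own API. It parses a constructed CycloneDX 1.5 SBOM (the package names, versions and bom-refs are invented), walks the `dependencies` graph from the root component, and checks each component against a constructed lifecycle table that stands in for a real dataset (the EOL dates are invented too). Components with no lifecycle record are reported UNKNOWN rather than SUPPORTED, which is the "ghost vulnerability" caveat from the Problems Solved section applied in practice: absence of data is not evidence of maintenance.

```python
"""Flag end-of-life components in a CycloneDX SBOM, including transitive ones.
Added illustration, not HeroDevs code. EOL_TABLE is a constructed stand-in for a
lifecycle dataset; real EOL dates must come from maintainers or a maintained source."""
import json
from collections import deque
from datetime import date

# Constructed CycloneDX 1.5 SBOM for a fictional app. The direct dependency
# web-framework is supported but pulls in legacy-xml-parser, which is EOL;
# tiny-util has no lifecycle record at all.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "shop-api",
                             "version": "2.3.0", "bom-ref": "pkg:npm/shop-api@2.3.0"}},
  "components": [
    {"type": "library", "name": "web-framework", "version": "5.1.0", "bom-ref": "pkg:npm/web-framework@5.1.0"},
    {"type": "library", "name": "auth-lib", "version": "3.0.0", "bom-ref": "pkg:npm/auth-lib@3.0.0"},
    {"type": "library", "name": "legacy-xml-parser", "version": "1.4.2", "bom-ref": "pkg:npm/legacy-xml-parser@1.4.2"},
    {"type": "library", "name": "tiny-util", "version": "0.9.0", "bom-ref": "pkg:npm/tiny-util@0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/shop-api@2.3.0",
     "dependsOn": ["pkg:npm/web-framework@5.1.0", "pkg:npm/auth-lib@3.0.0"]},
    {"ref": "pkg:npm/web-framework@5.1.0", "dependsOn": ["pkg:npm/legacy-xml-parser@1.4.2"]},
    {"ref": "pkg:npm/legacy-xml-parser@1.4.2", "dependsOn": ["pkg:npm/tiny-util@0.9.0"]},
    {"ref": "pkg:npm/auth-lib@3.0.0", "dependsOn": []},
    {"ref": "pkg:npm/tiny-util@0.9.0", "dependsOn": []}
  ]
}
"""

# Constructed lifecycle table keyed by (name, major version): the EOL date, or
# None while the release line is still supported. Anything absent is reported as
# UNKNOWN rather than SUPPORTED; lack of data is not evidence of maintenance.
EOL_TABLE = {
    ("web-framework", "5"): None,
    ("auth-lib", "3"): None,
    ("legacy-xml-parser", "1"): date(2022, 6, 30),
}


def lifecycle_status(name, version, as_of):
    """Return (status, eol_iso) for one component as of the scan date."""
    key = (name, version.split(".")[0])
    if key not in EOL_TABLE:
        return "UNKNOWN", None
    eol = EOL_TABLE[key]
    if eol is None:
        return "SUPPORTED", None
    return ("EOL" if eol <= as_of else "SUPPORTED"), eol.isoformat()


def scan_sbom(sbom_text, as_of_iso):
    """Breadth-first walk of the dependency graph from the root component.
    Each finding keeps the shortest path from a direct dependency, so a
    transitive EOL hit names the library that pulled it in."""
    as_of = date.fromisoformat(as_of_iso)
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings, seen = {}, {root}
    queue = deque([(root, [])])
    while queue:
        ref, path = queue.popleft()
        for child in graph.get(ref, []):
            if child in seen or child not in comps:
                continue  # already classified via a shorter path, or a dangling ref
            seen.add(child)
            comp = comps[child]
            status, eol = lifecycle_status(comp["name"], comp["version"], as_of)
            child_path = path + [child]
            findings[child] = {"status": status, "eol": eol, "path": child_path,
                               "direct": len(child_path) == 1}
            queue.append((child, child_path))
    return findings


def ci_gate(findings, fail_on_unknown=False):
    """Decide whether a pipeline should fail on these findings. Returns (ok, reasons)."""
    reasons = []
    for ref, f in findings.items():
        via = " -> ".join(f["path"])
        if f["status"] == "EOL":
            reasons.append(f"{ref} EOL since {f['eol']} (via {via})")
        elif f["status"] == "UNKNOWN" and fail_on_unknown:
            reasons.append(f"{ref} has no lifecycle record (via {via})")
    return (not reasons), reasons


if __name__ == "__main__":
    ok, reasons = ci_gate(scan_sbom(SBOM_JSON, "2026-04-22"))
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print(" -", r)
```

Run against the constructed SBOM as of 2026-04-22, the gate fails on `legacy-xml-parser`, reached via `web-framework`, even though `web-framework` itself is supported; `tiny-util` is UNKNOWN and only fails the build when `fail_on_unknown=True`, which is the setting a team would choose once it wants every production component positively accounted for. Keying the table on major version is an assumption made for brevity; real lifecycle data is often declared per release line, and a production check should match on whatever granularity the data source actually uses.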
