Director of Information Security
Best Practices to create a SBOM with EOS/EOL Timeline to aid vulnerability remediation (currently use GitLab as our pipeline and Nexus repository).

Group Director of Information Security

It's a 5-step process which you will need to correlate for your environment.
1. Integrate dependency scanners (e.g., GitLab's built-in scanner, Trivy, Snyk, OWASP Dependency-Check or your existing Nexus repo) to flag outdated dependencies and use GitLab’s security dashboard to monitor deprecated packages.
2. Set up GitLab CI/CD rules to fail builds if EOL/EOS dependencies are detected and enforce allow/block lists for dependencies using GitLab’s security policies.
3. Configure GitLab to generate reports when a dependency is approaching its EOL and see if you can use GitLab’s webhook integrations to notify security teams via Slack, email, or Jira.
4. Implement dependency auto-updating tools (e.g., Renovate, Dependabot) to replace (identified & manually verified) EOL/EOS components. If no direct upgrade path exists, isolate the outdated component via containerization or sandboxing.
5. Maintain a historical record of all SBOMs and EOL/EOS alerts for compliance audits (ISO 27001, NIST, etc.). Regularly conduct security reviews using GitLab’s security reports.
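As an added example (not code from the answer above, nor from GitLab or Nexus), here is the kind of gate that steps 2 and 3 describe: a script a GitLab CI job could run over the SBOM produced earlier in the pipeline, comparing each component's release line against an EOL/EOS timeline, failing the job on anything already past EOL, and emitting a JSON report of components approaching EOL that a later notification step could forward. The SBOM, the component names, the timeline dates and the fixed reference date are all constructed for the example; the CycloneDX-style JSON layout and the 90-day warning window are assumptions.

```python
"""Added example: gate a CycloneDX-style SBOM against an EOL/EOS timeline.
All sample data below is constructed; component names are placeholders."""
import json
import sys
from datetime import date, timedelta

# Constructed sample SBOM (CycloneDX-style JSON; only the fields this check uses).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.9"},
        {"type": "library", "name": "example-db-driver", "version": "4.1.3"},
        {"type": "library", "name": "example-crypto", "version": "2.0.1"},
        {"type": "library", "name": "example-logger", "version": "0.9.4"},
    ],
})

# Constructed EOL/EOS timeline keyed by (name, major.minor release line).
# None means no EOL has been announced; a missing key means the release line
# is not tracked at all. Dates are assumptions for the example.
EOL_TIMELINE = {
    ("example-http", "1.2"): date(2023, 6, 30),
    ("example-db-driver", "4.1"): date(2025, 3, 1),
    ("example-crypto", "2.0"): None,
}

# Fixed reference date so the example output is reproducible (assumption).
EXAMPLE_TODAY = date(2025, 1, 15)


def release_line(version):
    """Reduce a version string to its major.minor release line ("4.1.3" -> "4.1")."""
    return ".".join(version.split(".")[:2])


def classify_components(sbom_json, timeline, today, warn_days=90):
    """Sort SBOM components into blocked (past EOL), warning (EOL within
    warn_days), clean (no EOL, or EOL further out) and unknown (release line
    absent from the timeline, i.e. a coverage gap in the EOL data itself)."""
    report = {"blocked": [], "warning": [], "clean": [], "unknown": []}
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        key = (comp["name"], release_line(comp["version"]))
        if key not in timeline:
            report["unknown"].append(label)
            continue
        eol = timeline[key]
        if eol is None:
            report["clean"].append(label)
        elif eol <= today:
            report["blocked"].append({"component": label, "eol": eol.isoformat()})
        elif eol - today <= timedelta(days=warn_days):
            report["warning"].append({"component": label, "eol": eol.isoformat(),
                                      "days_left": (eol - today).days})
        else:
            report["clean"].append(label)
    return report


def gate_exit_code(report, block_unknown=False):
    """0 lets the pipeline continue; 1 fails the job. Untracked release lines
    only fail the build when block_unknown is set, so gaps in the EOL data stay
    visible in the report without stopping every pipeline."""
    if report["blocked"]:
        return 1
    if block_unknown and report["unknown"]:
        return 1
    return 0


if __name__ == "__main__":
    # In a CI job the SBOM would come from the pipeline's dependency-scanning
    # stage; the JSON printed here is what a webhook/notification step forwards.
    result = classify_components(SAMPLE_SBOM, EOL_TIMELINE, EXAMPLE_TODAY)
    print(json.dumps(result, indent=2))
    sys.exit(gate_exit_code(result))
```

The "unknown" bucket is the part worth keeping when adapting this: a component that is simply missing from your timeline is not the same as one with no announced EOL, and reporting it separately is what lets you measure how much of the SBOM the EOL data actually covers before you decide to make it blocking.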