Unsupported Software
Detection
Your vulnerability scanner has a blind spot, and it's shaped exactly like end-of-life software. Scanners detect known vulnerabilities — published CVEs matched against installed versions. But when software goes EOL, researchers and maintainers largely stop filing and fixing CVEs against it. The result is perverse: the less supported a version is, the cleaner it can look in a scan. Detecting unsupported software takes a different kind of data — lifecycle dates, not vulnerability feeds — and that's what this page is about.
Why Scanners Miss Unsupported Software
A CVE only exists if someone finds a vulnerability, reports it, and gets it catalogued. Active projects generate a steady stream of them because people are looking. Once a version passes end of life, the maintainer stops patching, researchers move on, and the CVE stream dries up — not because the software got safer, but because nobody is watching it anymore. Unsupported software doesn't announce itself, either: it keeps serving traffic and passing health checks exactly as before. The only signal that anything changed is a date on a vendor lifecycle page, and that signal never appears in a vulnerability feed.
CVE Scanning vs. EOL Detection
| Vulnerability Scanning | EOL Detection | |
|---|---|---|
| Data source | Published CVE feeds | Vendor support lifecycles and EOL dates |
| Catches | Known, catalogued vulnerabilities | Versions that will never receive another patch |
| Fails when | Nobody files CVEs against abandoned software | A product's lifecycle isn't tracked |
| Answers | "What is currently known to be broken?" | "What will stay broken forever?" |
These are complements, not substitutes. You need both — but most teams already have the first and are missing the second.
The Detection Toolkit
endoflife.ai covers the EOL side with lifecycle data for 480+ products, consumable three ways depending on how deep you want to go:
- EOL Checker — one product at a timeType a product and version into the free checker and get its support status, EOL date, and risk score instantly. The fastest way to answer "is this thing still supported?"
- Stack Scanner — a whole dependency file at onceUpload or paste a
requirements.txt,package.json,Gemfile, orcomposer.jsonand the scanner flags every recognized dependency as EOL, warning, or active. - API — continuous detectionWire the API into CI/CD or a scheduled inventory job so detection runs automatically. The free tier includes 500 requests per day.
After Detection: What to Do With Findings
Detection produces a list; the list needs an order. The EOL Risk Score — a 0–100 benchmark weighing how long a version has been EOL, its attack surface, CISA KEV exposure, and whether extended support exists — gives you that order. From there, each finding gets one of two treatments: migrate to a supported version, or bridge the gap with paid extended support while a migration is planned. The EOL management guide covers that decision in full, and if the bridge is the right call, we can match you with an extended-support provider for free.
Find your blind spot now
Check a single product in seconds, or scan an entire dependency file.
Frequently Asked Questions
Why doesn't my vulnerability scanner detect unsupported software?
Vulnerability scanners match installed versions against published CVEs. When software goes end of life, researchers and maintainers largely stop filing and fixing CVEs against it — so an EOL version can look clean in a scan precisely because nobody is looking at it anymore. Detecting unsupported software requires lifecycle data (support dates), not vulnerability data.
How do I detect end-of-life software in my stack?
Three ways on endoflife.ai: look up a single product and version in the free EOL Checker; upload a dependency file (requirements.txt, package.json, Gemfile, or composer.json) to the Stack Scanner for a full lifecycle report; or query the API — free tier of 500 requests per day — to run detection continuously in CI/CD or an inventory job.
What counts as unsupported software?
Any version whose maintainer has stopped shipping security patches — either because the whole product reached end of life or because that specific version line fell out of its support window. It keeps running normally, which is exactly why it goes undetected.
What should I do with software I detect as EOL?
Prioritize it with the EOL Risk Score (a 0–100 benchmark), then either plan a migration or, if you need time, bridge the gap with extended support — endoflife.ai can match you with an appropriate provider for free.