feat(echo): support Echo Maven and npm package scanning#10883
feat(echo): support Echo Maven and npm package scanning#10883LaizaAngrest wants to merge 6 commits into
Conversation
Echo provides patched Python packages identified by a PEP 440 local
version suffix ("+echo.N"). Register the vendor via the library/all
package so its advisories are queried under the "echo pip::" bucket.
Match now uses a regex to enforce the documented "+echo.N" format where N is numeric, rather than accepting any string containing "+echo.".
jashwanth-reddy-g
left a comment
There was a problem hiding this comment.
Thanks for the contribution! The implementation looks solid and cleanly integrates into Trivy's vendor detection logic.
I have a couple of minor performance-related suggestions to ensure we keep the scanning overhead as low as possible.
1. Optimize Match with a Fast-Path Check
The Match function is called for every parsed package in the Pip and Maven ecosystems. Trivy can process thousands of packages in a single scan. Using regexp.MatchString directly for every package introduces a performance overhead due to the regex state machine execution.
We can preempt the regex execution with a much faster strings.Contains check, which will short-circuit for the vast majority of non-Echo packages:
import "strings"
// ...
func (echoVendor) Match(eco ecosystem.Type, _, pkgVer string) bool {
switch eco {
case ecosystem.Pip, ecosystem.Maven:
// Fast-path: quickly reject non-Echo versions before invoking the regex
return strings.Contains(pkgVer, "+echo.") && echoLocalSegmentRe.MatchString(pkgVer)
default:
return false
}
}2. Avoid fmt.Sprintf in BucketPrefix
BucketPrefix is used frequently during advisory lookups. Using fmt.Sprintf allocates memory and relies on reflection. Since e.Name() is a short static string and eco uses string as its underlying type, direct string concatenation is significantly faster and allocation-friendly:
func (e echoVendor) BucketPrefix(eco ecosystem.Type) string {
return e.Name() + " " + string(eco) + "::"
}(If you make this change, you can remove the fmt import entirely).
Otherwise, the tests and implementation look excellent!
|
@gmrnlg1971 Thanks for the review! 🙏
|
Use direct string concatenation instead of fmt.Sprintf. e.Name() is a short static string and ecosystem.Type has string as its underlying type, so concatenation is faster and avoids the allocation/reflection of a format call on this hot advisory-lookup path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extends the Echo vendor to match Maven packages carrying the +echo.N suffix. The default Maven comparer already orders +echo.N correctly, so no custom comparer is needed. Depends on aquasecurity#10555 (Echo pip language package scanning). Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
01c32a3 to
4700d31
Compare
npm follows SemVer, which excludes build metadata from precedence, so the standard npm comparer treats 2.14.2+echo.1 and 2.14.2+echo.2 as equal and cannot order Echo's successive patched builds. Add an Echo-aware npm comparer that breaks SemVer ties on the +echo.N build number: 2.14.2 < 2.14.2+echo.1 < 2.14.2+echo.2 < 2.14.3. Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
|
@gmrnlg1971 |
Description
Extends the Echo vendor (introduced in #10555) to also match Maven packages
patched by Echo. Echo publishes patched Java packages with a
+echo.Nversionsuffix (e.g.
org.apache.commons:commons-lang3@3.14.0+echo.1) and its ownadvisories via the Echo OSV feed.
Matchnow recognizes theecosystem.Maven++echo.Ncombination so thoseadvisories are applied during scanning. No custom comparer is needed: the default
Maven comparer (
go-mvn-version) already orders+echo.Ncorrectly.Related issues
Related PRs
Checklist