Skip to content

feat(echo): support Echo Maven and npm package scanning#10883

Open
LaizaAngrest wants to merge 6 commits into
aquasecurity:mainfrom
LaizaAngrest:support-echo-maven-package-scanning
Open

feat(echo): support Echo Maven and npm package scanning#10883
LaizaAngrest wants to merge 6 commits into
aquasecurity:mainfrom
LaizaAngrest:support-echo-maven-package-scanning

Conversation

@LaizaAngrest

Copy link
Copy Markdown

Description

Extends the Echo vendor (introduced in #10555) to also match Maven packages
patched by Echo. Echo publishes patched Java packages with a +echo.N version
suffix (e.g. org.apache.commons:commons-lang3@3.14.0+echo.1) and its own
advisories via the Echo OSV feed.

Match now recognizes the ecosystem.Maven + +echo.N combination so those
advisories are applied during scanning. No custom comparer is needed: the default
Maven comparer (go-mvn-version) already orders +echo.N correctly.

Stacked on #10555; the diff will be clean once that merges and this is rebased onto main.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (not needed — extends an existing vendor, no new options).
  • I've added usage information (n/a — no new options).
  • I've included a "before" and "after" example to the description (n/a — not a user-interface change).

orizerah added 2 commits May 19, 2026 11:22
Echo provides patched Python packages identified by a PEP 440 local
version suffix ("+echo.N"). Register the vendor via the library/all
package so its advisories are queried under the "echo pip::" bucket.
Match now uses a regex to enforce the documented "+echo.N" format
where N is numeric, rather than accepting any string containing
"+echo.".

@jashwanth-reddy-g jashwanth-reddy-g left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! The implementation looks solid and cleanly integrates into Trivy's vendor detection logic.

I have a couple of minor performance-related suggestions to ensure we keep the scanning overhead as low as possible.

1. Optimize Match with a Fast-Path Check

The Match function is called for every parsed package in the Pip and Maven ecosystems. Trivy can process thousands of packages in a single scan. Using regexp.MatchString directly for every package introduces a performance overhead due to the regex state machine execution.

We can preempt the regex execution with a much faster strings.Contains check, which will short-circuit for the vast majority of non-Echo packages:

import "strings"

// ...

func (echoVendor) Match(eco ecosystem.Type, _, pkgVer string) bool {
	switch eco {
	case ecosystem.Pip, ecosystem.Maven:
		// Fast-path: quickly reject non-Echo versions before invoking the regex
		return strings.Contains(pkgVer, "+echo.") && echoLocalSegmentRe.MatchString(pkgVer)
	default:
		return false
	}
}

2. Avoid fmt.Sprintf in BucketPrefix

BucketPrefix is used frequently during advisory lookups. Using fmt.Sprintf allocates memory and relies on reflection. Since e.Name() is a short static string and eco uses string as its underlying type, direct string concatenation is significantly faster and allocation-friendly:

func (e echoVendor) BucketPrefix(eco ecosystem.Type) string {
	return e.Name() + " " + string(eco) + "::"
}

(If you make this change, you can remove the fmt import entirely).

Otherwise, the tests and implementation look excellent!

@LaizaAngrest

Copy link
Copy Markdown
Author

@gmrnlg1971 Thanks for the review! 🙏

  1. Match fast-path — done. Added the strings.Contains(pkgVer, "+echo.") short-circuit before the regex, so non-Echo packages bail out cheaply.

  2. BucketPrefix (fmt.Sprintf → concat) — I left this one as-is, since BucketPrefix isn't part of this PR's change: it comes from the base PR feat(echo): Support echo language package scanning #10555 (this Maven PR is stacked on it and only adds the ecosystem.Maven case + tests). To keep the diff scoped and avoid a conflict on rebase, this optimization is better to made on feat(echo): Support echo language package scanning #10555 so it lands once for both pip and maven — @orizerah please fix it in your branch 😊

orizerah and others added 3 commits June 28, 2026 11:24
Use direct string concatenation instead of fmt.Sprintf. e.Name() is a
short static string and ecosystem.Type has string as its underlying
type, so concatenation is faster and avoids the allocation/reflection
of a format call on this hot advisory-lookup path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extends the Echo vendor to match Maven packages carrying the +echo.N
suffix. The default Maven comparer already orders +echo.N correctly, so
no custom comparer is needed.

Depends on aquasecurity#10555 (Echo pip language package scanning).

Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
@LaizaAngrest
LaizaAngrest force-pushed the support-echo-maven-package-scanning branch from 01c32a3 to 4700d31 Compare June 28, 2026 09:57
@LaizaAngrest

Copy link
Copy Markdown
Author

@gmrnlg1971
BucketPrefix — @orizerah applied the fmt.Sprintf → concat change in the base PR #10555, and I've rebased on top, so it's in here now too.

npm follows SemVer, which excludes build metadata from precedence, so
the standard npm comparer treats 2.14.2+echo.1 and 2.14.2+echo.2 as
equal and cannot order Echo's successive patched builds. Add an
Echo-aware npm comparer that breaks SemVer ties on the +echo.N build
number: 2.14.2 < 2.14.2+echo.1 < 2.14.2+echo.2 < 2.14.3.

Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
@LaizaAngrest LaizaAngrest changed the title feat(echo): support Echo Maven package scanning feat(echo): support Echo Maven and npm package scanning Jul 2, 2026
@LaizaAngrest

Copy link
Copy Markdown
Author

@gmrnlg1971
Heads-up: expanded this PR to also cover Echo npm packages (same +echo.N convention). Unlike maven, npm couldn't use the default comparer: SemVer excludes build metadata from precedence, so 2.14.2+echo.1 and 2.14.2+echo.2 compare equal — a package at +echo.1 with the fix at +echo.2 would be wrongly reported as fixed. The new npmComparer breaks SemVer ties on the +echo.N build number.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants