From 5325907185160adf71fa8c1039d432052b579f99 Mon Sep 17 00:00:00 2001
From: Laiza Angrest
Date: Thu, 18 Jun 2026 11:00:56 +0300
Subject: [PATCH 1/2] feat(echo): Add echo maven support Extends the Echo ecosystem to support Maven versioning semantics via the Echo:Maven suffix, allowing Echo to publish advisories for secured Maven packages without affecting the unrelated upstream Maven ecosystem. Versioning is delegated to the underlying Maven ecosystem helper, mirroring the existing Echo:PyPI handling (#5286).
---
 go/osv/ecosystem/echo.go | 10 +++++++---
 osv/ecosystems/_ecosystems_test.py | 14 ++++++++++++++
 osv/ecosystems/echo.py | 7 ++++++-
 3 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/go/osv/ecosystem/echo.go b/go/osv/ecosystem/echo.go
index 49187529482..2783b0586c6 100644
--- a/go/osv/ecosystem/echo.go
+++ b/go/osv/ecosystem/echo.go
@@ -21,6 +21,7 @@ import "strings"
 // Echo provides secured packages across multiple ecosystems:
 // - Echo - Debian-based packages (dpkg versioning)
 // - Echo:PyPI - Python packages (PyPI/PEP 440 versioning)
+// - Echo:Maven - Maven packages (Maven versioning)
 //
 // Versioning is delegated to the underlying ecosystem helper.
 type echoEcosystem struct {
@@ -28,11 +29,14 @@ type echoEcosystem struct {
 }
 func echoFactory(p *Provider, suffix string) Ecosystem {
- if strings.EqualFold(suffix, "pypi") {
+ switch {
+ case strings.EqualFold(suffix, "pypi"):
 return echoEcosystem{Ecosystem: pypiEcosystem{p: p}}
+ case strings.EqualFold(suffix, "maven"):
+ return echoEcosystem{Ecosystem: mavenEcosystem{p: p}}
+ default:
+ return echoEcosystem{Ecosystem: dpkgEcosystem{}}
 }
-
- return echoEcosystem{Ecosystem: dpkgEcosystem{}}
 }
 func (e echoEcosystem) NormalizePackageName(name string) string {
diff --git a/osv/ecosystems/_ecosystems_test.py b/osv/ecosystems/_ecosystems_test.py
index 9fdbb04759c..f575137e3c0 100644
--- a/osv/ecosystems/_ecosystems_test.py
+++ b/osv/ecosystems/_ecosystems_test.py
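Review bot: The `default:` arm of `echoFactory` in go/osv/ecosystem/echo.go sends every unrecognised suffix to dpkg ordering, and `_delegate` in osv/ecosystems/echo.py does the same through its final `return DPKG()`. Now that the suffix selects between three incompatible version schemes, a mistyped or not-yet-supported suffix would be compared under dpkg rules, and an affected-range check could come out wrong without any error being raised. Whether the suffix is validated before it reaches the factory is not visible in this patch. If it is not, the fallback should at least be documented at the `default:` arm, for example `// Unknown suffixes fall back to dpkg ordering; callers must reject unsupported ones.`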
@@ -76,6 +76,20 @@ def test_echo_pypi_ecosystem(self):
 self.assertLess(echo_pypi.sort_key('1.0.0rc1'), echo_pypi.sort_key('1.0.0'))
 self.assertLess(echo_pypi.sort_key('1.9'), echo_pypi.sort_key('1.10'))
+ def test_echo_maven_ecosystem(self):
+ """Test that Echo:Maven uses Maven version ordering"""
+ self.assertTrue(ecosystems.is_known('Echo:Maven'))
+
+ echo_maven = ecosystems.get('Echo:Maven')
+ self.assertIsNotNone(echo_maven)
+
+ # Maven version ordering
+ self.assertLess(echo_maven.sort_key('1.0.0'), echo_maven.sort_key('1.0.1'))
+ self.assertLess(
+ echo_maven.sort_key('1.0-alpha1'), echo_maven.sort_key('1.0'))
+ self.assertLess(echo_maven.sort_key('1.0-rc1'), echo_maven.sort_key('1.0'))
+ self.assertLess(echo_maven.sort_key('1.9'), echo_maven.sort_key('1.10'))
+
 def test_echo_base_ecosystem(self):
 """Test that plain Echo uses Debian version ordering"""
 echo = ecosystems.get('Echo')
diff --git a/osv/ecosystems/echo.py b/osv/ecosystems/echo.py
index 7533b676666..f39255c90f3 100644
--- a/osv/ecosystems/echo.py
+++ b/osv/ecosystems/echo.py
@@ -15,6 +15,7 @@
 from .debian import DPKG
 from .ecosystems_base import OrderedEcosystem
+from .maven import Maven
 from .pypi import PyPI
@@ -24,11 +25,15 @@ class Echo(OrderedEcosystem):
 Echo provides secured packages across multiple ecosystems:
 - Echo - Debian-based packages (dpkg versioning)
 - Echo:PyPI - Python packages (PyPI/PEP 440 versioning)
+ - Echo:Maven - Maven packages (Maven versioning)
 """
 def _delegate(self) -> OrderedEcosystem:
- if self.suffix and self.suffix.lower() == 'pypi':
+ suffix = self.suffix.lower() if self.suffix else ''
+ if suffix == 'pypi':
 return PyPI()
+ if suffix == 'maven':
+ return Maven()
 return DPKG()
 def _sort_key(self, version: str):
From ed96d08e252174dcc46471ea0ca84f8062940881 Mon Sep 17 00:00:00 2001
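Review bot: `test_echo_maven_ecosystem` in osv/ecosystems/_ecosystems_test.py only looks up the exact spelling `'Echo:Maven'`, so the case folding that `_delegate` performs with `self.suffix.lower()` is never exercised. If other casings are meant to resolve (the Go side matches with `strings.EqualFold`), one extra assertion would pin that: `self.assertLess(ecosystems.get('Echo:maven').sort_key('1.0-rc1'), ecosystems.get('Echo:maven').sort_key('1.0'))`. The `1.0-rc1` / `1.0` pair is a good choice because dpkg ordering would, as far as I can tell, put those two the other way round, so a silent fall-through to `DPKG()` would fail the test rather than pass it.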
From: Laiza Angrest
Date: Thu, 18 Jun 2026 11:13:41 +0300
Subject: [PATCH 2/2] test(echo): cover +echo.N versions tests for Echo:Maven
---
 osv/ecosystems/_ecosystems_test.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/osv/ecosystems/_ecosystems_test.py b/osv/ecosystems/_ecosystems_test.py
index f575137e3c0..257e4464bb7 100644
--- a/osv/ecosystems/_ecosystems_test.py
+++ b/osv/ecosystems/_ecosystems_test.py
@@ -89,6 +89,16 @@ def test_echo_maven_ecosystem(self):
 echo_maven.sort_key('1.0-alpha1'), echo_maven.sort_key('1.0'))
 self.assertLess(echo_maven.sort_key('1.0-rc1'), echo_maven.sort_key('1.0'))
 self.assertLess(echo_maven.sort_key('1.9'), echo_maven.sort_key('1.10'))
+ self.assertLess(
+ echo_maven.sort_key('3.1.1'), echo_maven.sort_key('3.1.1+echo.1'))
+ self.assertLess(
+ echo_maven.sort_key('3.1.1+echo.1'),
+ echo_maven.sort_key('3.1.1+echo.2'))
+ self.assertLess(
+ echo_maven.sort_key('3.1.1+echo.2'),
+ echo_maven.sort_key('3.1.1+echo.10'))
+ self.assertLess(
+ echo_maven.sort_key('3.1.1+echo.1'), echo_maven.sort_key('3.1.2'))
 def test_echo_base_ecosystem(self):
 """Test that plain Echo uses Debian version ordering"""
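Review bot: The `+echo.N` ordering added to `test_echo_maven_ecosystem` is pinned only for the Python helper; neither diffstat in this series touches a Go test, so the `mavenEcosystem` branch added to `echoFactory` is not shown to order `3.1.1 < 3.1.1+echo.1 < 3.1.2` the same way. As far as I know `+` is not a separator in Maven's own version scheme, so this is where the two implementations are most likely to disagree, and a disagreement would change which versions each side reports as fixed. The same four comparisons in the Go ecosystem tests would close that gap. One assertion against a pre-release of the next version may also be worth adding, e.g. `self.assertLess(echo_maven.sort_key('3.1.1+echo.1'), echo_maven.sort_key('3.1.2-rc1'))`, if that is the intended order.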