google · LaizaAngrest · Jun 18, 2026 · Jun 18, 2026
diff --git a/go/osv/ecosystem/echo.go b/go/osv/ecosystem/echo.go
@@ -21,18 +21,22 @@ import "strings"
 // Echo provides secured packages across multiple ecosystems:
 //   - Echo        - Debian-based packages (dpkg versioning)
 //   - Echo:PyPI   - Python packages (PyPI/PEP 440 versioning)
+//   - Echo:Maven  - Maven packages (Maven versioning)
 //
 // Versioning is delegated to the underlying ecosystem helper.
 type echoEcosystem struct {
 	Ecosystem
 }
 
 func echoFactory(p *Provider, suffix string) Ecosystem {
-	if strings.EqualFold(suffix, "pypi") {
+	switch {
+	case strings.EqualFold(suffix, "pypi"):
 		return echoEcosystem{Ecosystem: pypiEcosystem{p: p}}
+	case strings.EqualFold(suffix, "maven"):
+		return echoEcosystem{Ecosystem: mavenEcosystem{p: p}}
+	default:
+		return echoEcosystem{Ecosystem: dpkgEcosystem{}}
 	}
-
-	return echoEcosystem{Ecosystem: dpkgEcosystem{}}
 }
 
 func (e echoEcosystem) NormalizePackageName(name string) string {

diff --git a/osv/ecosystems/_ecosystems_test.py b/osv/ecosystems/_ecosystems_test.py
@@ -76,6 +76,30 @@ def test_echo_pypi_ecosystem(self):
     self.assertLess(echo_pypi.sort_key('1.0.0rc1'), echo_pypi.sort_key('1.0.0'))
     self.assertLess(echo_pypi.sort_key('1.9'), echo_pypi.sort_key('1.10'))
 
+  def test_echo_maven_ecosystem(self):
+    """Test that Echo:Maven uses Maven version ordering"""
+    self.assertTrue(ecosystems.is_known('Echo:Maven'))
+
+    echo_maven = ecosystems.get('Echo:Maven')
+    self.assertIsNotNone(echo_maven)
+
+    # Maven version ordering
+    self.assertLess(echo_maven.sort_key('1.0.0'), echo_maven.sort_key('1.0.1'))
+    self.assertLess(
+        echo_maven.sort_key('1.0-alpha1'), echo_maven.sort_key('1.0'))
+    self.assertLess(echo_maven.sort_key('1.0-rc1'), echo_maven.sort_key('1.0'))
+    self.assertLess(echo_maven.sort_key('1.9'), echo_maven.sort_key('1.10'))
+    self.assertLess(
+        echo_maven.sort_key('3.1.1'), echo_maven.sort_key('3.1.1+echo.1'))
+    self.assertLess(
+        echo_maven.sort_key('3.1.1+echo.1'),
+        echo_maven.sort_key('3.1.1+echo.2'))
+    self.assertLess(
+        echo_maven.sort_key('3.1.1+echo.2'),
+        echo_maven.sort_key('3.1.1+echo.10'))
+    self.assertLess(
+        echo_maven.sort_key('3.1.1+echo.1'), echo_maven.sort_key('3.1.2'))
+
   def test_echo_base_ecosystem(self):
     """Test that plain Echo uses Debian version ordering"""
     echo = ecosystems.get('Echo')

diff --git a/osv/ecosystems/echo.py b/osv/ecosystems/echo.py
@@ -15,6 +15,7 @@
 
 from .debian import DPKG
 from .ecosystems_base import OrderedEcosystem
+from .maven import Maven
 from .pypi import PyPI
 
 
@@ -24,11 +25,15 @@ class Echo(OrderedEcosystem):
   Echo provides secured packages across multiple ecosystems:
   - Echo        - Debian-based packages (dpkg versioning)
   - Echo:PyPI   - Python packages (PyPI/PEP 440 versioning)
+  - Echo:Maven  - Maven packages (Maven versioning)
   """
 
   def _delegate(self) -> OrderedEcosystem:
-    if self.suffix and self.suffix.lower() == 'pypi':
+    suffix = self.suffix.lower() if self.suffix else ''
+    if suffix == 'pypi':
       return PyPI()
+    if suffix == 'maven':
+      return Maven()
     return DPKG()
 
   def _sort_key(self, version: str):