Skip to content

Commit 31c46fe

Browse files
committed
feat(echo): support Echo Maven package scanning
Extends the Echo vendor to match Maven packages carrying the +echo.N suffix. The default Maven comparer already orders +echo.N correctly, so no custom comparer is needed. Depends on #10555 (Echo pip language package scanning). Signed-off-by: Laiza Angrest <laiza.angrest@echo.ai>
1 parent 9578890 commit 31c46fe

5 files changed

Lines changed: 72 additions & 13 deletions

File tree

pkg/detector/library/driver_test.go

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -392,6 +392,31 @@ func TestDriver_Detect(t *testing.T) {
392392
},
393393
},
394394
},
395+
{
396+
name: "echo maven package",
397+
fixtures: []string{
398+
"testdata/fixtures/echo.yaml",
399+
"testdata/fixtures/data-source.yaml",
400+
},
401+
libType: ftypes.Jar,
402+
args: args{
403+
pkgName: "org.apache.commons:commons-lang3",
404+
pkgVer: "3.14.0+echo.1",
405+
},
406+
want: []types.DetectedVulnerability{
407+
{
408+
VulnerabilityID: "CVE-2024-88888",
409+
PkgName: "org.apache.commons:commons-lang3",
410+
InstalledVersion: "3.14.0+echo.1",
411+
FixedVersion: "3.14.0+echo.999",
412+
DataSource: &dbTypes.DataSource{
413+
ID: "echo-osv",
414+
Name: "Echo OSV",
415+
URL: "https://advisory.echohq.com/osv",
416+
},
417+
},
418+
},
419+
},
395420
}
396421
for _, tt := range tests {
397422
t.Run(tt.name, func(t *testing.T) {

pkg/detector/library/echo/echo.go

Lines changed: 17 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,9 @@ import (
1010
"github.com/aquasecurity/trivy/pkg/detector/library/compare/pep440"
1111
)
1212

13-
// echoLocalSegmentRe matches the Echo-specific PEP 440 local version segment,
14-
// e.g. "+echo.1" in "2.14.2+echo.1".
13+
// echoLocalSegmentRe matches the Echo-specific version segment "+echo.N",
14+
// e.g. "+echo.1" in "2.14.2+echo.1". This appears both as a PEP 440 local
15+
// version (pip) and as a Maven build suffix (maven).
1516
var echoLocalSegmentRe = regexp.MustCompile(`\+echo\.\d+`)
1617

1718
func init() {
@@ -20,10 +21,10 @@ func init() {
2021
})
2122
}
2223

23-
// echoVendor matches pip packages patched by Echo.
24-
// Echo provides patched versions of Python packages with their own vulnerability
25-
// advisories. Their packages are identified by a PEP 440 local version suffix
26-
// of the form "+echo.N" (e.g. "2.14.2+echo.1").
24+
// echoVendor matches language packages patched by Echo.
25+
// Echo provides patched versions of Python (pip) and Java (maven) packages with
26+
// their own vulnerability advisories. Their packages are identified by a version
27+
// suffix of the form "+echo.N" (e.g. "2.14.2+echo.1").
2728
type echoVendor struct {
2829
pipComparer compare.Comparer
2930
}
@@ -35,12 +36,15 @@ func (echoVendor) Name() string {
3536
// Match determines whether a package is provided by Echo.
3637
// It expects a normalized package name (see vulnerability.NormalizePkgName).
3738
// Echo packages are identified by a "+echo.N" segment in the version string,
38-
// where N is a numeric revision (e.g. "2.14.2+echo.1").
39+
// where N is a numeric revision (e.g. "2.14.2+echo.1"). Echo patches both
40+
// Python (pip) and Java (maven) packages using this same suffix convention.
3941
func (echoVendor) Match(eco ecosystem.Type, _, pkgVer string) bool {
40-
if eco != ecosystem.Pip {
42+
switch eco {
43+
case ecosystem.Pip, ecosystem.Maven:
44+
return echoLocalSegmentRe.MatchString(pkgVer)
45+
default:
4146
return false
4247
}
43-
return echoLocalSegmentRe.MatchString(pkgVer)
4448
}
4549

4650
// BucketPrefix returns the vendor-specific advisory bucket prefix.
@@ -49,9 +53,10 @@ func (e echoVendor) BucketPrefix(eco ecosystem.Type) string {
4953
}
5054

5155
// Comparer returns a version comparer for the given ecosystem.
52-
// For pip (Python), it enables local version specifiers to correctly handle
53-
// Echo version suffixes (e.g. "2.14.2+echo.1").
54-
// For other ecosystems, it returns the default comparer unchanged.
56+
// For pip (Python), it enables local version specifiers so PEP 440 ordering
57+
// keeps the Echo suffix (e.g. "2.14.2+echo.1") instead of discarding it.
58+
// For maven (and other ecosystems) the default comparer already orders the
59+
// "+echo.N" suffix correctly, so it is returned unchanged.
5560
func (e echoVendor) Comparer(eco ecosystem.Type, defaultComparer compare.Comparer) compare.Comparer {
5661
if eco == ecosystem.Pip {
5762
return e.pipComparer

pkg/detector/library/echo/echo_test.go

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,10 +66,24 @@ func TestEchoVendor_Match(t *testing.T) {
6666
want: false,
6767
},
6868
{
69-
name: "maven package is not supported",
69+
name: "maven package with +echo.1 suffix",
7070
eco: ecosystem.Maven,
7171
pkgName: "org.apache.logging.log4j:log4j-core",
7272
pkgVer: "2.13.3+echo.1",
73+
want: true,
74+
},
75+
{
76+
name: "maven package with +echo.999 suffix",
77+
eco: ecosystem.Maven,
78+
pkgName: "org.apache.commons:commons-lang3",
79+
pkgVer: "3.14.0+echo.999",
80+
want: true,
81+
},
82+
{
83+
name: "maven package without echo suffix",
84+
eco: ecosystem.Maven,
85+
pkgName: "org.apache.commons:commons-lang3",
86+
pkgVer: "3.14.0",
7387
want: false,
7488
},
7589
{

pkg/detector/library/testdata/fixtures/data-source.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,3 +65,8 @@
6565
ID: "echo-osv"
6666
Name: "Echo OSV"
6767
URL: "https://advisory.echohq.com/osv"
68+
- key: "echo maven::Echo OSV"
69+
value:
70+
ID: "echo-osv"
71+
Name: "Echo OSV"
72+
URL: "https://advisory.echohq.com/osv"

pkg/detector/library/testdata/fixtures/echo.yaml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,3 +8,13 @@
88
- "2.14.2+echo.999"
99
VulnerableVersions:
1010
- ">= 2.14.2+echo.1, < 2.14.2+echo.999"
11+
- bucket: "echo maven::Echo OSV"
12+
pairs:
13+
- bucket: "org.apache.commons:commons-lang3"
14+
pairs:
15+
- key: CVE-2024-88888
16+
value:
17+
PatchedVersions:
18+
- "3.14.0+echo.999"
19+
VulnerableVersions:
20+
- ">= 3.14.0+echo.1, < 3.14.0+echo.999"

0 commit comments

Comments
 (0)