maven
An Apache build automation and dependency management tool for JVM projects, driving the standard compile, test, package, install, and deploy lifecycle from a declarative pom.xml.
What is Maven?
The maven image bundles Apache Maven with a JDK so you can build Java projects in containers without installing Maven and Java on the host. It's the canonical choice for building Maven-based JVM applications (Spring Boot, Quarkus, Jakarta EE) inside CI/CD pipelines and multi-stage Dockerfiles. The image follows the standard Maven layout: it picks up your `pom.xml` and runs the lifecycle (`compile`, `test`, `package`).
What is Echo's Maven image?
Echo's maven image is a hardened build of Maven on Echo's hardened JDK and base. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your app. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For multi-stage builds, the default variant is the build stage and Echo's eclipse-temurin-jre image is the runtime stage - both are hardened.
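A multi-stage Dockerfile following that pattern, written here as an added example rather than taken from Echo's documentation; the registry path, the image tags and the numeric runtime UID are placeholders you substitute with the values from your own Echo registry.

```dockerfile
# Added example (not Echo's own Dockerfile). ECHO_REGISTRY and the tags are
# placeholders: point them at the images mirrored into your private registry.
ARG ECHO_REGISTRY=registry.example.com/echo
ARG MAVEN_TAG=latest
ARG JRE_TAG=latest

# Build stage: the default maven variant, which carries the build tools,
# package manager and shell that the distroless variant leaves out.
FROM ${ECHO_REGISTRY}/maven:${MAVEN_TAG} AS build
WORKDIR /src

# Copy the pom first so dependency resolution is cached by Docker and is not
# repeated when only source files change.
COPY pom.xml .
RUN mvn -B -q dependency:go-offline

# Build and run the test phase; -o (offline) makes the build fail rather than
# silently fetch anything that was not resolved in the cached step above.
COPY src ./src
RUN mvn -B -o package

# Runtime stage: the distroless eclipse-temurin-jre image, which has no shell
# or package manager, so only the JRE and the application ship.
FROM ${ECHO_REGISTRY}/eclipse-temurin-jre:${JRE_TAG}
WORKDIR /app
COPY --from=build /src/target/*.jar /app/app.jar

# Assumption: an unprivileged numeric UID; adjust to the user your base
# image defines. A numeric id works even without an /etc/passwd entry.
USER 65532:65532
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```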
What is the difference between Echo's Maven image and the public Maven image?
Public maven images include a JDK plus broad OS tooling, which is useful but contributes substantial CVE counts that scanners flag on every CI run. Echo's image is reduced to what Maven and `mvn package` actually require, removing CVEs without changing the build process. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.
FAQ
Can I replace my maven image with Echo's maven image?
Yes. Echo's maven image is a drop-in replacement. Update the FROM line in your Dockerfile (or the image reference in your manifests) and your application keeps working - the CVEs disappear, the behavior doesn't.
Is Echo's maven image FIPS-validated?
Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use - unlike FIPS-compliant images that haven't been validated.
What is Echo's vulnerability management SLA on the maven image?
Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version.
Is Echo's maven image distroless?
Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells.
How does Echo achieve such a drastic CVE reduction in maven?
Echo maven is built from source with only the absolute essentials needed to run the workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the version that works for you without forcing a functional change for the sake of security.
Will Echo's maven image help us achieve FedRAMP?
Yes. The hard parts of FedRAMP - managing vulnerabilities, applying fixes, and using FIPS-validated cryptography - are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting.