add echo ecosystem

orizerah · orizerah · commit 67f88a4a04b3 · 2025-08-07T17:21:14.000+03:00
diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ This format is currently exported by:
 - [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
 - [Chainguard](https://packages.cgr.dev/chainguard/osv/all.json)
 - [Curl](https://curl.se/docs/vuln.json)
+- [Echo](https://advisory.echohq.com/osv/all.json)
 - [GitHub Security Advisories](https://github.com/github/advisory-database)
 - [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
 - [Go Vulnerability Database](https://github.com/golang/vulndb)
diff --git a/bindings/go/osvschema/constants.go b/bindings/go/osvschema/constants.go
@@ -17,6 +17,7 @@ const (
 	EcosystemCRAN                       Ecosystem = "CRAN"
 	EcosystemCratesIO                   Ecosystem = "crates.io"
 	EcosystemDebian                     Ecosystem = "Debian"
+	EcosystemEcho                       Ecosystem = "Echo"
 	EcosystemGHC                        Ecosystem = "GHC"
 	EcosystemGitHubActions              Ecosystem = "GitHub Actions"
 	EcosystemGo                         Ecosystem = "Go"
diff --git a/docs/schema.md b/docs/schema.md
@@ -245,6 +245,17 @@ The defined database prefixes and their "home" databases are:
         </ul>
       </td>
     </tr>
+    <tr>
+    <td><code>ECHO</code></td>
+      <td><a href="https://advisory.echohq.com/osv/all.json">Echo Security Advisory Database</a></td>
+      <td>
+        <ul>
+          <li>How to contribute: TBD</li>
+          <li>Source URL: TBD</li>
+          <li>OSV Formatted URL: <code>https://advisory.echohq.com/osv/&lt;ID&gt;.json</code></li>
+        </ul>
+      </td>
+    </tr>
     <tr>
       <td><code>ELA</code></td>
       <td><a href="https://www.freexian.com/lts/extended/">Debian Extended LTS Security Advisories (provided by Freexian)</a></td>
@@ -789,6 +800,7 @@ The defined ecosystems are:
 | `CRAN` | The R package ecosystem. The `name` is an R package name. |
 | `crates.io` | The crates.io ecosystem for Rust; the `name` field is a crate name. |
 | `Debian` | The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string "Debian:7" refers to the Debian 7 (wheezy) release. |
+| `Echo` | The Echo package ecosystem; the `name` is the name of the source package. |
 | `GHC` | The Haskell compiler ecosystem. The `name` field is the name of a component of the GHC compiler ecosystem (e.g., compiler, GHCI, RTS). |
 | `GitHub Actions` | The GitHub Actions ecosystem; the `name` field is the action's repository name with owner e.g. `{owner}/{repo}`. |
 | `Go` | The Go ecosystem; the `name` field is a Go module path. |
diff --git a/ecosystems.json b/ecosystems.json
@@ -11,6 +11,7 @@
   "CRAN": "The R package ecosystem. The `name` is an R package name.",
   "crates.io": "The crates.io ecosystem for Rust; the `name` field is a crate name.",
   "Debian": "The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string \"Debian:7\" refers to the Debian 7 (wheezy) release.",
+  "Echo": "The Echo package ecosystem; the `name` is the name of the source package.",
   "GHC": "The Haskell compiler ecosystem. The `name` field is the name of a component of the GHC compiler ecosystem (e.g., compiler, GHCI, RTS).",
   "GitHub Actions": "The GitHub Actions ecosystem; the `name` field is the action's repository name with owner e.g. `{owner}/{repo}`.",
   "Go": "The Go ecosystem; the `name` field is a Go module path.",
diff --git a/validation/schema.json b/validation/schema.json
@@ -21,10 +21,7 @@
       "$ref": "#/$defs/timestamp"
     },
     "aliases": {
-      "type": [
-        "array",
-        "null"
-      ],
+      "type": ["array", "null"],
       "items": {
         "type": "string"
       }
@@ -51,10 +48,7 @@
       "$ref": "#/$defs/severity"
     },
     "affected": {
-      "type": [
-        "array",
-        "null"
-      ],
+      "type": ["array", "null"],
       "items": {
         "type": "object",
         "properties": {
@@ -71,10 +65,7 @@
                 "type": "string"
               }
             },
-            "required": [
-              "ecosystem",
-              "name"
-            ]
+            "required": ["ecosystem", "name"]
           },
           "severity": {
             "$ref": "#/$defs/severity"
@@ -86,11 +77,7 @@
               "properties": {
                 "type": {
                   "type": "string",
-                  "enum": [
-                    "GIT",
-                    "SEMVER",
-                    "ECOSYSTEM"
-                  ]
+                  "enum": ["GIT", "SEMVER", "ECOSYSTEM"]
                 },
                 "repo": {
                   "type": "string"
@@ -99,9 +86,7 @@
                   "title": "events must contain an introduced object and may contain fixed, last_affected or limit objects",
                   "type": "array",
                   "contains": {
-                    "required": [
-                      "introduced"
-                    ]
+                    "required": ["introduced"]
                   },
                   "items": {
                     "type": "object",
@@ -113,9 +98,7 @@
                             "type": "string"
                           }
                         },
-                        "required": [
-                          "introduced"
-                        ]
+                        "required": ["introduced"]
                       },
                       {
                         "type": "object",
@@ -124,9 +107,7 @@
                             "type": "string"
                           }
                         },
-                        "required": [
-                          "fixed"
-                        ]
+                        "required": ["fixed"]
                       },
                       {
                         "type": "object",
@@ -135,9 +116,7 @@
                             "type": "string"
                           }
                         },
-                        "required": [
-                          "last_affected"
-                        ]
+                        "required": ["last_affected"]
                       },
                       {
                         "type": "object",
@@ -146,9 +125,7 @@
                             "type": "string"
                           }
                         },
-                        "required": [
-                          "limit"
-                        ]
+                        "required": ["limit"]
                       }
                     ]
                   },
@@ -169,9 +146,7 @@
                     }
                   },
                   "then": {
-                    "required": [
-                      "repo"
-                    ]
+                    "required": ["repo"]
                   }
                 },
                 {
@@ -180,9 +155,7 @@
                     "properties": {
                       "events": {
                         "contains": {
-                          "required": [
-                            "last_affected"
-                          ]
+                          "required": ["last_affected"]
                         }
                       }
                     }
@@ -192,20 +165,15 @@
                       "properties": {
                         "events": {
                           "contains": {
-                            "required": [
-                              "fixed"
-                            ]
+                            "required": ["fixed"]
                           }
                         }
                       }
                     }
                   }
                 }
               ],
-              "required": [
-                "type",
-                "events"
-              ]
+              "required": ["type", "events"]
             }
           },
           "versions": {
@@ -224,10 +192,7 @@
       }
     },
     "references": {
-      "type": [
-        "array",
-        "null"
-      ],
+      "type": ["array", "null"],
       "items": {
         "type": "object",
         "properties": {
@@ -252,10 +217,7 @@
             "format": "uri"
           }
         },
-        "required": [
-          "type",
-          "url"
-        ]
+        "required": ["type", "url"]
       }
     },
     "credits": {
@@ -288,25 +250,18 @@
             ]
           }
         },
-        "required": [
-          "name"
-        ]
+        "required": ["name"]
       }
     },
     "database_specific": {
       "type": "object"
     }
   },
-  "required": [
-    "id",
-    "modified"
-  ],
+  "required": ["id", "modified"],
   "allOf": [
     {
       "if": {
-        "required": [
-          "severity"
-        ]
+        "required": ["severity"]
       },
       "then": {
         "properties": {
@@ -341,6 +296,7 @@
         "CRAN",
         "crates.io",
         "Debian",
+        "Echo",
         "GHC",
         "GitHub Actions",
         "Go",
@@ -377,7 +333,7 @@
       "type": "string",
       "title": "Currently supported ecosystems",
       "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
-      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
+      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|Echo|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
     },
     "prefix": {
       "type": "string",
@@ -386,21 +342,13 @@
       "pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DSA|DLA|ELA|DTSA|GHSA|GO|GSD|HSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
     },
     "severity": {
-      "type": [
-        "array",
-        "null"
-      ],
+      "type": ["array", "null"],
       "items": {
         "type": "object",
         "properties": {
           "type": {
             "type": "string",
-            "enum": [
-              "CVSS_V2",
-              "CVSS_V3",
-              "CVSS_V4",
-              "Ubuntu"
-            ]
+            "enum": ["CVSS_V2", "CVSS_V3", "CVSS_V4", "Ubuntu"]
           },
           "score": {
             "type": "string"
@@ -466,22 +414,13 @@
             "then": {
               "properties": {
                 "score": {
-                  "enum": [
-                    "negligible",
-                    "low",
-                    "medium",
-                    "high",
-                    "critical"
-                  ]
+                  "enum": ["negligible", "low", "medium", "high", "critical"]
                 }
               }
             }
           }
         ],
-        "required": [
-          "type",
-          "score"
-        ]
+        "required": ["type", "score"]
       }
     },
     "timestamp": {
