I'm noticing a bunch of ECHO advisories having CVE records as aliases.
e.g: https://advisory.echohq.com/osv/ECHO-84eb-3f66-73a1.json
{
"id": "ECHO-84eb-3f66-73a1",
"upstream": [
"CVE-2025-10966"
],
"aliases": [
"CVE-2025-10966"
],
"severity": [],
"modified": "2025-11-11T14:00:08.335Z",
"affected": [
{
"package": {
"ecosystem": "Echo",
"name": "curl"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "8.14.1-2+e3"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://advisory.echohq.com/cve/CVE-2025-10966"
}
]
}Per prior discussion, the records should only have CVEs as upstream not aliases.
Comments later in the thread suggests that the data issue was fixed and reimported, so I'm not sure why it is popping up again.
cc: @orizerah
I'm noticing a bunch of ECHO advisories having CVE records as aliases.
e.g: https://advisory.echohq.com/osv/ECHO-84eb-3f66-73a1.json
{ "id": "ECHO-84eb-3f66-73a1", "upstream": [ "CVE-2025-10966" ], "aliases": [ "CVE-2025-10966" ], "severity": [], "modified": "2025-11-11T14:00:08.335Z", "affected": [ { "package": { "ecosystem": "Echo", "name": "curl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.14.1-2+e3" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://advisory.echohq.com/cve/CVE-2025-10966" } ] }Per prior discussion, the records should only have CVEs as
upstreamnotaliases.Comments later in the thread suggests that the data issue was fixed and reimported, so I'm not sure why it is popping up again.
cc: @orizerah