Add sensible defaults to the OSV evaluator to allow running without a…

…ny configuration Configuring the OSV evaluator is a bit of a PITA, but at the same time, the configuration is normally not really needed for public projects as they would all use the same OSV instance and the same package databases. Let's just hardcode sensible defaults so that profiles can be leaner and UIs don't have to ask users to input all this data.
stacklok · Apr 11, 2024 · 8c51e13 · 8c51e13
1 parent 6e21fc0
commit 8c51e13
Showing 1 changed file with 37 additions and 3 deletions.
diff --git a/internal/engine/eval/vulncheck/config.go b/internal/engine/eval/vulncheck/config.go
@@ -16,7 +16,6 @@
 package vulncheck
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 
@@ -53,9 +52,44 @@ type config struct {
 	EcosystemConfig []ecosystemConfig `json:"ecosystem_config" mapstructure:"ecosystem_config" validate:"required"`
 }
 
+func defaultConfig() *config {
+	return &config{
+		Action: pr_actions.ActionReviewPr,
+		EcosystemConfig: []ecosystemConfig{
+			{
+				Name:       "npm",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://registry.npmjs.org",
+				},
+			},
+			{
+				Name:       "pypi",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://pypi.org/pypi",
+				},
+			},
+			{
+				Name:       "go",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://proxy.golang.org",
+				},
+				SumRepository: packageRepository{
+					Url: "https://sum.golang.org",
+				},
+			},
+		},
+	}
+}
+
 func parseConfig(ruleCfg map[string]any) (*config, error) {
-	if ruleCfg == nil {
-		return nil, errors.New("config was missing")
+	if len(ruleCfg) == 0 {
+		return defaultConfig(), nil
 	}
 
 	var conf config