Add sensible defaults to the OSV evaluator to allow running without a…

…ny configuration (#3053) Configuring the OSV evaluator is a bit of a PITA, but at the same time, the configuration is normally not really needed for public projects as they would all use the same OSV instance and the same package databases. Let's just hardcode sensible defaults so that profiles can be leaner and UIs don't have to ask users to input all this data.
stacklok · Apr 12, 2024 · 9187f96 · 9187f96
1 parent f8f0507
commit 9187f96
Showing 1 changed file with 37 additions and 3 deletions.
diff --git a/internal/engine/eval/vulncheck/config.go b/internal/engine/eval/vulncheck/config.go
@@ -16,7 +16,6 @@
 package vulncheck
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 
@@ -53,9 +52,44 @@ type config struct {
 	EcosystemConfig []ecosystemConfig `json:"ecosystem_config" mapstructure:"ecosystem_config" validate:"required"`
 }
 
+func defaultConfig() *config {
+	return &config{
+		Action: pr_actions.ActionReviewPr,
+		EcosystemConfig: []ecosystemConfig{
+			{
+				Name:       "npm",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://registry.npmjs.org",
+				},
+			},
+			{
+				Name:       "pypi",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://pypi.org/pypi",
+				},
+			},
+			{
+				Name:       "go",
+				DbType:     vulnDbTypeOsv,
+				DbEndpoint: "https://api.osv.dev/v1/query",
+				PackageRepository: packageRepository{
+					Url: "https://proxy.golang.org",
+				},
+				SumRepository: packageRepository{
+					Url: "https://sum.golang.org",
+				},
+			},
+		},
+	}
+}
+
 func parseConfig(ruleCfg map[string]any) (*config, error) {
-	if ruleCfg == nil {
-		return nil, errors.New("config was missing")
+	if len(ruleCfg) == 0 {
+		return defaultConfig(), nil
 	}
 
 	var conf config