fix(api): remove all purl ecosystem validation (#2964)

We didn't have any PURL ecosystem validation until [PR 2900](#2900) was merged. [PR 2900](#2900) introduced some [breaking changes](#2960 (comment)) that affect users querying ecosystems for which we currently lack a PURL converter, especially those not specified in the PURL specification. This PR changes the response from a 400 error code to a 200 status code with an empty response unblock users. A more considered design will be discussed later with the team and implemented.
google · Dec 5, 2024 · 402f47d · 402f47d
1 parent 257b51f
commit 402f47d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/gcp/api/integration_tests.py b/gcp/api/integration_tests.py
@@ -422,10 +422,7 @@ def test_query_unknown_purl_invalid_semver(self):
         }),
         timeout=_TIMEOUT)
 
-    self.assert_results_equal({
-        'code': 3,
-        'message': 'Unknown PURL ecosystem.'
-    }, response.json())
+    self.assert_results_equal({}, response.json())
 
   def test_query_semver_no_vulns(self):
     """Test queries by SemVer with no vulnerabilities."""

diff --git a/gcp/api/server.py b/gcp/api/server.py
@@ -735,8 +735,13 @@ def do_query(query: osv_service_v1_pb2.Query,
       )
 
     if purl is None:
-      context.service_context.abort(grpc.StatusCode.INVALID_ARGUMENT,
-                                    'Unknown PURL ecosystem.')
+      # TODO(gongh@): Previously, we didn't perform any PURL validation.
+      # All unsupported PURL queries would simply return a 200
+      # status code with an empty response.
+      # To avoid breaking existing behavior,
+      # we return an empty response here with no error.
+      # This needs to be revisited with a more considerate design.
+      return [], None
 
     if package_name:  # Purls already include the package name
       context.service_context.abort(

diff --git a/osv/purl_helpers.py b/osv/purl_helpers.py
@@ -36,7 +36,7 @@
     'Debian': EcosystemPURL('deb', 'debian'),
     # GHC
     # GIT
-    'GitHub Actions': EcosystemPURL('github', None),
+    # GitHub Actions
     'Go': EcosystemPURL('golang', None),
     'Hackage': EcosystemPURL('hackage', None),
     'Hex': EcosystemPURL('hex', None),
@@ -138,6 +138,6 @@ def parse_purl(purl_str: str) -> ParsedPURL | None:
   elif purl.type == 'maven' and purl.namespace:
     package = purl.namespace + ':' + purl.name
   else:
-    raise ValueError('Invalid ecosystem.')
+    return None
 
   return ParsedPURL(ecosystem, package, version)