Omit patched_versions: if the GHSA has no patched version identifiers. (#664)

postmodern · web-flow · commit c6807c357b64 · 2023-07-01T12:27:42.000-07:00
* Omit `patched_versions:` if the GHSA has no patched version identifiers.
* Also add a `notes: Never patched`.
diff --git a/lib/github_advisory_sync.rb b/lib/github_advisory_sync.rb
@@ -341,7 +341,9 @@ def first_patched_versions_for(package)
       first_patched_versions = []
 
       vulnerabilities.each do |v|
-        if v['package']['name'] == package.name && v['firstPatchedVersion']
+        if v['package']['name'] == package.name &&
+           v['firstPatchedVersion'] &&
+           v['firstPatchedVersion']['identifier']
           first_patched_versions << v['firstPatchedVersion']['identifier']
         end
       end
@@ -353,11 +355,13 @@ def patched_versions_for(package)
       first_patched_versions = first_patched_versions_for(package)
       patched_versions       = []
 
-      first_patched_versions[0..-2].each do |version|
-        patched_versions << "~> #{version}"
-      end
+      if !first_patched_versions.empty?
+        first_patched_versions[0..-2].each do |version|
+          patched_versions << "~> #{version}"
+        end
 
-      patched_versions << ">= #{first_patched_versions.last}"
+        patched_versions << ">= #{first_patched_versions.last}"
+      end
 
       return patched_versions
     end
@@ -371,15 +375,23 @@ def create(package)
         "unaffected_versions" => ["<OPTIONAL: FILL IN SEE BELOW>"]
       )
 
+      patched_versions = patched_versions_for(package)
+
+      if !patched_versions.empty?
+        new_data['patched_versions'] = patched_versions
+      else
+        new_data['notes'] = "Never patched"
+      end
+
+      # populate the related information
+      new_data["related"] = {
+        "url" => advisory["references"]
+      }
+
       FileUtils.mkdir_p(File.dirname(filename_to_write))
       File.open(filename_to_write, "w") do |file|
         # create an automatically generated advisory yaml file
-        file.write new_data.merge(
-          "patched_versions" => patched_versions_for(package),
-          "related" => {
-            "url"  => advisory["references"]
-          }
-        ).to_yaml
+        file.write new_data.to_yaml
 
         # The data we just wrote is incomplete,
         # and therefore should not be committed as is
