diff --git a/lib/github_advisory_sync.rb b/lib/github_advisory_sync.rb
index ebc10d2bf8..04af518a98 100644
--- a/lib/github_advisory_sync.rb
+++ b/lib/github_advisory_sync.rb
@@ -341,7 +341,9 @@ def first_patched_versions_for(package)
 first_patched_versions = []
 vulnerabilities.each do |v|
- if v['package']['name'] == package.name && v['firstPatchedVersion']
+ if v['package']['name'] == package.name &&
+ v['firstPatchedVersion'] &&
+ v['firstPatchedVersion']['identifier']
 first_patched_versions << v['firstPatchedVersion']['identifier']
 end
 end
@@ -353,11 +355,13 @@ def patched_versions_for(package)
 first_patched_versions = first_patched_versions_for(package)
 patched_versions = []
- first_patched_versions[0..-2].each do |version|
- patched_versions << "~> #{version}"
- end
+ if !first_patched_versions.empty?
+ first_patched_versions[0..-2].each do |version|
+ patched_versions << "~> #{version}"
+ end
- patched_versions << ">= #{first_patched_versions.last}"
+ patched_versions << ">= #{first_patched_versions.last}"
+ end
 return patched_versions
 end
@@ -371,15 +375,23 @@ def create(package)
 "unaffected_versions" => [""]
 )
+ patched_versions = patched_versions_for(package)
+
+ if !patched_versions.empty?
+ new_data['patched_versions'] = patched_versions
+ else
+ new_data['notes'] = "Never patched"
+ end
+
+ # populate the related information
+ new_data["related"] = {
+ "url" => advisory["references"]
+ }
+
 FileUtils.mkdir_p(File.dirname(filename_to_write))
 File.open(filename_to_write, "w") do |file|
 # create an automatically generated advisory yaml file
- file.write new_data.merge(
- "patched_versions" => patched_versions_for(package),
- "related" => {
- "url" => advisory["references"]
- }
- ).to_yaml
+ file.write new_data.to_yaml
 # The data we just wrote is incomplete,
 # and therefore should not be committed as is
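Review bot: An empty-string `identifier` still passes the widened guard in `first_patched_versions_for`, because `''` is truthy in Ruby, and it would surface later as a bare `~> ` or `>= ` constraint in the generated advisory. Reading the value once and testing it for content covers both the missing and the blank case: `identifier = v.dig('firstPatchedVersion', 'identifier')` followed by `first_patched_versions << identifier unless identifier.to_s.strip.empty?`. Whether the API can return a blank identifier is not visible here, so treat this as hardening of data that comes from an external feed. The method starts above the hunk and ends below it.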
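Review bot: `first_patched_versions.last` in `patched_versions_for` is treated as the newest fixed release, but nothing in this hunk orders the list; it follows whatever order `vulnerabilities` arrives in. If that order is not ascending, the open-ended `>=` constraint lands on an older branch and the generated advisory would report still-vulnerable releases as patched. Sorting before the constraints are built, for example `first_patched_versions = first_patched_versions_for(package).sort_by { |ver| Gem::Version.new(ver) }`, removes the dependence on feed order, assuming the identifiers are valid gem versions. On style, the new wrapper reads better as a guard clause, `return [] if first_patched_versions.empty?`. The `def` line sits above the hunk.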
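Review bot: The `else` branch in `create` writes `Never patched` whenever `patched_versions_for` comes back empty, which also covers an upstream record that simply has no `firstPatchedVersion` yet or whose identifier was dropped by the new guard. A comment on that branch would tell the person finishing the file that the note is inferred, such as `# no firstPatchedVersion in the GitHub data; confirm that no fix exists before keeping this note`. The condition is also easier to read without the negation (`if patched_versions.empty?` with the branches swapped), and the hunk mixes `new_data['notes']` with `new_data["related"]` quoting. `create` starts above the hunk and continues past its last line.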