From 8fa784bcbe352954f1f53a17608f77c6c905e6c8 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Thu, 29 Jun 2023 16:11:08 -0700
Subject: [PATCH 1/3] Omit `patched_versions:` if the GHSA has no patched version identifiers.

* Also add a `notes: Never patched`.
---
 lib/github_advisory_sync.rb | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/lib/github_advisory_sync.rb b/lib/github_advisory_sync.rb
index ebc10d2bf8..b216a814cf 100644
--- a/lib/github_advisory_sync.rb
+++ b/lib/github_advisory_sync.rb
@@ -371,15 +371,23 @@ def create(package)
 "unaffected_versions" => [""]
 )
 
+ patched_versions = patched_versions_for(package)
+
+ if !patched_versions.empty?
+ new_data['patched_versions'] = patched_versions
+ else
+ new_data['notes'] = "Never patched"
+ end
+
+ # populate the related information
+ new_data["related"] = {
+ "url" => advisory["references"]
+ }
+
 FileUtils.mkdir_p(File.dirname(filename_to_write))
 File.open(filename_to_write, "w") do |file|
 # create an automatically generated advisory yaml file
- file.write new_data.merge(
- "patched_versions" => patched_versions_for(package),
- "related" => {
- "url" => advisory["references"]
- }
- ).to_yaml
+ file.write new_data.to_yaml
 
 # The data we just wrote is incomplete,
 # and therefore should not be committed as is

From 90f8caa6752ec38c6febb81f34ce571a56306aa2 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Thu, 29 Jun 2023 18:40:29 -0700
Subject: [PATCH 2/3] Also check if the `identifier` key is set.

---
 lib/github_advisory_sync.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/github_advisory_sync.rb b/lib/github_advisory_sync.rb
index b216a814cf..019b42b375 100644
--- a/lib/github_advisory_sync.rb
+++ b/lib/github_advisory_sync.rb
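Review bot: The two new assignments use single-quoted keys (`new_data['patched_versions']`, `new_data['notes']`) while every other key in this hunk, including the `"related"` entry added a few lines below, is double-quoted; pick one form so the generated hash reads consistently. The `if !patched_versions.empty?` branch also reads better inverted, `if patched_versions.empty?` with the `notes` assignment first and the `patched_versions` assignment in the `else`, which drops the negation. If `new_data` already carries a `notes` entry from the lines above the hunk (not visible here), the unconditional `new_data['notes'] = "Never patched"` silently replaces it, so appending or guarding with `||=` would be safer. `create`'s body starts and ends outside this hunk.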
@@ -341,7 +341,9 @@ def first_patched_versions_for(package)
 first_patched_versions = []
 
 vulnerabilities.each do |v|
- if v['package']['name'] == package.name && v['firstPatchedVersion']
+ if v['package']['name'] == package.name &&
+ v['firstPatchedVersion'] &&
+ v['firstPatchedVersion']['identifier']
 first_patched_versions << v['firstPatchedVersion']['identifier']
 end
 end

From 2fee9333d7d02158a9483b482a85adf9568cd98e Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Fri, 30 Jun 2023 16:45:31 -0700
Subject: [PATCH 3/3] Guard against when ``first_patched_versions_for` returns an empty Array.

---
 lib/github_advisory_sync.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/github_advisory_sync.rb b/lib/github_advisory_sync.rb
index 019b42b375..04af518a98 100644
--- a/lib/github_advisory_sync.rb
+++ b/lib/github_advisory_sync.rb
@@ -355,11 +355,13 @@ def patched_versions_for(package)
 first_patched_versions = first_patched_versions_for(package)
 patched_versions = []
 
- first_patched_versions[0..-2].each do |version|
- patched_versions << "~> #{version}"
- end
+ if !first_patched_versions.empty?
+ first_patched_versions[0..-2].each do |version|
+ patched_versions << "~> #{version}"
+ end
 
- patched_versions << ">= #{first_patched_versions.last}"
+ patched_versions << ">= #{first_patched_versions.last}"
+ end
 
 return patched_versions
 end
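Review bot: The three-way `&&` chain still lets an empty `identifier` string through, because `""` is truthy in Ruby, and a blank entry collected here ends up as a bare `">= "` constraint in `patched_versions_for`; I cannot tell from this page whether GHSA ever emits an empty identifier, so treat that as a hedge. The same check reads more directly with `dig`: `next unless v['package']['name'] == package.name`, `identifier = v.dig('firstPatchedVersion', 'identifier')`, `first_patched_versions << identifier unless identifier.to_s.empty?`, which covers the missing-key, nil and empty cases in one place. `v['package']` itself is still dereferenced without a guard, so an entry lacking a `package` key would raise instead of being skipped. The method's return value is produced after the hunk.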
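Review bot: The `>=` constraint is attached to whichever identifier happens to be last in `first_patched_versions`, so the output is only correct if `first_patched_versions_for` returns versions in ascending order; if the advisory's `vulnerabilities` entries arrive in another order, `>=` lands on an older branch and releases that were never fixed are reported as patched. I cannot see where that order is established, so it may already be guaranteed upstream, but sorting with `Gem::Version` before splitting makes the assumption explicit (note `Gem::Version.new` raises `ArgumentError` on a malformed string, and `uniq` drops a branch listed twice). The guard would also read better as an early `return [] if first_patched_versions.empty?` followed by a `map`, which removes the mutable accumulator, the `[0..-2]` slice and the explicit `return`. The `def patched_versions_for(package)` line sits just above the hunk and its `end` is inside it.
```ruby
  first_patched_versions = first_patched_versions_for(package)
  return [] if first_patched_versions.empty?

  # `>=` must apply to the newest patched branch, so do not rely on GHSA entry order
  *older, newest = first_patched_versions.uniq.sort_by { |v| Gem::Version.new(v) }
  older.map { |version| "~> #{version}" } << ">= #{newest}"
```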