rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems
https://rubysec.com
Other

[Pre537] Automate patched_versions conversion from GHSA to ruby-advisory-db #648

Closed jasnow closed 1 year ago

jasnow commented 1 year ago

Automate patched_versions conversion from GHSA to ruby-advisory-db.

postmodern commented 1 year ago

There isn't an easy way to parse and preserve the additional YAML comments. That would require using YAML.parse which returns a raw node tree of the YAML data, which is much harder to work with, merging in the new data and dumping the YAML nodes back out to the file.

An alternative approach would be to use an ERB template to render the advisory file, and properly format all YAML data. It might also be a good idea to create a separate Advisory class which represents the contents of the YAML file that could be used for loading the data and rendering the output. This might also require pulling in additional libraries to handle word-wrapping.
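A sketch of the ERB-template approach suggested in the comment above, as an added example that is not part of the original thread or the project's code. The `Advisory` class, its method names, the sample values, and the rule for turning fixed releases into `patched_versions` requirements are all assumptions made for illustration.

```ruby
require 'erb'
require 'yaml'

# Hypothetical Advisory class (not the project's code): it holds the advisory
# fields and renders the file through an ERB template, so comments live in
# the template instead of being lost in a YAML load/dump round trip.
class Advisory
  TEMPLATE = ERB.new(<<~'YAML', trim_mode: '-')
    ---
    gem: <%= gem_name %>
    ghsa: <%= ghsa %>
    # Comment emitted by the template on every render.
    patched_versions:
    <%- patched_versions.each do |req| -%>
      - "<%= req %>"
    <%- end -%>
  YAML

  attr_reader :gem_name, :ghsa, :patched_versions

  # gem_name and ghsa are rendered unescaped; this sketch assumes they were
  # validated by the caller. first_patched is a list of fixed releases.
  def initialize(gem_name:, ghsa:, first_patched:)
    @gem_name = gem_name
    @ghsa = ghsa
    @patched_versions = self.class.requirements_for(first_patched)
  end

  # Assumed convention: every fixed release except the highest becomes a
  # pessimistic "~> x.y.z" requirement, and the highest becomes ">= x.y.z".
  # Gem::Version.new raises ArgumentError on malformed input, so untrusted
  # version strings never reach the template.
  def self.requirements_for(first_patched)
    versions = first_patched.uniq.map { |v| Gem::Version.new(v) }.sort
    versions.each_with_index.map do |version, index|
      index == versions.size - 1 ? ">= #{version}" : "~> #{version}"
    end
  end

  def to_yaml_text
    TEMPLATE.result(binding)
  end
end

# Constructed sample values, not taken from a real advisory.
SAMPLE = Advisory.new(gem_name: 'examplegem', ghsa: 'GHSA-xxxx-xxxx-xxxx',
                      first_patched: %w[2.0.1 1.2.4 1.2.4])
puts SAMPLE.to_yaml_text if $PROGRAM_NAME == __FILE__
```

Loading the rendered text with `YAML.safe_load` and dumping it again drops the comment line, which is the limitation the comment above describes.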

jasnow commented 1 year ago

patched_version and unaffected_versions Use Cases for Testing:

jasnow commented 1 year ago

#664 provides automated patched_versions creation in the lib/github_advisory_sync.rb script, so I'm going to close this issue.

If additional items come up in the future, we can open new issues/PRs for them.