add missing cvss_v3 scores during github sync

Author: skipkayhil

lib/github_advisory_sync.rb

@@ -226,7 +226,7 @@ def withdrawn?
     end
 
     def cvss
-      return "<FILL IN IF AVAILABLE>" if advisory["cvss"]["vectorString"].nil?
+      return if advisory["cvss"]["vectorString"].nil?
 
       advisory["cvss"]["score"].to_f
     end
@@ -245,12 +245,32 @@ def rubysec_filename
       File.join("gems", package_name, "#{primary_id}.yml")
     end
 
-    def rubysec_file_does_not_exist?
-      !File.exist?(rubysec_filename)
+    def update_file
+      saved_data = YAML.load_file(rubysec_filename)
+
+      return if saved_data.key?("cvss_v3") || cvss.nil?
+
+      cvss_added = false
+      File.open("#{rubysec_filename}.tmp", "w") do |f| 
+        IO.foreach(rubysec_filename) do |line|
+          if (line.include?('unaffected_versions:') || line.include?('patched_versions:')) && !cvss_added
+            f.write("cvss_v3: #{cvss}\n\n")
+              cvss_added = true
+          end
+          f.write(line)
+        end
+      end
+
+      File.delete(rubysec_filename)
+      File.rename("#{rubysec_filename}.tmp", rubysec_filename)
+
+      puts "Updated: #{rubysec_filename}"
+
+      rubysec_filename
     end
 
     def write_file
-      return unless rubysec_file_does_not_exist?
+      return update_file if File.exist?(rubysec_filename)
 
       data = {
         "gem" => package_name,
@@ -264,6 +284,7 @@ def write_file
         "unaffected_versions" => ["<OPTIONAL: FILL IN SEE BELOW>"]
       }
       data["cve"] = cve_id[4..20] if cve_id
+      data["cvss_v3"] = "<FILL IN IF AVAILABLE>" if cvss.nil?
 
       dir_to_write = File.dirname(rubysec_filename)
       Dir.mkdir dir_to_write unless Dir.exist?(dir_to_write)