feat: allow the sync task to run for just a single gem (#527)

Author: flavorjones

README.md

@@ -100,11 +100,18 @@ The GitHub Advisory API requires a token to access it.
 - It can be a completely scopeless token (recommended); it does not require any permissions at all.
 - Get yours at https://github.com/settings/tokens
 
-To run the GitHub Advisory sync, start by executing the rake task:
+To run the GitHub Advisory sync to retrieve all advisories, start by executing the rake task:
+
 ```
 GH_API_TOKEN=<your GitHub API Token> bundle exec rake sync_github_advisories
 ```
 
+Or, to only retrieve advisories for a single gem:
+
+```
+GH_API_TOKEN=<your GitHub API Token> bundle exec rake sync_github_advisories[gem_name]
+```
+
 - The rake task will write yaml files for any missing advisories.
 - Those files must be further edited.
   - Fill in `cvss_v3` field by following the CVE link and getting it from page

Rakefile

@@ -13,9 +13,9 @@ namespace :lint do
 end
 
 desc "Sync GitHub RubyGem Advisories into this project"
-task :sync_github_advisories do
+task :sync_github_advisories, [:gem_name] do |_, args|
   require_relative "lib/github_advisory_sync"
-  GitHub::GitHubAdvisorySync.sync
+  GitHub::GitHubAdvisorySync.sync(gem_name: args[:gem_name])
 end
 
 task :lint    => ['lint:yaml']

lib/github_advisory_sync.rb

@@ -15,8 +15,8 @@ class GitHubAdvisorySync
     # The min_year argument specifies the earliest year CVE to sync.
     # It is more important to sync the newer ones, so this allows the user to
     # control how old of CVEs the sync should pull over
-    def self.sync(min_year: 2015)
-      gh_advisories = GraphQLAPIClient.new.all_rubygem_advisories
+    def self.sync(min_year: 2015, gem_name: nil)
+      gh_advisories = GraphQLAPIClient.new.all_rubygem_advisories(gem_name: gem_name)
 
       # Filter out advisories with a CVE year that is before the min_year
       gh_advisories.select! { |v| v.cve_after_year?(min_year) }
@@ -89,10 +89,10 @@ def github_graphql_query(graphql_query_name, graphql_variables = {})
       body_obj
     end
 
-    def all_rubygem_advisories
+    def all_rubygem_advisories(gem_name: nil)
       advisories = {}
 
-      retrieve_all_rubygem_vulnerabilities.each do |vulnerability|
+      retrieve_all_rubygem_vulnerabilities(gem_name: gem_name).each do |vulnerability|
         advisory = GitHubAdvisory.new(vulnerability["advisory"])
 
         next if advisory.withdrawn?
@@ -105,9 +105,9 @@ def all_rubygem_advisories
       advisories.values
     end
 
-    def retrieve_all_rubygem_vulnerabilities(max_pages = 1000, page_size = 100)
+    def retrieve_all_rubygem_vulnerabilities(max_pages = 1000, page_size = 100, gem_name: nil)
       all_vulnerabilities = []
-      variables = { "first" => page_size }
+      variables = { "first" => page_size, "gem_name" => gem_name }
       max_pages.times do |page_num|
         puts "Getting page #{page_num + 1} of GitHub Vulnerabilities"
 
@@ -126,8 +126,8 @@ def retrieve_all_rubygem_vulnerabilities(max_pages = 1000, page_size = 100)
 
     module GraphQLQueries
       RUBYGEM_VULNERABILITIES_WITH_GITHUB_ADVISORIES = <<-GRAPHQL.freeze
-        query($first: Int, $after: String) {
-          securityVulnerabilities(first: $first, after: $after, ecosystem:RUBYGEMS) {
+        query($first: Int, $after: String, $gem_name: String) {
+          securityVulnerabilities(first: $first, after: $after, ecosystem:RUBYGEMS, package: $gem_name) {
             pageInfo {
               endCursor
               hasNextPage