ingest withdrawn status of advisories from GitHub

src/GitHubVulnerabilities2Db/Collector/AdvisoryQueryBuilder.cs

@@ -23,6 +23,7 @@ public string CreateSecurityAdvisoriesQuery(DateTimeOffset? updatedSince = null,
         databaseId
         permalink
         severity
+        withdrawnAt
         updatedAt
         " + CreateVulnerabilitiesConnectionQuery() + @"
       }

src/GitHubVulnerabilities2Db/Collector/AdvisoryQueryService.cs

@@ -77,7 +77,9 @@ private SecurityAdvisory MergeAdvisories(SecurityAdvisory advisory, SecurityAdvi
             nextAdvisory.Vulnerabilities.Edges = advisory.Vulnerabilities.Edges.Concat(
                 nextAdvisory.Vulnerabilities.Edges ?? Enumerable.Empty<Edge<SecurityVulnerability>>());
             // We are not querying the advisories feed at this time so we do not want to advance the advisory cursor past what it was originally.
+            // We also want to ensure a withdrawn advisory affects all vulnerabilities it comprises
             nextAdvisory.UpdatedAt = advisory.UpdatedAt;
+            nextAdvisory.WithdrawnAt = advisory.WithdrawnAt;
             return nextAdvisory;
         }
 

tests/GitHubVulnerabilities2Db.Facts/AdvisoryIngestorFacts.cs

@@ -52,6 +52,7 @@ public async Task IngestsAdvisoryWithoutVulnerability(bool withdrawn)
                         Assert.Equal(advisory.DatabaseId, vulnerability.GitHubDatabaseKey);
                         Assert.Equal(PackageVulnerabilitySeverity.Moderate, vulnerability.Severity);
                         Assert.Equal(advisory.Permalink, vulnerability.AdvisoryUrl);
+                        Assert.Equal(withdrawn, advisory.WithdrawnAt != null);
                     })
                     .Returns(Task.CompletedTask)
                     .Verifiable();