Include security metrics for repos that are later archived

It's fine to exclude all archived repos when looking at the current
state, but the data might be useful for looking at historical trends.

metrics/github/security.py

@@ -32,12 +32,10 @@ def vulnerabilities(client, org, to_date):
     metrics = []
 
     for repo in query.repos(client, org):
-        if repo.archived_on:
-            continue
-
         vulns = list(map(Vulnerability.from_dict, query.vulnerabilities(client, repo)))
 
-        for day in dates.iter_days(repo.created_on, to_date):
+        end = min(to_date, repo.archived_on) if repo.archived_on else to_date
+        for day in dates.iter_days(repo.created_on, end):
             closed_vulns = sum(1 for v in vulns if v.is_closed_on(day))
             open_vulns = sum(1 for v in vulns if v.is_open_on(day))
 

tests/metrics/github/test_security.py

@@ -46,26 +46,28 @@ def test_vulnerability_closed_on_is_closed():
     assert v.is_closed_on(date(2023, 10, 29))
 
 
-def test_vulnerabilities_ignores_archived_repos(monkeypatch):
+def test_vulnerabilities_ignores_archived_repos_after_archive_date(monkeypatch):
+    archive_date = date(2022, 1, 3)
+
     def fake_repos(client, org):
         return [
             Repo(
                 "anything",
                 "anything",
                 created_on=date(2022, 1, 1),
-                archived_on=date(2022, 1, 31),
+                archived_on=archive_date,
             )
         ]
 
     monkeypatch.setattr(security.query, "repos", fake_repos)
 
     def fake_vulnerabilities(client, repo):
-        return [dict(createdAt="2022-02-10T00:00:00Z", fixedAt=None, dismissedAt=None)]
+        return []
 
     monkeypatch.setattr(security.query, "vulnerabilities", fake_vulnerabilities)
 
-    result = security.vulnerabilities({}, "org", date.today())
-    assert len(result) == 0
+    result = security.vulnerabilities({}, "org", date(2022, 1, 10))
+    assert result[-1]["time"] == archive_date
 
 
 def test_vulnerabilities(monkeypatch):