Support GitHub repository security advisories
Current Behavior
GitHub Advisories can be mirrored from the global list. https://docs.github.com/en/rest/security-advisories/global-advisories?apiVersion=2022-11-28
However, repository security advisories are not aggregated in the global list. Instead, they have their own endpoints. https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28
Therefore, GHSA-p7w6-62rq-vrf9 is not referenced in the global list, but only in the repository-level list of eclipse-threadx/threadx. https://github.com/advisories/GHSA-p7w6-62rq-vrf9 (not found) https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-p7w6-62rq-vrf9 (found)
Proposed Behavior
GithubMetaAnalyzer, GitHubAdvisoryMirrorTask, or a dedicated module could mirror the repository advisories.
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
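As an added illustration of the two endpoints described above (example code written for this page, not code from the issue author or from Dependency-Track), the following lookup tries the global endpoint `GET /advisories/{ghsa_id}` first and, on a 404, falls back to the repository endpoint `GET /repos/{owner}/{repo}/security-advisories/{ghsa_id}`. The injectable `get` transport and the stub response body are assumptions of the example so it runs offline; the stub only reproduces the 404/200 pattern the issue reports and does not contain the real advisory's content.

```python
"""Look up a GHSA id in GitHub's global advisory list and, if absent there,
in a repository's own advisory list (the two REST endpoints from the GitHub
docs linked in the issue). Added example, not Dependency-Track code."""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"
HEADERS = {
    "Accept": "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
}


def http_get(url, token=None):
    """Real transport: return (status, parsed JSON body) for a GET."""
    req = urllib.request.Request(url, headers=dict(HEADERS))
    if token:  # public repository advisories need no auth; private ones do
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None


def find_advisory(ghsa_id, owner=None, repo=None, get=http_get):
    """Return (source, advisory) with source 'global', 'repository' or None.

    A 404 from the global list does not mean the id is unknown, so the
    repository endpoint is consulted next when owner/repo are given.
    `get` is injectable (assumption of this example) for offline stubbing."""
    status, body = get(f"{API}/advisories/{ghsa_id}")
    if status == 200:
        return "global", body
    if status != 404:
        raise RuntimeError(f"global lookup failed: HTTP {status}")
    if owner and repo:
        status, body = get(
            f"{API}/repos/{owner}/{repo}/security-advisories/{ghsa_id}")
        if status == 200:
            return "repository", body
        if status != 404:
            raise RuntimeError(f"repository lookup failed: HTTP {status}")
    return None, None


def summarize(advisory):
    """Fields a mirror would store. ghsa_id, cve_id, severity and published_at
    exist in both schemas; state exists only in the repository schema, hence .get()."""
    return {
        "ghsa_id": advisory["ghsa_id"],
        "cve_id": advisory.get("cve_id"),
        "severity": advisory.get("severity"),
        "state": advisory.get("state"),
        "published_at": advisory.get("published_at"),
    }


# Constructed offline stub: the ThreadX id is 404 in the global list but 200
# in the repository list, as the issue describes. Body values are placeholders.
_STUB = {
    f"{API}/repos/eclipse-threadx/threadx/security-advisories/GHSA-p7w6-62rq-vrf9": {
        "ghsa_id": "GHSA-p7w6-62rq-vrf9",
        "cve_id": None,
        "severity": "high",
        "state": "published",
        "published_at": "2024-01-01T00:00:00Z",
    },
}


def stub_get(url, token=None):
    """Stand-in for http_get that answers only from the constructed _STUB table."""
    body = _STUB.get(url)
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    src, adv = find_advisory("GHSA-p7w6-62rq-vrf9", "eclipse-threadx",
                             "threadx", get=stub_get)
    print(src, summarize(adv))
```

Against the live API, drop `get=stub_get` to use `http_get`; the fallback order matters because a global 404 alone would make a mirror silently skip every repository-only advisory.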
I also started a GitHub Community discussion, as it would be less effort to find all advisories in the global list :)
Thanks for raising this, I wasn't aware of this distinction. And it seems very odd to have such a separation. I subscribed to the discussion you opened, let's see what GitHub has to say.
I found the repository github/advisory-database. Therefore, I understand that ThreadX is not part of the supported ecosystems, like Dependency-Track ;)