Add support for new RepositoryAdvisories API 🎉

[JLLeitschuh]

Related:

• https://github.blog/changelog/2023-03-30-repository-security-advisories-rest-api/
• https://docs.github.com/en/rest/security-advisories/repository-advisories

Signed-off-by: Jonathan Leitschuh Jonathan.Leitschuh@gmail.com

[codecov-commenter]

Codecov Report

Patch coverage: 95.11% and project coverage change: -0.13 ⚠️

Comparison is base (84912a6) 98.57% compared to head (1168ac3) 98.45%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2483      +/-   ##
==========================================
- Coverage   98.57%   98.45%   -0.13%     
==========================================
  Files         118      124       +6     
  Lines       11981    12407     +426     
==========================================
+ Hits        11810    12215     +405     
- Misses        171      192      +21     

Impacted Files	Coverage Δ
github/Repository.py	97.10% <93.02%> (-0.11%)	⬇️
github/RepositoryAdvisoryCredit.py	93.61% <93.61%> (ø)
github/RepositoryAdvisory.py	93.83% <93.83%> (ø)
github/RepositoryAdvisoryCreditDetailed.py	95.65% <95.65%> (ø)
github/RepositoryAdvisoryVulnerability.py	98.57% <98.57%> (ø)
github/CWE.py	100.00% <100.00%> (ø)
github/GithubObject.py	98.84% <100.00%> (+0.02%)	⬆️
github/RepositoryAdvisoryVulnerabilityPackage.py	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[JLLeitschuh]

According to the GitHub team I'm chatting with, this should not be optional. At least one must be supplied.

That GitHub's API currently supports passing an empty list, is a bug.

[JLLeitschuh]

Turns out this isn't a bug. It's implemented as-designed

[JLLeitschuh]

CI passes. Linting passses. AFAIK, everything has solid unit test coverage.

Seeking code reviews!

[rthorpeii]

The structure of the API objects and calls looks good to me!

[EnricoMi]

LGTM, minor comments

[EnricoMi]

since this is on Repository, this could read:

Suggested change

	def create_repository_advisory(
	def create_advisory(

Or are there other methods that imply this naming convention?

[EnricoMi]

I think this should read:

Suggested change

	def report_security_vulnerability(
	def report_security_advisory(

or

Suggested change

	def report_security_vulnerability(
	def create_security_advisory(

[JLLeitschuh]

This API is used by reporters, not by maintainers, to report vulnerabilities.

I was trying to figure out a way to differentiate the create which is something only a repository admin can take, from the report which is an action any GitHub user can take.

[EnricoMi]

right, the link to the docs confused me, I think it is linking to creating an advisory, where it should link to creating a vulnerability

[EnricoMi]

Here, repository could also be removed, but on the other hand, it returns a `RepositoryAdvisory.

[JLLeitschuh]

So does the one above. Which naming convention would you like to see used here?

[JLLeitschuh]

Unless you have a strong preference, I think we should opt to use the naming convention in the GitHub API docs here.

[EnricoMi]

agreed, keep it

[EnricoMi]

I think the link should point to

https://docs.github.com/en/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability

[JLLeitschuh]

Done!

[EnricoMi]

right, the link to the docs confused me, I think it is linking to creating an advisory, where it should link to creating a vulnerability

[EnricoMi]

@JLLeitschuh happy to approve, please rebase and correct the doc links

[JLLeitschuh]

Will do, just been bogged down in other work

[EnricoMi]

LGTM!