github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

Support github releases / packages / advisories #474

Open edulix opened 2 years ago

edulix commented 2 years ago

This might sound like an obvious question and maybe I'm wrong and this is supported or I didn't read the documentation correctly.

But I think it would be great if the Advisory Database integrated with GitHub Releases, GitHub Packages and GitHub Advisories for GitHub projects.

Use case

This could work well with Dependabot and the new Dependency submission API. For example, I'm using Nix. Nix as a package manager does not typically use a centralized registry and rather uses "channels" that contain packages.

However, Nix packages many times fetch their sources from GitHub. With the Dependency submission API, a given Nix dependency could be reported to be from GitHub (or another supported ecosystem such as npm), and Dependabot would then be able to report security vulnerabilities for Nix dependencies.

KateCatlin commented 2 years ago

Hey @edulix thank you for reaching out! This is a really cool idea and speaks to a future we'd like to someday get to. I'm going to keep the issue open for others to comment and upvote.

rjaegers commented 1 year ago

I second this; recently I helped implement a dependency scanner that takes CMake files as input and submits dependencies to the Dependency Submission API (https://github.com/philips-forks/cmake-dependency-submission). I would have liked a more native "feel" for package type "github". Now, when generating an SBOM for example, the package type is translated to "unknown". So no Dependabot support, no security advisories. That was a bit disappointing.

I think great value can be had by supporting the "github" purl type.
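The flow both commenters describe (sources fetched from GitHub, expressed as `pkg:github/...` purls, submitted as a Dependency Submission API snapshot, and then left unmatched because that purl type is not an advisory-matched ecosystem) as an added, self-contained example; this is not code from the advisory-database project or from either commenter. The snapshot field layout follows the public Dependency Submission API schema as I know it; the Nix source entries and the list of matched purl types are constructed, labelled assumptions.

```python
"""Build a Dependency Submission API snapshot from GitHub-fetched sources."""
import json
from datetime import datetime, timezone
from urllib.parse import quote

# Assumption (illustrative, not authoritative): purl types that advisory
# matching covers today. The thread's point is that "github" is not among them.
MATCHED_PURL_TYPES = {"npm", "pypi", "maven", "cargo", "gem", "golang", "nuget"}

# Constructed sample input: what fetchFromGitHub-style Nix inputs and one npm
# dependency might look like after being read from a lock file.
NIX_SOURCES = [
    {"name": "nixpkgs", "owner": "NixOS", "repo": "nixpkgs", "rev": "a1b2c3d4"},
    {"name": "left-pad", "ecosystem": "npm", "version": "1.3.0"},
]

def to_purl(src):
    """Map a source to a purl: pkg:github/owner/repo@rev or pkg:<type>/name@ver."""
    if "owner" in src:
        return f"pkg:github/{quote(src['owner'])}/{quote(src['repo'])}@{src['rev']}"
    return f"pkg:{src['ecosystem']}/{quote(src['name'])}@{src['version']}"

def purl_type(purl):
    """Return the purl type ('github' for pkg:github/NixOS/nixpkgs@rev)."""
    scheme, rest = purl.split(":", 1)
    if scheme != "pkg":
        raise ValueError(f"not a purl: {purl}")
    return rest.split("/", 1)[0].lower()

def build_snapshot(sources, sha, ref, manifest="flake.lock"):
    """Assemble a snapshot body; each resolved entry is keyed by its purl."""
    resolved = {}
    for src in sources:
        purl = to_purl(src)
        resolved[purl] = {"package_url": purl, "relationship": "direct",
                          "scope": "runtime", "dependencies": []}
    return {
        "version": 0, "sha": sha, "ref": ref,
        "job": {"correlator": "nix-deps-example", "id": "1"},  # constructed
        "detector": {"name": "nix-purl-example", "version": "0.1",
                     "url": "https://example.invalid/detector"},  # placeholder
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest: {"name": manifest,
                                 "file": {"source_location": manifest},
                                 "resolved": resolved}},
    }

def unmatched_purls(snapshot, manifest="flake.lock"):
    """Purls whose type falls outside MATCHED_PURL_TYPES (the 'unknown' case)."""
    resolved = snapshot["manifests"][manifest]["resolved"]
    return sorted(p for p in resolved if purl_type(p) not in MATCHED_PURL_TYPES)

if __name__ == "__main__":
    snap = build_snapshot(NIX_SOURCES, "0" * 40, "refs/heads/main")
    print(json.dumps(snap, indent=2))
    print("no advisory coverage for:", unmatched_purls(snap))
```

Running it prints the snapshot body and lists the `pkg:github/...` entry as the one that would receive no advisory coverage, while the npm entry would.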