
Support github releases / packages / advisories

Open · edulix opened this issue 3 years ago · 2 comments

This might sound like an obvious question and maybe I'm wrong and this is supported or I didn't read the documentation correctly.

But I think it would be great if the Advisory Database integrated with Github Releases, Github Packages and Github Advisories for Github Projects.

# Use case

This could work well with dependabot and the new Dependency submission API. For example, I'm using Nix. Nix as a package manager does not typically use a centralized registry and rather uses "channels" that contain packages.

However, nix packages many times fetch the sources from github. With the dependency submission API, a given nix dependency could be reported to be from github (or other supported ecosystem such as npm) and dependabot now would be able to report security vulnerabilities for nix dependencies.

edulix · Jul 05 '22 06:07

Hey @edulix thank you for reaching out! This is a really cool idea and speaks to a future we'd like to someday get to. I'm going to keep the issue open for others to comment and upvote.

KateCatlin · Aug 23 '22 22:08

I second this; recently I helped implement a dependency scanner that takes CMake files as input and submits dependencies to the Dependency Submission API (https://github.com/philips-forks/cmake-dependency-submission). I would have liked a more-native "feel" for package type "github". Now, when generating an SBOM for example, the package type is translated to "unknown". So no Dependabot support, no security advisories. That was a bit disappointing.

I think great value can be had by supporting the "github" purl type.

rjaegers · Jul 25 '23 13:07
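As an added illustration (not code from this thread, from GitHub, or from the cmake-dependency-submission project), this is what a Dependency Submission API snapshot would look like if the "github" purl type described above were used for Nix sources fetched from GitHub; the fetch list, detector name and URL are constructed, hypothetical values.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample of what a Nix expression fetches from GitHub via
# fetchFromGitHub: (owner, repo, rev). Hypothetical values, not from the thread.
NIX_GITHUB_FETCHES = [
    ("NixOS", "nixpkgs", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"),
    ("philips-forks", "cmake-dependency-submission", "0123456789abcdef0123456789abcdef01234567"),
    ("Example-Org", "Some.Repo", "v1.2.3"),  # a tag, not an immutable commit
]
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def github_purl(owner: str, repo: str, rev: str) -> str:
    """Package-url of type 'github': pkg:github/<owner>/<repo>@<rev>. The purl
    spec lowercases namespace and name for this type; every segment is
    percent-encoded so unexpected characters cannot add extra path parts."""
    return (f"pkg:github/{quote(owner.lower(), safe='')}/"
            f"{quote(repo.lower(), safe='')}@{quote(rev, safe='')}")

def build_snapshot(fetches, repo_sha: str, ref: str, manifest_path: str,
                   job_id: str = "1") -> dict:
    """Body for POST /repos/{owner}/{repo}/dependency-graph/snapshots whose
    resolved packages carry 'github' purls. Layout follows the Dependency
    Submission API snapshot schema; 'nix-github-fetcher' is hypothetical."""
    resolved = {}
    for owner, repo, rev in fetches:
        purl = github_purl(owner, repo, rev)
        resolved[purl] = {
            "package_url": purl,
            "relationship": "direct",
            "scope": "runtime",
            "dependencies": [],
            # Only a full commit sha pins the source immutably; tags can move.
            "metadata": {"pinned_to_commit": bool(_SHA1_RE.match(rev))},
        }
    return {
        "version": 0,
        "job": {"correlator": "nix-github-fetcher", "id": job_id},
        "sha": repo_sha,
        "ref": ref,
        "detector": {"name": "nix-github-fetcher", "version": "0.0.1",
                     "url": "https://example.invalid/nix-github-fetcher"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest_path: {"name": manifest_path,
                                      "file": {"source_location": manifest_path},
                                      "resolved": resolved}},
    }
```

Until the "github" purl type is recognised by Dependabot, such packages surface as "unknown" in the generated SBOM, exactly as the comment above describes, so the `pinned_to_commit` flag is the only provenance signal the submitting side can keep for itself.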