Support for DependabotAlert APIs

[coopernetes]

Fixes #2872

Related #2347 (Dependabot alerts are generated from the underlying dependency graph)

This PR includes the following to bring in all the supported operations for the Dependabot alert APIs:

• Add new types for DependabotAlert & related classes for advisory & vulnerability information. DependabotAlert is a subclass of AdvisoryBase. Reused existing types for CVSS & CWE since they are shared attributes.
• Add get_dependabot_alert for Repository
• Add get_dependabot_alerts for Repository using PaginatedList
• Add update_dependabot_alert for Repository
• Add get_dependabot_alerts for Organization using PaginatedList
• Add get_dependabot_alerts for Enterprise using PaginatedList GitHub's endpoint doesn't work from my limited testing
• Decoupled AdvisoryVulnerability from AdvisoryBase and moved that specific attribute into RepositoryAdvisory & GlobalAdvisory. Most of the vulnerability information is similar between advisories and Dependabot alerts but there were a few differences in the JSON and I decided to split them up from the base class.
• Test coverage (TYPE_CHECKING imports seem to be missed but not sure how those would get coverage)
• Ensure documentation is complete for new types (verified new functions on Repository & Organization have the correct docstrings)
• Generate appropriate copyright notices on new or changed files

Details on my refactoring amongst the other security-related modules/classes:

After reviewing the existing types for AdvisoryBase, GlobalAdvisory, RepositoryAdvisory and AdvisoryVulnerability, it's clear that the Dependabot alert API looks very similar to those other endpoints with some annoyingly minor differences. For example:

• dependency.package for a Dependabot alert is identical to AdvisoryVulnerabilityPackage but has additional fields (manifest_path and scope) so I couldn't reuse the entirety of AdvisoryVulnerability. There's likely a place for a Union type but I didn't have a good sense on the best way to write that.
• vulnerabilities list for a Dependabot alert is slightly different than the Repository/GlobalAdvisory vulnerabilities (the former includes severity and first_patched_version object, the latter uses patched_versions & contains vulnerable_functions)
• references are their own list of dicts for Dependabot alerts (with a single field called "url" 🤦) but are just a list of strings for GlobalAdvisory

Instead of monkeying around with too much of the existing modules to try & find all the common attributes and create new base modules, I kept most of the Dependabot specific API types as separate modules & classes. I was able to reuse AdvisoryVulnerabilityPackage.

[codecov-commenter]

Codecov Report

Attention: 9 lines in your changes are missing coverage. Please review.

Comparison is base (d0caa3c) 96.70% compared to head (fe726ea) 96.69%.

❗ Current head fe726ea differs from pull request most recent head aab2b21. Consider uploading reports for the commit aab2b21 to get more accurate results

Files	Patch %	Lines
github/DependabotAlert.py	96.11%	4 Missing ⚠️
github/DependabotAlertAdvisory.py	95.83%	1 Missing ⚠️
github/DependabotAlertVulnerability.py	96.96%	1 Missing ⚠️
github/Organization.py	94.11%	1 Missing ⚠️
github/Repository.py	96.77%	1 Missing ⚠️
github/RepositoryAdvisory.py	87.50%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2879      +/-   ##
==========================================
- Coverage   96.70%   96.69%   -0.01%     
==========================================
  Files         142      147       +5     
  Lines       14610    14848     +238     
==========================================
+ Hits        14129    14358     +229     
- Misses        481      490       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coopernetes]

@EnricoMi thanks for taking a look at the reported enhancement request. When you get a chance, can you give a quick 👀 on the few changed files in this PR? I've added the list of tasks I will chip away at as part of adding this support but wanted to ensure I was using the correct patterns.

I also reviewed the Contributing guide which helped immensely to get the first test case recorded and written 👍

In the meantime, I'll adapt the new class using CodeScanAlert as a guide since that module seems to closely match what the Dependabot alert API does. Thanks!

[EnricoMi]

I'd simplify this pattern to

Suggested change

	if is_defined(state):
	assert isinstance(state, str), state
	assert state in allowed_states, f"State can be one of {', '.join(allowed_states)}"
	assert state in allowed_states + [NotSet], f"State can be one of {', '.join(allowed_states)}"

[EnricoMi]

I'd replace the

        if is_defined(state):
            url_parameters["state"] = state
...

pattern with

        url_parameters = NotSet.remove_unset_items(
            {
                "state": state,
                "severity": severity,
                "ecosystem": ecosystem,
                "package": package,
                "scope": scope,
                "sort": sort,
                "direction": direction,
            }
        )

[coopernetes]

Thanks, applied the same for Repository.get_dependabot_alerts.

[EnricoMi]

LGTM!

[EnricoMi]

Thanks for this high-quality PR! This is ready to go, right?

[coopernetes]

Yep, good to go! Thanks @EnricoMi

[EnricoMi]

Your PR was really great, I could use some help reviewing PRs in PyGithub.

Is there a chance that from time to time you could have a look at open PRs and guide less experienced authors towards an approvable state?

[coopernetes]

@EnricoMi Apologies for the late reply! Absolutely, I am available to help with triage & reviewing PRs to support the library. Feel free to assign me PRs or issues and don't hesitate to send me an email if you need to discuss anything else.