
Sync advisory ids from GitHub #1836

Closed
wants to merge 3 commits into from

Conversation

amousset (Member)

Required a few changes in the sync command.

Not sure what to do with the PYSEC ids. The occurrences in this pull request look like actual aliases (i.e. they refer to the same vulnerability in upstream code), but it may not always be the case.

alex (Member) commented Dec 20, 2023

Looks like there's a conflict here.

Shnatsel (Member) commented Jan 5, 2024

I'd like to get this merged; it has stalled for too long.

I understand the blocker is the uncertainty around PYSEC IDs? Is there a good reason to expect they are different?

I would rather put them in aliases along with all the other IDs, otherwise that data will not make it into the OSV export where PYSEC advisories are also available. And if we are including the identifier, it would be a good idea to link it in a machine-readable way too.

The PYSEC advisories from this PR have GHSA and CVE IDs listed as OSV aliases, e.g. https://osv.dev/vulnerability/PYSEC-2021-321
Would PYSEC advisories without such a link be picked up by the import script?

Another option is to not carry PYSEC IDs at all, and just expect advisories to be the same thing if they have one ID in common, e.g. CVE or GHSA. This will likely be necessary to do regardless.
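The deduplication rule proposed in the comment above (treat two advisories as the same vulnerability when they share a CVE or GHSA id, and do not rely on PYSEC ids for that decision), carried through as an added Rust example. This is illustrative code written for this page, not the advisory-db sync command; the `Advisory` struct, the function names and every identifier in the sample data are made up, and the matching is transitive (if A and B share a CVE and B and C share a GHSA, all three land in one group), which goes slightly beyond the one-id case described in the thread.

```rust
use std::collections::{BTreeMap, BTreeSet};
use std::iter::once;

/// Minimal advisory record: its own id plus the aliases it lists.
/// Real records carry much more (package, versions, description);
/// only the identifiers matter for deduplication. Hypothetical type.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Advisory {
    pub id: String,
    pub aliases: BTreeSet<String>,
}

impl Advisory {
    pub fn new(id: &str, aliases: &[&str]) -> Self {
        Advisory {
            id: id.to_string(),
            aliases: aliases.iter().map(|a| a.to_string()).collect(),
        }
    }

    /// The advisory's own id followed by its aliases.
    fn all_ids(&self) -> impl Iterator<Item = &String> {
        once(&self.id).chain(self.aliases.iter())
    }
}

/// Only CVE and GHSA ids are trusted to mean "same vulnerability".
/// PYSEC ids are excluded on purpose: two advisories that share nothing
/// but a PYSEC id are not merged.
pub fn is_dedup_key(id: &str) -> bool {
    id.starts_with("CVE-") || id.starts_with("GHSA-")
}

// Small union-find over advisory indices.
fn find(parent: &mut [usize], mut i: usize) -> usize {
    while parent[i] != i {
        parent[i] = parent[parent[i]]; // path halving
        i = parent[i];
    }
    i
}

fn union(parent: &mut [usize], a: usize, b: usize) {
    let (ra, rb) = (find(parent, a), find(parent, b));
    if ra != rb {
        parent[ra] = rb;
    }
}

/// Group advisories that share at least one CVE or GHSA id, transitively.
/// Returns groups of advisory ids, each group sorted, groups sorted.
pub fn group_by_shared_ids(advisories: &[Advisory]) -> Vec<Vec<String>> {
    let mut parent: Vec<usize> = (0..advisories.len()).collect();
    // First advisory seen carrying each key id; later ones are unioned into it.
    let mut owner: BTreeMap<&str, usize> = BTreeMap::new();
    for (i, adv) in advisories.iter().enumerate() {
        for key in adv.all_ids().filter(|id| is_dedup_key(id.as_str())) {
            match owner.get(key.as_str()) {
                Some(&j) => union(&mut parent, i, j),
                None => {
                    owner.insert(key.as_str(), i);
                }
            }
        }
    }
    let mut groups: BTreeMap<usize, Vec<String>> = BTreeMap::new();
    for i in 0..advisories.len() {
        let root = find(&mut parent, i);
        groups.entry(root).or_default().push(advisories[i].id.clone());
    }
    let mut out: Vec<Vec<String>> = groups.into_values().collect();
    for g in &mut out {
        g.sort();
    }
    out.sort();
    out
}

/// Aliases to write back for a merged group: the union of every member's
/// CVE/GHSA ids. PYSEC ids are dropped here as well.
pub fn merged_aliases(advisories: &[Advisory], group: &[String]) -> BTreeSet<String> {
    advisories
        .iter()
        .filter(|a| group.contains(&a.id))
        .flat_map(|a| a.all_ids())
        .filter(|id| is_dedup_key(id.as_str()))
        .cloned()
        .collect()
}

/// Constructed sample data; every identifier here is fictitious.
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory::new("RUSTSEC-0000-0001", &["CVE-0000-0001", "PYSEC-0000-0001"]),
        // Imported GitHub advisory carrying the same CVE.
        Advisory::new("GHSA-test-0001", &["CVE-0000-0001"]),
        // Shares only the GHSA id with the record above: joins transitively.
        Advisory::new("RUSTSEC-0000-0002", &["GHSA-test-0001"]),
        // Shares only a PYSEC id with the first record: stays separate.
        Advisory::new("RUSTSEC-0000-0003", &["PYSEC-0000-0001"]),
    ]
}

fn main() {
    let advs = sample_advisories();
    for g in group_by_shared_ids(&advs) {
        println!("{:?} -> aliases {:?}", g, merged_aliases(&advs, &g));
    }
}
```

Running it prints two groups: the three records linked through the shared CVE and GHSA ids, and the record that only shares a PYSEC id on its own. Whether the PYSEC-only record should instead be treated as a duplicate is exactly the open question in this thread; flipping `is_dedup_key` to accept `PYSEC-` would merge it.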

amousset (Member, Author)

I'll just remove the PYSEC IDs for now, relying on GHSA/CVE should be enough to avoid duplicates.

amousset (Member, Author)

Replaced by #1881.

@amousset amousset closed this Feb 10, 2024