Fixes to --security-advisories option

[lukasbestle]

Explanation

If I read the GitHub docs correctly:

Privately discuss and fix security vulnerabilities in your public repository's code.

I am pretty sure that private repos can never have security advisories. This seems to match with my tests. It looks like I originally didn't test the argument with a private repo at all because I thought there was no point as I didn't have one with security advisories. Now I know why 🙄, sorry for that regression.

Summary of changes

• 404 errors during retrieval of security advisories are handled gracefully and logged. This fixes Include repository security advisories #243 (comment). Thanks @Iamrodos for the suggestion.
• If this exception occurs, the security-advisories subdirectory is not created. This avoids empty directories for repos that cannot have security advisories.
• The behavior of --all is modified such that it skips security advisories on private repos by default. If a user still wants to try to back up security advisories, they can (additionally) provide the --security-advisories argument to overrule this default. I think this behavior should be the best of both worlds.

[Iamrodos]

This page has a table that indicates they might be available on a private report if you purchase the option. Having it try private repos if the parameter is added can cater for this.

Do you think any of the readme needs clarification on the changes?

[lukasbestle]

This page has a table that indicates they might be available on a private report if you purchase the option.

I can't find the word advisory on this page. Could you please quote the relevant part?

[Iamrodos]

I sort of figured it was part of "Security overview" sounds like that's not the case.

[lukasbestle]

That's described as:

Security overview: Understand the distribution of risk across your organization.

AFAIK it just combines existing data into a dashboard.

[josegonzalez]

So... is this PR good?

[Iamrodos]

Looks good to me.