Added csv output option

[k-udupa2000]

Created command line flag -c
Command used for testing

python -m cve_bin_tool.cli -x ./ppp-2.4.7-26.fc29.x86_64.rpm -c

Sample output:
,openssl,openssl,CVE-1999-0428,HIGH
,openssl,openssl,CVE-2000-1254,HIGH
,openssl,openssl,CVE-2006-4339,MEDIUM
,openssl,openssl,CVE-2006-7250,MEDIUM....

[terriko]

I think something got screwed up here -- this has an exif test in it that will fail because there's no exif checker. You may need to rebase off master to get rid of it.

[terriko]

What happens here if there's more than one vendor package pair? (maybe try it against a kerberos test case to find out if you don't know)

[terriko]

I'm fairly sure we're going to want more than one type of output, so let's make this a --output flag or maybe an --output-type flag (so you can use --output for a filename). Or maybe make it figure it out from the extension on a filename, defaulting to the usual console output but giving you .csv if your file ends in .csv. (And eventually, .html, .json, others)

[terriko]

Probably better to let people specify their own filename, and print to console if they don't.

[terriko]

This file was probably checked in by accident and should be removed.

[terriko]

This looks like a test that didn't work out and should also be removed since it's irrelevant to this PR.

[terriko]

You have to open the file in write mode every time, so this doesn't need to be a variable, let alone a global one.

[terriko]

This might be a good time to refactor the output code (that's why this was listed as part of a gsoc project and not something we'd planned to just do a quick fix on) so that you can have a function that goes something like cve_output("csv", cves) or cve_output("console", cves) and not have the mess of output that we have now.

[k-udupa2000]

1. @terriko Thanks for the detailed explanation!
   I have couple of doubts regarding the code:
   a. This code is failing when I run it for test present in test_scanner. This is because the main function in cli.py is not executed and hence the arguments are not declared. Could you guide me through this.
   b. Write mode in the file was erasing the previous contents of the file, hence I used a variable for it.

Lastly, Since this is listed under GSOC project Idea, should this be left for GSOC?

[terriko]

• Yes, our tests for cli.py test the sub-functions, and you'd need to have the tests work differently here than they do for the scanner portions, since you're testing a different thing. If you're breaking the existing tests, though, that's a bad sign.
• Using a variable vs not shouldn't make any difference in the behaviour of write, and I think you actually want to overwrite the file in this case anyhow (because how would you tell when you fixed CVEs in subsequent scans otherwise?)

You don't have to leave this for GSoC, but it's a change that's going to require more than a few days of work and refactoring to be really excellent, so that's why we put it as a GSoC option. It's a big enough change that I'd like the contributor who does it to get paid for the work if we can.

There's a whole debate about the ethics of open source contributions and getting paid, but I won't turn down unpaid labour if you just want to do it. Unpaid contributions is how I got my start and continue to learn new technologies, so I feel like I'd be betraying my teenaged self if I stopped people from trying to do big things. But if you're eligible for GSoC it's totally okay to look at this say "Look, I got this far" and put it in your application to get paid to finish the work. :)

[terriko]

Superceeded by #410