Simplify and improve --help usage message

Issue #49

README.md

@@ -58,52 +58,39 @@ For more information about how v2.0.0 differs from v1.0.10, see the
 CVEScan provides a number of options. See `cvescan -h` for more details.
 
 ```
-$> cvescan -h
+usage: cvescan [-h] [--version] [-v] [-p {critical,high,medium,all}]
+               [--db UBUNTU_DB_FILE] [-m MANIFEST_FILE] [--csv] [--json]
+               [--syslog HOST:PORT] [--syslog-light HOST:PORT] [--show-links]
+               [--unresolved] [-x] [-n] [-c CVE-IDENTIFIER] [-s]
 
-usage: cvescan [-h] [-c CVE-IDENTIFIER] [-p {critical,high,medium,all}] [-s]
-               [-u UCT_FILE] [-m MANIFEST_FILE] [-n] [--show-links]
-               [--unresolved] [-v] [-x]
-
-Scan an Ubuntu system for known vulnerabilities.
+Scan an Ubuntu system for known vulnerabilities
 
 optional arguments:
   -h, --help            show this help message and exit
+  --version             Show CVEScan's version number and exit
+  -v, --verbose         enable verbose messages
   -p {critical,high,medium,all}, --priority {critical,high,medium,all}
-                        'critical' = show only critical CVEs.
-                        'high'     = show critical and high CVEs (default)
-                        'medium'   = show critical and high and medium CVEs
-                        'all'      = show all CVES (no filtering based on priority)
-  -s, --silent          Enable script/Silent mode: To be used with '-c <cve-identifier>'.
-                        Do not print text output; exit 0 if not vulnerable, exit 1 if vulnerable.
-  --db UBUNTU_DB_FILE   Specify an Ubuntu vulnerability datbase file to use instead of downloading the
-                        latest from people.canonical.com.
+                        filter output by CVE priority
+  --db UBUNTU_DB_FILE   Specify an Ubuntu vulnerability datbase file to use instead
+                        of downloading the latest from people.canonical.com.
   -m MANIFEST_FILE, --manifest MANIFEST_FILE
-                        Enable manifest mode. Do not scan the localhost. Instead, run a scan against the
-                        specified package manifest file.
-                        Note: Package manifest files can be generated by running
-                              `dpkg-query -W > manifest.txt` on the host you wish to scan.
-  --csv                 Format output as CSV.
+                        scan a package manifest file instead of the local system
+  --csv                 format output as CSV
+  --json                format output as JSON
+  --syslog HOST:PORT    send JSON formatted output to a syslog server specified by
+                        <host>:<port>
+  --syslog-light HOST:PORT
+                        send a simple log message to a syslog server specified by
+                        <host>:<port>
+  --show-links          include links to the Ubuntu CVE Tracker in the output
+  --unresolved          include CVEs that have not yet been resolved in the output
+  -x, --experimental    for users of Ubuntu Advantage, include eXperimental (also
+                        called "alpha") in the output
+  -n, --nagios          format output for use with Nagios NRPE
   -c CVE-IDENTIFIER, --cve CVE-IDENTIFIER
-                        Report if this system is vulnerable to a specific CVE.
-  --json                Format output as JSON.
-  -n, --nagios          Enable Nagios mode for use with NRPE.
-                        Typical nagios-style "OK|WARNING|CRITICAL|UNKNOWN" messages
-                         and exit codes of 0, 1, 2, or 3.
-                        0/OK = not vulnerable to any known and patchable CVEs of the
-                         specified priority or higher.
-                        1/WARNING = vulnerable to at least one known CVE of the specified
-                         priority or higher for which there is no available update.
-                        2/CRITICAL = vulnerable to at least one known and patchable CVE of
-                         the specified priority or higher.
-                        3/UNKNOWN = something went wrong with the script, or oscap.
-  --show-links          Provide links to the Ubuntu CVE Tracker for each CVE.
-  --unresolved          Show CVEs that have not yet been resolved.
-  -v, --verbose         Enable verbose messages.
-  --version             Show CVEScan's version number and exit
-  -x, --experimental    Enable eXperimental mode. Use experimental (also called "alpha") data
-                        from the Ubuntu CVE tracker. The alpha UCT files include information about
-                        package updates available for users of Ubuntu Advantage running systems
-                        with ESM Apps and ESM Infra enabled.
+                        report whether or not this system is vulnerable to a
+                        specific CVE.
+  -s, --silent          do not print any output (only used with --cve)
 ```
 
 ### Return Codes

cvescan/__main__.py

@@ -67,8 +67,15 @@ def error_exit(msg, code=const.ERROR_RETURN_CODE):
 
 
 def parse_args():
-    cvescan_ap = ap.ArgumentParser(
-        description=const.CVESCAN_DESCRIPTION, formatter_class=ap.RawTextHelpFormatter
+    cvescan_ap = ap.ArgumentParser(description=const.CVESCAN_DESCRIPTION)
+    cvescan_ap.add_argument(
+        "--version",
+        action="version",
+        version="CVEScan, v" + get_version(),
+        help=const.VERSION_HELP,
+    )
+    cvescan_ap.add_argument(
+        "-v", "--verbose", action="store_true", default=False, help=const.VERBOSE_HELP
     )
     cvescan_ap.add_argument(
         "-p",
@@ -77,21 +84,12 @@ def parse_args():
         choices=[const.CRITICAL, const.HIGH, const.MEDIUM, const.ALL],
         default=None,
     )
-    cvescan_ap.add_argument(
-        "-s", "--silent", action="store_true", default=False, help=const.SILENT_HELP
-    )
     cvescan_ap.add_argument("--db", metavar="UBUNTU_DB_FILE", help=const.DB_FILE_HELP)
     cvescan_ap.add_argument(
         "-m", "--manifest", metavar="MANIFEST_FILE", help=const.MANIFEST_HELP
     )
     cvescan_ap.add_argument("--csv", action="store_true", help=const.CSV_HELP)
-    cvescan_ap.add_argument(
-        "-c", "--cve", metavar="CVE-IDENTIFIER", help=const.CVE_HELP
-    )
     cvescan_ap.add_argument("--json", action="store_true", help=const.JSON_HELP)
-    cvescan_ap.add_argument(
-        "-n", "--nagios", action="store_true", default=False, help=const.NAGIOS_HELP
-    )
     cvescan_ap.add_argument("--syslog", metavar="HOST:PORT", help=const.SYSLOG_HELP)
     cvescan_ap.add_argument(
         "--syslog-light", metavar="HOST:PORT", help=const.SYSLOG_LIGHT_HELP
@@ -102,22 +100,22 @@ def parse_args():
     cvescan_ap.add_argument(
         "--unresolved", action="store_true", default=False, help=const.UNRESOLVED_HELP
     )
-    cvescan_ap.add_argument(
-        "-v", "--verbose", action="store_true", default=False, help=const.VERBOSE_HELP
-    )
-    cvescan_ap.add_argument(
-        "--version",
-        action="version",
-        version="CVEScan, v" + get_version(),
-        help=const.VERSION_HELP,
-    )
     cvescan_ap.add_argument(
         "-x",
         "--experimental",
         action="store_true",
         default=False,
         help=const.EXPERIMENTAL_HELP,
     )
+    cvescan_ap.add_argument(
+        "-n", "--nagios", action="store_true", default=False, help=const.NAGIOS_HELP
+    )
+    cvescan_ap.add_argument(
+        "-c", "--cve", metavar="CVE-IDENTIFIER", help=const.CVE_HELP
+    )
+    cvescan_ap.add_argument(
+        "-s", "--silent", action="store_true", default=False, help=const.SILENT_HELP
+    )
 
     return cvescan_ap.parse_args()
 

cvescan/constants.py

@@ -1,74 +1,45 @@
-CVESCAN_DESCRIPTION = "Scan an Ubuntu system for known vulnerabilities."
+CVESCAN_DESCRIPTION = "Scan an Ubuntu system for known vulnerabilities"
 
-CVE_HELP = "Report if this system is vulnerable to a specific CVE."
+VERSION_HELP = "Show CVEScan's version number and exit"
 
-PRIORITY_HELP = (
-    "'critical' = show only critical CVEs.\n'high'     = show "
-    "critical and high CVEs (default)\n'medium'   = show critical and "
-    "high and medium CVEs\n'all'      = show all CVES (no filtering "
-    "based on priority)"
-)
+VERBOSE_HELP = "enable verbose messages"
 
-SILENT_HELP = (
-    "Enable script/Silent mode: To be used with "
-    "'-c <cve-identifier>'.\nDo not print text output; exit 0 if not "
-    "vulnerable, exit 1 if vulnerable."
-)
 
-MANIFEST_HELP = (
-    "Enable manifest mode. Do not scan the localhost. Instead, run a scan against the\n"
-    "specified package manifest file.\n"
-    "Note: Package manifest files can be generated by running \n"
-    "      `dpkg-query -W > manifest.txt` on the host you wish to scan."
-)
-
-FILE_HELP = (
-    "Used with '-m' option to override the default behavior. Specify\n "
-    "a manifest file to scan instead of downloading an OCI manifest.\n "
-    "The file needs to be readable under snap confinement.\n User's home "
-    "will likely work, /tmp will likely not work."
-)
+PRIORITY_HELP = "filter output by CVE priority"
 
 DB_FILE_HELP = (
-    "Specify an Ubuntu vulnerability datbase file to use instead of downloading the \n"
-    "latest from people.canonical.com."
+    "Specify an Ubuntu vulnerability datbase file to use instead of downloading the"
+    "  latest from people.canonical.com."
 )
 
-NAGIOS_HELP = (
-    "Enable Nagios mode for use with NRPE.\nTypical nagios-style "
-    '"OK|WARNING|CRITICAL|UNKNOWN" messages\n and exit codes of 0, 1, '
-    "2, or 3.\n0/OK = not vulnerable to any known and patchable CVEs of "
-    "the\n specified priority or higher.\n1/WARNING = vulnerable to at "
-    "least one known CVE of the specified\n priority or higher for which "
-    "there is no available update.\n2/CRITICAL = vulnerable to at least "
-    "one known and patchable CVE of\n the specified priority or higher.\n"
-    "3/UNKNOWN = something went wrong with the script, or oscap."
-)
+MANIFEST_HELP = "scan a package manifest file instead of the local system"
 
-SYSLOG_HELP = "Send JSON formatted output to a syslog server specified by HOST:PORT."
-SYSLOG_LIGHT_HELP = (
-    "Send a short log message stating how many vulnerabilities are fixable to a \n"
-    "syslog server specified by HOST:PORT."
-)
+CSV_HELP = "format output as CSV"
+
+JSON_HELP = "format output as JSON"
 
-UCT_LINKS_HELP = "Provide links to the Ubuntu CVE Tracker for each CVE."
 
-UNRESOLVED_HELP = "Show CVEs that have not yet been resolved."
+SYSLOG_HELP = "send JSON formatted output to a syslog server specified by <host>:<port>"
 
-VERBOSE_HELP = "Enable verbose messages."
+SYSLOG_LIGHT_HELP = (
+    "send a simple log message to a syslog server specified by <host>:<port>"
+)
 
-VERSION_HELP = "Show CVEScan's version number and exit."
+UCT_LINKS_HELP = "include links to the Ubuntu CVE Tracker in the output"
+
+UNRESOLVED_HELP = "include CVEs that have not yet been resolved in the output"
 
 EXPERIMENTAL_HELP = (
-    'Enable eXperimental mode. Use experimental (also called "alpha") data \n'
-    "from the Ubuntu CVE tracker. The alpha UCT files include information about\n"
-    "package updates available for users of Ubuntu Advantage running systems \n"
-    "with ESM Apps and ESM Infra enabled."
+    'for users of Ubuntu Advantage, include eXperimental (also called "alpha")'
+    "  in the output"
 )
 
-JSON_HELP = "Format output as JSON."
+NAGIOS_HELP = "format output for use with  Nagios NRPE"
+
+CVE_HELP = "report whether or not this system is vulnerable to a specific CVE."
+
+SILENT_HELP = "do not print any output (only used with --cve)"
 
-CSV_HELP = "Format output as CSV."
 
 DEBUG_LOG = "debug.log"
 LSB_RELEASE_FILE = "/etc/lsb-release"