Added Input Engine with triage functionality

[Niraj-Kamdar]

New features:

• Created input_engine that can handle various input files with triage data
• Currently, input engine supports csv and json file.
• To get cves from input file - Usage: cve-bin-tool -i=test.csv
• Input engine can also be used to supplement triage data - Usage: cve-bin-tool -i=test.csv /path/to/scan
• User can now add remarks field in csv or json which can have any value from following values ( Here, values in parenthesis are aliases for that specific type. )
  1. NewFound (1, n, N)
  2. Unexplored (2, u, U)
  3. Confirmed (3, c, C)
  4. Mitigated, (4, m, M)
  5. Ignored (5, i, I)
• Output will be also represented in above order.
• tests for input engine added under test_input_engine.
• removed test for old csv2cve

[codecov-commenter]

Codecov Report

Merging #777 into master will decrease coverage by 0.93%.
The diff coverage is 81.55%.

@@            Coverage Diff             @@
##           master     #777      +/-   ##
==========================================
- Coverage   88.32%   87.38%   -0.94%     
==========================================
  Files         139      140       +1     
  Lines        2483     2474       -9     
  Branches      301      297       -4     
==========================================
- Hits         2193     2162      -31     
- Misses        226      243      +17     
- Partials       64       69       +5     

Flag	Coverage Δ
#longtests	87.38% <81.55%> (-0.94%)	⬇️

Impacted Files	Coverage Δ
cve_bin_tool/csv2cve.py	0.00% <0.00%> (-63.37%)	⬇️
cve_bin_tool/cvedb.py	87.60% <ø> (+2.12%)	⬆️
cve_bin_tool/version_signature.py	76.59% <ø> (ø)
test/test_data/ffmpeg.py	100.00% <ø> (ø)
test/test_data/kerberos.py	100.00% <ø> (ø)
test/test_data/lighttpd.py	100.00% <ø> (ø)
cve_bin_tool/util.py	70.58% <33.33%> (-13.42%)	⬇️
cve_bin_tool/cli.py	82.90% <71.11%> (-3.27%)	⬇️
test/test_scanner.py	90.00% <79.16%> (-6.39%)	⬇️
test/test_output_engine.py	97.61% <90.00%> (-1.22%)	⬇️
... and 13 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ce183b0...de68871. Read the comment docs.

[Niraj-Kamdar]

Custom error codes

[Niraj-Kamdar]

custom except hook to also throw exit code while exception raise

[terriko]

This is really lovely, thanks. One of our users (I think someone running this on a Yocto based system?) was saying that they use the return codes to colourize their CI dashboard, so this may be very helpful to others as well.

[Niraj-Kamdar]

New option to specify input file

[SinghHrmn]

shouldn't it be the actual path to the file? I guess it should be file-path

[Niraj-Kamdar]

just a better name because files_with_cves won't make much sense while using it as csv2cve

[terriko]

Good thinking, though I wonder if products will be confusing for people scanning directories, as they may think of a "product" as a .deb or somesuch and we have a different definition. it's tempting to just say "things" instead of files or products, but I guess that doesn't sound quite as formal.

[Niraj-Kamdar]

dummy csv2cve file

[Niraj-Kamdar]

custom exceptions to raise exceptions

[Niraj-Kamdar]

custom enum class that can handle multiple aliases easily and can also be sorted.

[Niraj-Kamdar]

This is to provide comparison methods that allows sorting of list of Remarks.

[Niraj-Kamdar]

Fixes problem with Windows CI

[SinghHrmn]

YAY! Thanks for this

[Niraj-Kamdar]

Changed because of https://bugs.python.org/issue35621.

[terriko]

I've got a bunch of nitpicky comments about error codes and better PR splits, but given that @SinghHrmn I think is waitnig for this PR to be merged, I'm going to merge and file issues for my feedback rather than request changes.

@Niraj-Kamdar one big thing though is that you really need to get into the habit of grouping the changes in PRs by function, so the checker changes here should have been in a separate branch and a separate PR. Much of the minor refactoring stuff should also have been split out. We've let you get into bad habits because we had so much refactoring that needed doing that I was expecting to see giant PRs, and that's on me and @pdxjohnny as mentors, but it's something I think is worth working on going forwards.

Here's a couple of helpful articles on how to split up PRs that I think you might find helpful: https://unhashable.com/stacked-pull-requests-keeping-github-diffs-small/ https://www.thedroidsonroids.com/blog/splitting-pull-request

[terriko]

Should we be altering the checker default so it scans for VERSION_PATTERNS as well as CONTAINS_PATTERNS by default? It seems silly to duplicate lines in each checker if we probably actually want version patterns to also be a valid detection string.

[Niraj-Kamdar]

Yes that can be helpful.

[terriko]

This is really lovely, thanks. One of our users (I think someone running this on a Yocto based system?) was saying that they use the return codes to colourize their CI dashboard, so this may be very helpful to others as well.

[terriko]

I kind of prefer the clarity of the is None check in some cases (because we get so many new pythonistas looking at this project) but this isn't a thing I expect a lot of new contributors to look at so I think streamlining this is the right choice.

[terriko]

Changing the default is fine, but don't change the help message here: that's to clarify for users because the default messages from argparser didn't make the behaviour clear.

Suggested change

	help="provide output filename",
	help="provide output filename (default: output to stdout)",

[Niraj-Kamdar]

I will add that.

[terriko]

I've been wondering about this: should we change the default to auto-extract? I've opened an issue to discuss, since that's out of scope for this PR. #786

[terriko]

Good thinking, though I wonder if products will be confusing for people scanning directories, as they may think of a "product" as a .deb or somesuch and we have a different definition. it's tempting to just say "things" instead of files or products, but I guess that doesn't sound quite as formal.

[terriko]

If we're importing cli, we might as well use the same error code list here.

[Niraj-Kamdar]

I will change that

[terriko]

Another error code spot.

[terriko]

yay type hints!

[terriko]

In future, can you put unrelated changes to checkers in a separate PR? They could all be grouped together, but they shouldn't be grouped with the InputEngine changes. It's considered bad form by most open source projects to group them the way you have.

[Niraj-Kamdar]

I have put it here because I have to make VersionScanner generator to use InputEngine parsed data as supplement and it was breaking the test_scanner because I have also included test for contains string previously but I have forget to clean up scanner and test was only passing due to previous scan has detected it. So, that's why when I converted that in generator this bug come to surface. I should have divide this PR in two parts: 1) Making version_scanner generator and 2) building input_engine. Thanks, for the feedback. I will try to keep PR size smaller.