Added csv output to export dependencies (#2178)

* added csv output to export dependencies

Author: yunchu

.ci/csv.tmpl

@@ -0,0 +1,10 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{ .Target }})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}{{ .VulnerabilityID }},{{ .Severity }},{{ range $key, $value := .CVSS }}{{ if (eq $key "nvd") }}{{ .V3Score }}{{ end }}{{ end }},"{{ .Title }}","{{ .PkgName }}","{{ .InstalledVersion }}","{{ .FixedVersion }}",{{ .PrimaryURL }}
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages }}{{ .ID }},{{ .Name }},{{ .Version }}
+{{ end }}
+{{ end }}

.github/workflows/code_scan.yml

@@ -27,8 +27,9 @@ jobs:
         with:
           name: trivy-results
           path: |
-            .tox/trivy-scan-results.txt
             .tox/trivy-spdx-otx.json
+            .tox/trivy-results-otx.txt
+            .tox/trivy-results-otx.csv
   Bandit:
     runs-on: ubuntu-20.04
     steps:

tox.ini

@@ -120,8 +120,9 @@ commands =
     bash -c "pip freeze > requirements.txt"
     curl -L0 {env:TRIVY_DOWNLOAD_URL} -o {toxworkdir}/trivy.tar.gz
     tar -xzf {toxworkdir}/trivy.tar.gz -C {toxworkdir}
-    {toxworkdir}/trivy fs -c .ci/trivy.yaml --list-all-pkgs -o {toxworkdir}/trivy-scan-results.txt ./requirements.txt
-    {toxworkdir}/trivy fs -c .ci/trivy.yaml --format spdx-json -o {toxworkdir}/trivy-spdx-otx.json ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml -o {toxworkdir}/trivy-results-otx.txt ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml --list-all-pkgs --format template --template "@.ci/csv.tmpl" -o {toxworkdir}/trivy-results-otx.csv ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml --format spdx-json -o {toxworkdir}/trivy-spdx-otx.json ./requirements.txt
     rm {toxworkdir}/trivy.tar.gz
     rm {toxworkdir}/trivy
     rm requirements.txt