Add script to find versions of packages

.github/workflows/pythonapp.yml

@@ -239,7 +239,7 @@ jobs:
           test/test_cli.py
 
   cve_scan:
-    name: CVE Scan of requirements.csv
+    name: CVE Scan of requirements
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
@@ -264,6 +264,9 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
+      - name: Create cache requirements.csv with versions
+        run: |
+          python requirements_csv.py
       - name: Run CVE Binary tool against requirements.csv
         run: |
-          python -m cve_bin_tool.cli requirements.csv 
+          python -m cve_bin_tool.cli --input-file ~/.cache/cve-bin-tool/requirements.csv 

requirements.csv

@@ -1,5 +1,5 @@
-vendor,product,version
-plot,plotly,4.14.3
-pocoo,jinja2,2.11.3
-aiohttp_project,aiohttp,3.7.4.post0
-pyyaml,pyyaml,5.4.1
+vendor,product
+plot,plotly
+pocoo,jinja2
+aiohttp_project,aiohttp
+pyyaml,pyyaml

requirements_csv.py

@@ -0,0 +1,31 @@
+# Copyright (C) 2021 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Script to add versions to requirements.csv
+
+import csv
+import os
+import pkg_resources
+
+REQ_CSV = os.path.abspath(os.path.join(os.path.dirname(__file__), "requirements.csv"))
+CACHE_CSV = os.path.join(os.path.expanduser("~"), ".cache", "cve-bin-tool", "requirements.csv")
+
+def get_cache_csv_data(file):
+    data = []
+    with open(file, "r") as f:
+        r = csv.reader(f)
+        next(r)
+        for row in r:
+            data.append((row[0], row[1], pkg_resources.get_distribution(row[1]).version))
+        return data
+
+cache_csv_data = get_cache_csv_data(REQ_CSV)
+
+# writes a cache CSV file
+with open(CACHE_CSV, "w") as f:
+    writer = csv.writer(f)
+    fieldnames = ["vendor", "product", "version"]
+    writer = csv.DictWriter(f, fieldnames=fieldnames)
+    writer.writeheader()
+    for row in cache_csv_data:
+        writer.writerow({"vendor": row[0], "product": row[1], "version": row[2]})