
CVE scan on cve-bin-tool's requirements and HTML report dependencies #1113

Merged (38 commits), May 26, 2021

Conversation

BreadGenie (Contributor) commented Mar 24, 2021

The CSV file is compiled with the vendor and product columns with the packages from requirements.txt and the HTML report dependencies.

closes #1111 and closes #809

BreadGenie (Contributor, Author) commented Mar 24, 2021

Should I move the CSV file to a specific directory or keep it at root?
I have some doubts about the zstandard package: whether the package listed in PyPI and the one in the NVD DB are the same.
Made PR early to make sure I'm on the right track :D

@BreadGenie BreadGenie changed the title CSV file for CVE input CSV file of requirements.txt for CVE input Mar 28, 2021
codecov-io commented Mar 31, 2021

Codecov Report

Merging #1113 (72f1275) into main (4f9fafe) will increase coverage by 0.21%.
The diff coverage is n/a.

❗ Current head 72f1275 differs from pull request most recent head 48f3445. Consider uploading reports for the commit 48f3445 to get more accurate results
```
@@            Coverage Diff             @@
##             main    #1113      +/-   ##
==========================================
+ Coverage   86.59%   86.80%   +0.21%     
==========================================
  Files         177      183       +6     
  Lines        2998     3031      +33     
  Branches      333      333              
==========================================
+ Hits         2596     2631      +35     
+ Misses        320      319       -1     
+ Partials       82       81       -1     
```

| Flag | Coverage Δ |
|---|---|
| longtests | 86.80% <ø> (+0.21%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|---|---|
| test/utils.py | 97.14% <0.00%> (ø) |
| cve_bin_tool/version.py | 70.00% <0.00%> (ø) |
| cve_bin_tool/checkers/zlib.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/glibc.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/nessus.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/systemd.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/__init__.py | 95.55% <0.00%> (ø) |
| cve_bin_tool/checkers/polarssl_fedora.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/webkitgtk.py | 100.00% <0.00%> (ø) |
| cve_bin_tool/checkers/libsndfile.py | 100.00% <0.00%> (ø) |
| ... and 6 more | |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4f9fafe...48f3445.

BreadGenie (Contributor, Author) commented:

Made the changes according to the recommendations from the meet!

BreadGenie (Contributor, Author) commented Apr 14, 2021

Switched to importlib from pkg_resources, since using pkg_resources is discouraged:

> Use of pkg_resources is discouraged in favor of importlib.resources, importlib.metadata, and their backports (resources, metadata).

(from the pkg_resources docs)

We might need to think about switching from pkg_resources to importlib for the whole codebase.

@BreadGenie BreadGenie mentioned this pull request Apr 16, 2021
BreadGenie (Contributor, Author) commented Apr 16, 2021

Thought the test would fail on jQuery, but before running the scan on the HTML report dependencies cve-bin-tool found a CVE on reportlab. And it seems like all versions of reportlab are affected by CVE-2020-28463.

Molkree (Contributor) left a review comment:

Most of these are just nitpicking, but if you change the setup-python version, word capitalization and pip usage, you might as well change them in the other jobs, unless the maintainers decide it is better to separate the changes.

(6 review comments on .github/workflows/pythonapp.yml, resolved)
codecov-commenter commented Apr 17, 2021

Codecov Report

Merging #1113 (f0cec4f) into main (4f9fafe) will decrease coverage by 6.17%.
The diff coverage is 0.00%.

```
@@            Coverage Diff             @@
##             main    #1113      +/-   ##
==========================================
- Coverage   86.59%   80.41%   -6.18%     
==========================================
  Files         177      196      +19     
  Lines        2998     3354     +356     
  Branches      333      375      +42     
==========================================
+ Hits         2596     2697     +101     
- Misses        320      559     +239     
- Partials       82       98      +16     
```

| Flag | Coverage Δ |
|---|---|
| longtests | 80.41% <0.00%> (-6.18%) ⬇️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|---|---|
| test/test_requirements.py | 0.00% <0.00%> (ø) |
| cve_bin_tool/output_engine/__init__.py | 68.47% <0.00%> (-28.14%) ⬇️ |
| cve_bin_tool/checkers/xml2.py | 61.36% <0.00%> (-27.28%) ⬇️ |
| test/test_json.py | 68.96% <0.00%> (-20.69%) ⬇️ |
| cve_bin_tool/checkers/systemd.py | 85.18% <0.00%> (-14.82%) ⬇️ |
| test/test_scanner.py | 61.71% <0.00%> (-12.50%) ⬇️ |
| test/test_cli.py | 81.28% <0.00%> (-11.83%) ⬇️ |
| cve_bin_tool/cli.py | 83.33% <0.00%> (-2.90%) ⬇️ |
| cve_bin_tool/cvedb.py | 86.44% <0.00%> (-2.61%) ⬇️ |
| cve_bin_tool/extractor.py | 60.15% <0.00%> (-1.57%) ⬇️ |
| ... and 90 more | |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4f9fafe...f0cec4f.

BreadGenie (Contributor, Author) commented Apr 21, 2021

PR is updated to scan a single cached CSV file and all CVEs are now shown in that run (failed test).

(2 review comments on requirements_csv.py, resolved)
@BreadGenie BreadGenie changed the title CSV file of requirements.txt for CVE input CSV file of requirements.txt and HTML report dependencies for CVE check Apr 24, 2021
@BreadGenie BreadGenie changed the title CSV file of requirements.txt and HTML report dependencies for CVE check CVE check of requirements.txt and HTML report dependencies Apr 24, 2021
Molkree (Contributor) commented May 14, 2021

If I understand caching correctly, this (not the internal GitHub Actions error) failed because:

1. It was the first CI run of the day in the repo, hence no DB cache was created.
2. When it ran, your new job was the quickest one, so the testing jobs didn't have time to create the cache.
3. When your job gets to the line `with open(CACHE_CSV, "w") as f:` there is no such file in the cache.

(7 review comments on test/test_requirements.py, resolved)
BreadGenie (Contributor, Author) commented May 15, 2021

> 1. It was the first CI run of the day in the repo, hence no DB cache was created.

Yup, there was no existing cache directory. So I changed the test to create a cache directory if it doesn't exist.

> 3. When your job gets to the line `with open(CACHE_CSV, "w") as f:` there is no such file in the cache.

I thought the same too. But it's actually a problem with the directory not existing, not the file, since if the file doesn't exist while using `open` in `w` mode, it will create a new file.

Cover cases for when csv file is not in sync with txt file and split the error messages for improved reading.
Add single run of cve-bin-tool to produce a cache folder properly and remove the check for cache directory.
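The two mechanics discussed in this thread, the switch from pkg_resources to importlib.metadata (Apr 14 comment) and the cache directory that must exist before the CSV is opened in `w` mode (May 15 comment), as an added example that is not the PR's own code. The vendor map, the regex and the package names are constructed for illustration; only exact `==` pins are honoured.

```python
"""Build a vendor,product,version CSV for cve-bin-tool from a requirements file.
Added example for this thread, not the PR's own code. Versions come from
importlib.metadata instead of pkg_resources, and the cache directory is created
before the CSV is opened in "w" mode, since open() creates a missing file but
never a missing directory."""
import csv
import os
import re
import tempfile
from importlib import metadata

# Hypothetical PyPI-name -> NVD-vendor map; the PR keeps the real table in its CSV.
VENDOR_MAP = {"reportlab": "reportlab", "zstandard": "facebook"}
# Distribution name plus an optional exact pin; other specifiers/markers ignored.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")

def parse_requirements(text):
    """Return (name, pinned_version_or_None) for each requirement line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or -r/-e option
            continue
        m = REQ_RE.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2)))
    return rows

def installed_version(name, fallback=None):
    """Installed distribution version via importlib.metadata, else the pin."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return fallback

def build_rows(req_text):
    """vendor,product,version triples; a package with no version at all is skipped."""
    rows = []
    for name, pin in parse_requirements(req_text):
        version = installed_version(name, pin)
        if version is not None:
            rows.append((VENDOR_MAP.get(name, "UNKNOWN"), name, version))
    return rows

def write_cache_csv(rows, path=None):
    """Create the cache dir first, write the CSV, return its lines read back."""
    if path is None:  # default: a not-yet-existing cache dir under a temp root
        path = os.path.join(tempfile.mkdtemp(), "cache", "requirements.csv")
    os.makedirs(os.path.dirname(path), exist_ok=True)  # the step the CI run lacked
    with open(path, "w", newline="") as f:
        csv.writer(f).writerows([("vendor", "product", "version"), *rows])
    with open(path, newline="") as f:
        return f.read().splitlines()
```

Without the `os.makedirs` call, the `open(..., "w")` raises `FileNotFoundError` on a fresh runner exactly as the first-run-of-the-day failure in the thread describes.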
(1 review comment on test/test_requirements.py, resolved)