From 5dbc0a69f780e2b46a79bb70b1e72ec2a2138120 Mon Sep 17 00:00:00 2001
From: Yunchu Lee <yunchu.lee@intel.com>
Date: Thu, 25 May 2023 15:05:59 +0900
Subject: [PATCH] Added csv output to export dependencies (#2178)

* added csv output to export dependencies
---
 .ci/csv.tmpl                    | 10 ++++++++++
 .github/workflows/code_scan.yml |  3 ++-
 tox.ini                         |  5 +++--
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100755 .ci/csv.tmpl

diff --git a/.ci/csv.tmpl b/.ci/csv.tmpl
new file mode 100755
index 00000000000..5e9d0acb2d0
--- /dev/null
+++ b/.ci/csv.tmpl
@@ -0,0 +1,10 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{ .Target }})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}{{ .VulnerabilityID }},{{ .Severity }},{{ range $key, $value := .CVSS }}{{ if (eq $key "nvd") }}{{ .V3Score }}{{ end }}{{ end }},"{{ .Title }}","{{ .PkgName }}","{{ .InstalledVersion }}","{{ .FixedVersion }}",{{ .PrimaryURL }}
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages }}{{ .ID }},{{ .Name }},{{ .Version }}
+{{ end }}
+{{ end }}
\ No newline at end of file
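Review bot: The quoted fields on the vulnerability row (`"{{ .Title }}"`, `"{{ .PkgName }}"`, `"{{ .InstalledVersion }}"`, `"{{ .FixedVersion }}"`) are wrapped in double quotes but the values are not escaped, so an advisory title containing a double quote or a newline splits the row and shifts every later column; `.Title` is free text from the vulnerability database, not something the project controls. If the Trivy build fetched via `TRIVY_DOWNLOAD_URL` exposes Sprig string functions in templates, doubling embedded quotes, e.g. `"{{ .Title | replace "\"" "\"\"" }}"`, fixes the framing; otherwise the artifact should be documented as a human-readable report rather than consumed as strict CSV. A short comment at the top of the template stating that the `Triage Information` column is intentionally empty for manual fill-in and that `CVSS Score` is blank when the advisory has no `nvd` entry would save the next reader a trip through the Trivy schema. Because the file is meant to be opened by people, cells that start with `=`, `+`, `-` or `@` are treated as formulas by spreadsheet tools, so reviewers should import it as plain text or guard those cells first.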
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index 64dcb7ecf4c..cbf35ef22dc 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -27,8 +27,9 @@ jobs:
         with:
           name: trivy-results
           path: |
-            .tox/trivy-scan-results.txt
             .tox/trivy-spdx-otx.json
+            .tox/trivy-results-otx.txt
+            .tox/trivy-results-otx.csv
   Bandit:
     runs-on: ubuntu-20.04
     steps:
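Review bot: The upload step whose `with:` block is edited here starts above the hunk, so it is not visible whether it carries `if: always()`; if `.ci/trivy.yaml` makes Trivy exit non-zero on findings, a step without it would skip the upload and the new `.tox/trivy-results-otx.csv` would never reach the artifact in precisely the case the report is wanted. The three file names must stay in sync with the `-o` paths in tox.ini (`trivy-results-otx.txt`, `trivy-results-otx.csv`, `trivy-spdx-otx.json`); a comment on the `path:` key such as `# must match the -o paths of the trivy commands in tox.ini` makes that coupling explicit for the next edit.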
diff --git a/tox.ini b/tox.ini
index 9c58fcf33da..e86d50f9d58 100644
--- a/tox.ini
+++ b/tox.ini
@@ -120,8 +120,9 @@ commands =
     bash -c "pip freeze > requirements.txt"
     curl -L0 {env:TRIVY_DOWNLOAD_URL} -o {toxworkdir}/trivy.tar.gz
     tar -xzf {toxworkdir}/trivy.tar.gz -C {toxworkdir}
-    {toxworkdir}/trivy fs -c .ci/trivy.yaml --list-all-pkgs -o {toxworkdir}/trivy-scan-results.txt ./requirements.txt
-    {toxworkdir}/trivy fs -c .ci/trivy.yaml --format spdx-json -o {toxworkdir}/trivy-spdx-otx.json ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml -o {toxworkdir}/trivy-results-otx.txt ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml --list-all-pkgs --format template --template "@.ci/csv.tmpl" -o {toxworkdir}/trivy-results-otx.csv ./requirements.txt
+    {toxworkdir}/trivy fs -d -c .ci/trivy.yaml --format spdx-json -o {toxworkdir}/trivy-spdx-otx.json ./requirements.txt
     rm {toxworkdir}/trivy.tar.gz
     rm {toxworkdir}/trivy
     rm requirements.txt
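Review bot: `-d` on all three `trivy fs` invocations enables Trivy's debug logging on every CI run; this reads as a leftover from developing the template, and it fills the job log with database-download and analyzer detail that nobody triages, so either drop it or gate it behind a tox `{env:...}` setting. The template path `--template "@.ci/csv.tmpl"` is relative to the directory tox runs the command in (presumably `{toxinidir}`, which the existing `-c .ci/trivy.yaml` already relies on); writing it as `"@{toxinidir}/.ci/csv.tmpl"` removes that dependence. The same requirements.txt is now scanned three times to get three output formats, which triples scan time; if that is because one `trivy` run can emit only one `--format`, a one-line comment above the block saying so would stop a later cleanup from collapsing them. The `commands =` list these lines belong to begins above the hunk.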