Machine-readable output

[rossburton]

Can we have a mode to have only machine-readable output?

For example the output is currently:

$ cve-bin-tool -x /data/poky-tmp/master/work/corei7-64-poky-linux/libgcrypt/1.8.5-r0/image/ -s ffmpeg
Checking if CVE data needs an update.
Last Update: 2019-12-09
Local database has been updated in the past 24h.
New data not downloaded.  Use "-u now" to force an update
Skipping checker: ffmpeg
('gnupg', 'libgcrypt', '%1.8.5%')

Overall CVE summary:
There are 1 files with known CVEs detected
Known CVEs in ( ' l i b g c r y p t ' ,   ' 1 . 8 . 5 ' ):
libgcrypt,1.8.5,CVE-2018-12433,MEDIUM
libgcrypt,1.8.5,CVE-2018-12437,MEDIUM
libgcrypt,1.8.5,CVE-2018-12438,MEDIUM

If I want to parse that I need to drop lines until I find "Known CVEs in" and then I have a CSV format. A machine-readable mode would just be that output, and the not rest.

[terriko]

This is a great idea! Probably this could happen at the same time as the output cleanup for --quiet and --log unification.

Although I'm pretty sure it's going to result in me having to write more security validation tests because now I'll have CSV output. Oh well, I'll deal. ;)

[terriko]

This one probably could have been closed quite a while ago. We've now got json (intended as machine readable alternative) and probably the csv is relatively easy to parse as well. I know some folk are still parsing the console output/logs but we're aiming to have all the information from those included in the json.