feat: (logging) Why do you add the RichHandler to the root logger? #4559

Open
@jloehel

Description

I am using cve-bin-tool as a lib and not as a CLI. I have noticed that cve-bin-tool adds a logging handler (RichHandler) to the root logger. Is there any special reason for that?

# Rich Handler by default Initialize a Console with stderr stream for logs
logging.basicConfig(
    level="INFO",
    format="%(name)s - %(message)s",
    datefmt="[%X]",
    handlers=[RichHandler()],
)
# Add the handlers to the root logger
root_logger = logging.getLogger()
LOGGER = logging.getLogger(__package__)
LOGGER.setLevel(logging.INFO)

It would be kind to add the handler just to the __package__ logger as a quick fix:

LOGGER.addHandler(RichHandler())

Better: set a NullHandler in the __init__.py and add the formatter and RichHandler in cli.main, like the log level.

I think this is a leftover:

# Add the handlers to the root logger
root_logger = logging.getLogger()

The handler gets added while basicConfig is being set up.

I am fixing this right now like this:

from .db import MyCVEDatabase
from .scan import MyCVEScanner
from logging import getLogger

root_logger = getLogger()
root_logger.handlers = []

Why?

Hijacking the root logger causes some trouble during logging for others who use cve_bin_tool as a lib.

Environment context (optional)

  • I am using cve-bin-tool version 3.4 from PyPI with Python 3.11 on Linux
  • I am using the cvedb and cvescan with custom sources and with a modified scanner which automatically adds the results to the input SBOM (CycloneDX) with some extra information.
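
An added example, not part of the original issue and not cve-bin-tool's code, contrasting the import-time root-logger configuration described above with the suggested NullHandler-in-the-package approach. The names `scanner_lib`, `host_app.audit` and `ListHandler` (a stdlib stand-in for RichHandler) are hypothetical, and the log messages are constructed.

```python
import logging

PKG = "scanner_lib"  # hypothetical package name standing in for cve_bin_tool


class ListHandler(logging.Handler):
    """Collects rendered records; stdlib stand-in for rich's RichHandler."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(f"{record.name} - {record.getMessage()}")


def reset_logging():
    """Drop handlers from the root and package loggers between scenarios."""
    for name in (None, PKG):
        logger = logging.getLogger(name)
        for handler in list(logger.handlers):
            logger.removeHandler(handler)


def import_time_root_config():
    """Pattern from the issue: the library calls basicConfig when imported."""
    reset_logging()
    lib_handler = ListHandler()
    logging.basicConfig(level="INFO", handlers=[lib_handler])
    # A host application logger the library knows nothing about.
    logging.getLogger("host_app.audit").warning("token rotated")
    return lib_handler.lines  # the library's handler rendered the host's record


def library_null_handler():
    """Suggested pattern: NullHandler in the package, real handler in the CLI."""
    reset_logging()
    pkg_logger = logging.getLogger(PKG)
    pkg_logger.addHandler(logging.NullHandler())  # what __init__.py would do
    host_handler = ListHandler()                  # the host application's setup
    logging.getLogger().addHandler(host_handler)
    pkg_logger.warning("scan finished")           # library used as a lib
    cli_handler = ListHandler()                   # what cli.main would attach
    pkg_logger.addHandler(cli_handler)
    pkg_logger.warning("cli run")
    logging.getLogger("host_app.audit").warning("token rotated")
    return host_handler.lines, cli_handler.lines
```

In the second scenario the host's handler still receives the library's records through propagation, while the CLI handler sees only the package's own records.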

Labels: enhancement (New feature or request)
