Improve/document confusing exit codes #79

@EggBaconAndSpam

vulnix currently returns the following exit codes:

  • 2 if a runtime exception occurred, or if all went well and there were non-whitelisted vulnerabilities
  • 1 if the --show-whitelisted option was used and there was at least one whitelisted vulnerability (but no non-whitelisted ones)
  • 0 otherwise

I find this a little confusing, and ended up having to use the (vulnix ... || true) > out.json trick to deal with non-zero exit codes.

A few thoughts:

  1. The exit codes should be documented (in vulnix --help). I'm not sure how to achieve this with the click package we're using.
  2. Runtime exception should yield a distinct exit code from non-failure exit codes.
  3. There should be a flag to tell vulnix to return a non-zero exit code if and only if an exception occurred.
  4. Alternatively, vulnix could return non-zero exit codes only in the case of an exception, and we could add an explicit flag to fail if vulnerabilities were found.

What do you think?
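
One way to work with the current codes from a CI script, as an added example that is not part of the original issue or of vulnix itself: it maps the three exit codes listed above to named outcomes and splits the ambiguous code 2 by checking whether stdout parsed as JSON. It assumes the scan is run with JSON output (as the out.json redirect suggests) and that a runtime exception leaves stdout empty or non-JSON; `classify_scan` and `json_ok` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not vulnix code. Exit-code meanings are the ones listed in
# the issue above; classify_scan and json_ok are hypothetical helper names.

# True if FILE parses as JSON. Assumption: the scan was asked for JSON output
# and a runtime exception leaves stdout empty or non-JSON.
json_ok() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
    else
        # Fallback heuristic: first non-blank character opens a JSON value.
        case $(tr -d ' \t\r\n' < "$1" | cut -c1) in
            '['|'{') return 0 ;;
            *) return 1 ;;
        esac
    fi
}

# usage: classify_scan OUTFILE COMMAND [ARGS...]
# Prints clean | whitelisted-only | vulnerable | error and returns
# 0 for the first two, 1 for vulnerable, 3 for error.
classify_scan() {
    out=$1; shift
    rc=0
    "$@" > "$out" || rc=$?      # capture the status without tripping `set -e`
    case $rc in
        0) echo clean ;;
        1) echo whitelisted-only ;;
        2) if json_ok "$out"; then
               echo vulnerable; return 1
           else
               echo error; return 3
           fi ;;
        *) echo error; return 3 ;;
    esac
}

# Typical call (the vulnix arguments are whatever you already pass):
#   classify_scan out.json vulnix --json ...
```

A pipeline that should fail only on a broken scan can test for return status 3 and treat 1 as a report-only result.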
