Switch to STDERR and STDOUT instead of console.log to split info and output

Author: aegilops

src/cli.ts

@@ -99,10 +99,10 @@ async function main() {
     caBundlePath: argv["ca-bundle"] as string | undefined,
   });
 
-  if (!quiet) console.log(chalk.cyan(offline ? "Loading SBOMs from cache..." : "Collecting SBOMs from cache & GitHub..."));
+  if (!quiet) process.stderr.write(chalk.cyan(offline ? "Loading SBOMs from cache..." : "Collecting SBOMs from cache & GitHub...") + "\n");
   const sboms = await collector.collect();
   const summary = collector.getSummary();
-  if (!quiet) console.log(chalk.green(`Done. Success: ${summary.successCount} / ${summary.repositoryCount}. Failed: ${summary.failedCount}. Cached: ${summary.skippedCount}`));
+  if (!quiet) process.stderr.write(chalk.green(`Done. Success: ${summary.successCount} / ${summary.repositoryCount}. Failed: ${summary.failedCount}. Cached: ${summary.skippedCount}`) + "\n");
 
   const mas = new MalwareAdvisorySync({
     token: token!,
@@ -114,10 +114,10 @@ async function main() {
 
   if (argv["sync-malware"]) {
 
-    if (!quiet) console.log(chalk.cyan("Syncing malware advisories from GitHub Advisory Database..."));
+    if (!quiet) process.stderr.write(chalk.cyan("Syncing malware advisories from GitHub Advisory Database...") + "\n");
 
     const { added, updated, total } = await mas.sync();
-    if (!quiet) console.log(chalk.green(`Malware advisories sync complete. Added: ${added}, Updated: ${updated}, Total cached: ${total}`));
+    if (!quiet) process.stderr.write(chalk.green(`Malware advisories sync complete. Added: ${added}, Updated: ${updated}, Total cached: ${total}`) + "\n");
   }
 
   let malwareMatches: import("./malwareMatcher.js").MalwareMatch[] | undefined;
@@ -132,32 +132,32 @@ async function main() {
         if (matcher) {
           const { kept, ignored } = matcher.filter(malwareMatches);
           if (!argv.quiet) {
-            console.log(chalk.yellow(`Ignored ${ignored.length} malware match(es) via ignore file; ${kept.length} remaining.`));
+            process.stderr.write(chalk.yellow(`Ignored ${ignored.length} malware match(es) via ignore file; ${kept.length} remaining.`) + "\n");
           }
           malwareMatches = kept;
           // If writing SARIF we intentionally only report kept matches; optionally we could emit a log of ignored reasons.
         } else if (!argv.quiet) {
-          console.log(chalk.yellow(`Ignore file '${argv["ignore-file"]}' not found or failed to parse; proceeding without filtering.`));
+          process.stderr.write(chalk.yellow(`Ignore file '${argv["ignore-file"]}' not found or failed to parse; proceeding without filtering.`) + "\n");
         }
       } catch (e) {
         console.error(chalk.red(`Failed applying ignore file: ${(e as Error).message}`));
       }
     }
-    if (!quiet) console.log(chalk.magenta(`Malware matches found: ${malwareMatches?.length ?? 0}`));
+    if (!quiet) process.stderr.write(chalk.magenta(`Malware matches found: ${malwareMatches?.length ?? 0}`) + "\n");
     if (malwareMatches) {
       if (!quiet) {
         for (const m of malwareMatches) {
-          console.log(`${m.repo} :: ${m.purl} => ${m.advisoryGhsaId} (${m.vulnerableVersionRange ?? "(no range)"}) {advisory: ${m.reason}} ${m.advisoryPermalink}`);
+          process.stdout.write(`${m.repo} :: ${m.purl} => ${m.advisoryGhsaId} (${m.vulnerableVersionRange ?? "(no range)"}) {advisory: ${m.reason}} ${m.advisoryPermalink}\n`);
         }
       }
       if (argv.sarifDir) {
         const sarifMap = buildSarifPerRepo(malwareMatches, mas.getAdvisories());
         writeSarifFiles(argv.sarifDir as string, sarifMap);
         if (sarifMap.size === 0) {
-          if (!quiet) console.log(chalk.yellow("No SARIF files generated."));
+          if (!quiet) process.stderr.write(chalk.yellow("No SARIF files generated.") + "\n");
           return;
         }
-        if (!quiet) console.log(chalk.green(`Wrote SARIF for ${sarifMap.size} repos to ${argv.sarifDir}`));
+        if (!quiet) process.stderr.write(chalk.green(`Wrote SARIF for ${sarifMap.size} repos to ${argv.sarifDir}`) + "\n");
         if (argv.uploadSarif) {
           if (!token) console.error(chalk.red("Token required for SARIF upload"));
           else await uploadSarifPerRepo({ sarifDir: argv.sarifDir as string, matches: malwareMatches, advisories: mas.getAdvisories(), sboms, token, baseUrl: argv["base-url"] as string | undefined, caBundlePath: argv["ca-bundle"] as string | undefined });
@@ -167,19 +167,19 @@ async function main() {
   }
   // Incremental write now handled inside collector; retain legacy behavior only if user wants to force a re-write
   if (!quiet && argv.syncSboms && argv["sbom-cache"] && summary.repositoryCount === summary.skippedCount) {
-    console.log(chalk.blue("All repositories reused from cache (no new SBOM writes)."));
+    process.stderr.write(chalk.blue("All repositories reused from cache (no new SBOM writes).") + "\n");
   }
 
   const runSearch = (purls: string[]) => {
     const results = collector.searchByPurlsWithReasons(purls);
-    if (!quiet) console.log(chalk.magenta(`Search results for ${purls.length} purl(s):`));
+    if (!quiet) process.stderr.write(chalk.magenta(`Search results for ${purls.length} purl(s):`) + "\n");
     if (!results.size) {
-      if (!quiet) console.log("No matches.");
+      if (!quiet) process.stdout.write("No matches.\n");
       return;
     }
     for (const [repo, entries] of results.entries()) {
-      console.log(chalk.bold(repo));
-      for (const { purl, reason } of entries) console.log(`  - ${purl} {query: ${reason}}`);
+      process.stdout.write(chalk.bold(repo) + "\n");
+      for (const { purl, reason } of entries) process.stdout.write(`  - ${purl} {query: ${reason}}\n`);
     }
   };
   // Load queries from file if provided
@@ -193,7 +193,7 @@ async function main() {
         if (!line || line.startsWith("#")) continue;
         filePurls.push(line);
       }
-      if (filePurls.length && !quiet) console.log(chalk.cyan(`Loaded ${filePurls.length} PURL query(ies) from file`));
+      if (filePurls.length && !quiet) process.stderr.write(chalk.cyan(`Loaded ${filePurls.length} PURL query(ies) from file`) + "\n");
     } catch (e) {
       console.error(chalk.red(`Failed to read purl file: ${e instanceof Error ? e.message : String(e)}`));
       process.exit(1);
@@ -217,7 +217,7 @@ async function main() {
           if (malwareMatches) existing.malwareMatches = existing.malwareMatches || malwareMatches; // preserve if already set
           const payload = JSON.stringify(existing, null, 2) + "\n";
           fs.writeFileSync(argv.outputFile as string, payload, "utf8");
-          if (!quiet) console.log(chalk.green(`Wrote search JSON to ${argv.outputFile}`));
+          if (!quiet) process.stderr.write(chalk.green(`Wrote search JSON to ${argv.outputFile}`) + "\n");
         } catch (e) {
           console.error(chalk.red(`Failed to write output file: ${e instanceof Error ? e.message : String(e)}`));
           process.exit(1);
@@ -294,7 +294,7 @@ async function main() {
     if (argv.outFile) {
       try {
         fs.writeFileSync(argv.outFile as string, csvPayload, "utf8");
-        if (!quiet) console.log(chalk.green(`Wrote CSV to ${argv.outFile}`));
+        if (!quiet) process.stderr.write(chalk.green(`Wrote CSV to ${argv.outFile}`) + "\n");
       } catch (e) {
         console.error(chalk.red(`Failed to write CSV file: ${e instanceof Error ? e.message : String(e)}`));
         process.exit(1);
@@ -314,7 +314,7 @@ async function main() {
       }
       existing.malwareMatches = malwareMatches;
       fs.writeFileSync(argv.outputFile as string, JSON.stringify(existing, null, 2) + "\n", "utf8");
-      if (!quiet) console.log(chalk.green(`Wrote malware matches JSON to ${argv.outputFile}`));
+      if (!quiet) process.stderr.write(chalk.green(`Wrote malware matches JSON to ${argv.outputFile}`) + "\n");
     } catch (e) {
       console.error(chalk.red(`Failed to write malware matches to output file: ${e instanceof Error ? e.message : String(e)}`));
     }
@@ -324,8 +324,8 @@ async function main() {
     // Prefer readline for native shell history (arrow up/down) so users can edit previous queries.
     if (process.stdin.isTTY && process.stdout.isTTY) {
       if (!quiet) {
-        console.log(chalk.cyan("Interactive mode: enter PURL queries (supports semver ranges, wildcards, version ranges)."));
-        console.log(chalk.cyan("Tips: Use arrow keys for history. Blank line or Ctrl+C on empty prompt exits. Ctrl+C on a non-empty line clears it."));
+        process.stderr.write(chalk.cyan("Interactive mode: enter PURL queries (supports semver ranges, wildcards, version ranges).") + "\n");
+        process.stderr.write(chalk.cyan("Tips: Use arrow keys for history. Blank line or Ctrl+C on empty prompt exits. Ctrl+C on a non-empty line clears it.") + "\n");
       }
       const rl = readline.createInterface({
         input: process.stdin,

src/malwareMatcher.ts

@@ -334,11 +334,9 @@ export async function uploadSarifPerRepo(opts: {
         sarif: sarifB64,
         tool_name: our_tool_name
       });
-      // eslint-disable-next-line no-console
-      console.log(`Uploaded SARIF for ${repo}`);
+      process.stderr.write(`Uploaded SARIF for ${repo}\n`);
     } catch (e) {
-      // eslint-disable-next-line no-console
-      console.error(`Failed to upload SARIF for ${repo}: ${e instanceof Error ? e.message : String(e)}`);
+      process.stderr.write(`Failed to upload SARIF for ${repo}: ${e instanceof Error ? e.message : String(e)}\n`);
     }
   }
 }

src/sbomCollector.ts

@@ -98,7 +98,7 @@ export class SbomCollector {
       // find just the path for a single org, if given
       const loadPath = this.opts.org ? `${this.opts.loadFromDir}/${this.opts.org}` : this.opts.loadFromDir;
 
-      if (!this.opts.quiet) console.log(chalk.blue(`Loading SBOMs from cache at ${loadPath}`));
+      if (!this.opts.quiet) process.stderr.write(chalk.blue(`Loading SBOMs from cache at ${loadPath}`) + "\n");
 
       try {
         this.sboms = readAll(loadPath);
@@ -129,7 +129,7 @@ export class SbomCollector {
     }
 
     if (this.opts.enterprise && !this.opts.quiet) {
-      console.log(chalk.blue(`Getting list of organizations for enterprise ${this.opts.enterprise}`));
+      process.stderr.write(chalk.blue(`Getting list of organizations for enterprise ${this.opts.enterprise}`) + "\n");
     }
 
     const orgs = this.opts.org ? [this.opts.org] : await this.listEnterpriseOrgs(this.opts.enterprise!);
@@ -139,7 +139,7 @@ export class SbomCollector {
     const orgRepoMap: Record<string, { name: string; pushed_at?: string; updated_at?: string; default_branch?: string }[]> = {};
     let totalRepos = 0;
     for (const org of orgs) {
-      if (!this.opts.quiet) console.log(chalk.blue(`Listing repositories for org ${org}`));
+      if (!this.opts.quiet) process.stderr.write(chalk.blue(`Listing repositories for org ${org}`) + "\n");
       if (this.opts.lightDelayMs) await new Promise(r => setTimeout(r, this.opts.lightDelayMs));
       const repos = await this.listOrgRepos(org);
       orgRepoMap[org] = repos;
@@ -167,7 +167,7 @@ export class SbomCollector {
 
     for (const org of orgs) {
       if (!this.opts.showProgressBar && !this.opts.quiet) {
-        console.log(chalk.blue(`Collecting SBOMs for org ${org}`));
+        process.stderr.write(chalk.blue(`Collecting SBOMs for org ${org}`) + "\n");
       }
       const repos = orgRepoMap[org];
       const repoNames = new Set(repos.map(r => r.name));

src/test-fixture-match.ts

@@ -12,9 +12,9 @@ const cache = JSON.parse(fs.readFileSync(cachePath, "utf8"));
 const advisories: MalwareAdvisoryNode[] = cache.advisories;
 
 const matches = matchMalware(advisories, sboms);
-console.log("Matches:");
+process.stdout.write("Matches:\n");
 for (const m of matches) {
-  console.log(`${m.repo} => ${m.purl} matched advisory ${m.advisoryGhsaId} range ${m.vulnerableVersionRange}`);
+  process.stdout.write(`${m.repo} => ${m.purl} matched advisory ${m.advisoryGhsaId} range ${m.vulnerableVersionRange}\n`);
 }
 if (!matches.length) {
   console.error("No matches found - expected chalk 5.6.1");