fix: follow GHSA best practices for rate limiting (#370)

jeremylong · web-flow · commit a9498ed06677 · 2025-11-17T06:04:56.000-05:00
* fix: add out argument for GHSA command
Ensures banner, etc. are not in the JSON output

* build(deps): bump open-vulnerability-clients from 9.0.1 to 9.0.2

* build: bump release version
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -17,6 +17,7 @@ description = "A java CLI to call the NVD API"
 group = "io.github.jeremylong"
 
 repositories {
+    mavenLocal()
     mavenCentral()
     gradlePluginPortal()
 }
@@ -30,7 +31,7 @@ val commonsLang3Version by extra("3.17.0")
 
 dependencies {
     compileOnly("com.github.spotbugs:spotbugs-annotations:${spotbugs.toolVersion.get()}")
-    implementation("io.github.jeremylong:open-vulnerability-clients:9.0.0")
+    implementation("io.github.jeremylong:open-vulnerability-clients:9.0.2")
     implementation("info.picocli:picocli-spring-boot-starter:4.7.7")
     constraints {
         implementation("org.springframework.boot:spring-boot-starter:3.4.2")
diff --git a/gradle.properties b/gradle.properties
@@ -1 +1 @@
-version = 9.0.1
+version = 9.0.2
diff --git a/src/main/java/io/github/jeremylong/vulnz/cli/commands/GHSACommand.java b/src/main/java/io/github/jeremylong/vulnz/cli/commands/GHSACommand.java
@@ -36,6 +36,8 @@
 import org.springframework.stereotype.Component;
 import picocli.CommandLine;
 
+import java.io.FileOutputStream;
+import java.io.OutputStream;
 import java.time.ZonedDateTime;
 import java.util.Collection;
 import java.util.Objects;
@@ -66,6 +68,8 @@ public class GHSACommand extends AbstractJsonCommand {
     private String classifications;
     @CommandLine.Option(names = {"--interactive"}, description = "Displays a progress bar")
     private boolean interactive;
+    @CommandLine.Option(names = {"--out"}, description = "Output file path (writes to stdout if not specified)")
+    private String output;
     // yes - this should not be a string, but seriously down the call path the HttpClient
     // doesn't support passing a header in as a char[]...
     private String apiKey = null;
@@ -127,37 +131,41 @@ public Integer timedCall() throws Exception {
         objectMapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
 
         JsonFactory jfactory = objectMapper.getFactory();
-        JsonGenerator jsonOut = jfactory.createGenerator(System.out, JsonEncoding.UTF8);
-        if (isPrettyPrint()) {
-            jsonOut.useDefaultPrettyPrinter();
-        }
-
-        jsonOut.writeStartObject();
-        jsonOut.writeFieldName("advisories");
-        jsonOut.writeStartArray();
         BasicOutput output = new BasicOutput();
-        try (GitHubSecurityAdvisoryClient api = builder.build();
+        try (OutputStream outStream = (this.output != null) ? new FileOutputStream(this.output) : System.out;
+                JsonGenerator jsonOut = jfactory.createGenerator(outStream, JsonEncoding.UTF8);
+                GitHubSecurityAdvisoryClient api = builder.build();
                 IProgressMonitor monitor = new ProgressMonitor(interactive, "GHSA")) {
+            if (isPrettyPrint()) {
+                jsonOut.useDefaultPrettyPrinter();
+            }
+
+            jsonOut.writeStartObject();
+            jsonOut.writeFieldName("advisories");
+            jsonOut.writeStartArray();
+            LOG.debug("START: Requesting GHSA data");
             while (api.hasNext()) {
                 Collection<SecurityAdvisory> list = api.next();
+                LOG.debug("Retrieved {} GHSA records", (list != null) ? list.size() : 0);
                 if (list != null) {
                     output.setSuccess(true);
                     output.addCount(list.size());
                     for (SecurityAdvisory c : list) {
                         jsonOut.writeObject(c);
                     }
+                    jsonOut.flush();
                     monitor.updateProgress("GHSA", output.getCount(), api.getTotalAvailable());
                 } else {
                     output.setSuccess(false);
                     output.setReason(String.format("Received HTTP Status Code: %s", api.getLastStatusCode()));
                     break;
                 }
             }
+            LOG.debug("END: Requesting GHSA data");
             output.setLastModifiedDate(api.getLastUpdated());
             jsonOut.writeEndArray();
             jsonOut.writeObjectField("results", output);
             jsonOut.writeEndObject();
-            jsonOut.close();
 
             if (!output.isSuccess()) {
                 String msg = String.format("%nFAILED: %s", output.getReason());
