From bd66f76f8e87aa009760198cae45c2cc1bd57ac5 Mon Sep 17 00:00:00 2001
From: Hector M Lugo-Cordero
Date: Thu, 23 Apr 2020 20:49:34 -0400
Subject: [PATCH 1/2] Added support for severity. Vulnerabilities with less severity than specified dont cause grunt task to fail. Not passing a severity in configuration keeps the former behavior of the task (i.e., any vulnerability triggers failure).
---
 tasks/retire.js | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/tasks/retire.js b/tasks/retire.js
index 3fc0d9b..293083c 100644
--- a/tasks/retire.js
+++ b/tasks/retire.js
@@ -25,6 +25,16 @@ module.exports = function (grunt) {
 var output = {};
 var scanedFile;
+ var levels = {
+ 'none': 0,
+ 'critical': 1,
+ 'high': 2,
+ 'medium': 3,
+ 'low': 4,
+ 'all': 9999
+ };
+ var severity = 0;
+
 function taskVulnLogger(msg) {
 var keyValue;
 keyValue = scanedFile.slice(scanedFile.lastIndexOf('/') + 1);
@@ -54,6 +64,12 @@ module.exports = function (grunt) {
 });
 var logger = log(options);
+ // get numeric rank for severity
+ severity = levels['all'];
+ if('severity' in options) {
+ severity = levels[options.severity];
+ }
+
 if (!options.nocache) {
 options.cachedir = path.resolve(os.tmpdir(), '.retire-cache/');
 }
@@ -95,9 +111,17 @@ module.exports = function (grunt) {
 // log (verbose) options before hooking in the reporter
 grunt.verbose.writeflags(options, 'Options');
+ vulnsFound = false; // required to throw proper grunt error
 scanner.on('vulnerable-dependency-found', function(e) {
- vulnsFound = true;
+ e.results.forEach(function(result) {
+ result.vulnerabilities.forEach(function(vulnerability) {
+ var sev = vulnerability.severity;
+ if(levels[sev] <= severity) {
+ vulnsFound = vulnsFound | true;
+ }
+ });
+ });
 });
 var events = [];
 function once(name, fun) {
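Review bot: The `levels` table is ranked the opposite way its names suggest — a lower number is more severe, and the third hunk fails the task when `levels[sev] <= severity` — but nothing in the table says so. Add a comment above `var levels = {`, e.g. `// severity rank: lower is more severe; a finding fails the task when its rank <= the configured threshold ('none' = 0 fails nothing, 'all' fails everything)`. `var severity = 0;` is overwritten before use in the second hunk, so an initial value equal to `levels['none']` is misleading; initializing it to `levels['all']` would make the declared default match the documented one. The enclosing `module.exports` function starts before this hunk.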
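Review bot: `severity = levels[options.severity];` fails open on an unrecognized value: a misspelled or differently cased threshold such as `'High'` yields `undefined`, every `levels[sev] <= severity` comparison in the third hunk is then false, and the task passes with vulnerabilities present and no message explaining why. Reject unknown values before they reach the scanner, e.g. `if(!Object.prototype.hasOwnProperty.call(levels, options.severity)) {` / `grunt.fail.warn('Unknown severity: ' + options.severity + '; expected one of ' + Object.keys(levels).join(', '));` / `}` placed inside the `'severity' in options` branch. `'severity' in options` also matches an explicit `severity: undefined`, which that check would catch as well. The enclosing task function starts before this hunk and continues after it.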
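Review bot: A finding whose `severity` is missing or not a key of `levels` no longer fails the task, because `levels[sev]` is `undefined` and `undefined <= severity` is false for every threshold including the default `'all'`; the commit message says the default keeps the former any-finding-fails behavior, but this path drops it. Resolve the rank with a fail-closed fallback, e.g. `var rank = Object.prototype.hasOwnProperty.call(levels, sev) ? levels[sev] : levels.critical;` / `if(rank <= severity) {` / `vulnsFound = true;`, which still ignores everything under `'none'`; this assumes retire's severity strings match the table's keys, which the hunk does not show. `vulnsFound = vulnsFound | true;` is a bitwise OR that stores the number 1 rather than a boolean; the plain assignment is what is meant. The enclosing task function starts before this hunk and continues after `function once(name, fun) {`.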
@@ -185,7 +209,14 @@ module.exports = function (grunt) {
 once('retire-done', function() {
 if(!vulnsFound){
- grunt.log.writeln("No vulnerabilities found.");
+ if(!options.severity) {
+ grunt.log.writeln('No vulnerabilities found.');
+ }
+ else if(options.severity === 'none') {
+ grunt.log.writeln('Vulnerabilities ignored with severity set to none.');
+ } else {
+ grunt.log.writeln("No " + options.severity + " vulnerabilities found.");
+ }
 }
 events.forEach(function(e) {
 grunt.event.removeAllListeners(e);
From 399c9c7b2ebf4108e8160bfe3a13306b537e4294 Mon Sep 17 00:00:00 2001
From: Hector M Lugo-Cordero
Date: Thu, 23 Apr 2020 20:52:20 -0400
Subject: [PATCH 2/2] Updated documentation
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 85a8ced..43c8adc 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Example configuration below shows default option values and the correct syntax t
 js: ['app/src/*.js'], /** Which js-files to scan. **/
 node: ['node'], /** Which node directories to scan (containing package.json). **/
 options: {
+ severity: 'all', //accepted values are all, none, low, medium, high, critical
 proxy: 'http://something.something:8080',
 verbose: true,
 packageOnly: true,
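Review bot: With `severity: 'all'` set explicitly — the value the README hunk in the second patch documents as the default — the last branch prints `No all vulnerabilities found.`, and for any other threshold `No high vulnerabilities found.` reads as if only that one level were checked, whereas the third hunk of this patch fails on that level or more severe. Fold `'all'` into the first branch and name the threshold, e.g. `if(!options.severity || options.severity === 'all') {` and `grunt.log.writeln('No vulnerabilities of severity ' + options.severity + ' or higher found.');`. The added branches also mix double- and single-quoted strings; the other added lines use single quotes. The `once('retire-done', ...)` callback continues past the end of the hunk.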