Add a check to see if a vunerability above a certain severity is being ignored

[lewisdaly]

Hi @naugtur! Thanks for this tool you've built, we use it quite a bit at mojaloop.

We're currently looking for a way to limit the severity of vulnerabilities that can be ignored by developers. Say, for example, there are 2 vulnerabilities without fixes on a project, one is low and the other high. A developer may go and ignore both of those vulnerabilities to keep on working on their project, but we now have very little visibility into the severity of the vulnerabilities being ignored.

We want a way for our CI/CD tool to check if a developer has ignored a vulnerability above a certain severity, say high or critical, and either fail a build, or allow us to capture that information elsewhere.

Has this feature request come up before? I can think of a couple ways I'd implement it with wrappers around your tool, but I'm thinking it would be better to integrate into the npm-audit-resolver itself. I'm happy to spend some time contributing to this myself if you can help me get started.

[naugtur]

That's a great idea.
I'm in the process of a major rewrite with npm7 support and there's an opportunity to do this.

Resolve file has a field with rules. We could implement a rule to define lowest severity that can't be ignored and fail check if it's found.

I'll see if the branch I'm working on is in good shape and guide you in - most likely on Friday

[lewisdaly]

Great! Thanks @naugtur

[naugtur]

@lewisdaly I've created a branch with // TODO comments for you:
#50

For your first implementation I think you should hardcode the rule for severity level as I forgot to expose the getRules function from audit-resolve-core ;)

Let me know if this is helpful. We can jump into a live chat somewhere if you need more. Voice is also an option next week. I can barely speak today, hoping to get better.

[naugtur]

@lewisdaly Are you interested in coming back to this?

[naugtur]

@lewisdaly You interested in doing it? I'm finally going to set some time aside to finish v3 and release it as the main version, so you could still get that in.