Parse the result from Retire.js and present it as Azure DevOps warnings

Author: ThomasArdal

tasks/retire/index.js

@@ -8,7 +8,7 @@ async function run() {
         const failOnVulnerabilities = tl.getBoolInput('failOnVulnerabilities', false);
 
         // Construct the retire command
-        let command = 'retire --colors';
+        let command = 'retire --outputformat json';
 
         if (verbose) {
             command += ' --verbose';
@@ -24,16 +24,70 @@ async function run() {
 
         // Install Retire.js
         tl.debug('Installing Retire.js...');
-        await tl.exec('npm', ['install', '-g', 'retire']);
+        await tl.exec('npm', ['install', '-g', 'retire'], {silent: true});
 
-        // Run Retire.js
+        // Run Retire.js and capture output
         tl.debug(`Executing command: ${command}`);
-        await tl.exec('sh', ['-c', command]); // Use 'sh -c' for cross-platform compatibility
+        const result = tl.execSync('sh', ['-c', command], {silent: true});
 
-        tl.setResult(tl.TaskResult.Succeeded, 'Retire completed successfully');
+        const stdout = result.stdout?.toString() || '';
+        let hasRealVulnerabilities = false;
+
+        if (stdout.trim().startsWith('{')) {
+            try {
+                const parsed = JSON.parse(stdout);
+                const matches = parsed.data || [];
+
+                for (const entry of matches) {
+                    const file = entry.file;
+                    const results = Array.isArray(entry.results) ? entry.results : [];
+
+                    for (const vuln of results) {
+                        const vulnerabilities = Array.isArray(vuln.vulnerabilities) ? vuln.vulnerabilities : [];
+                        const hasVulns = vulnerabilities.length > 0;
+
+                        const component = vuln.component || 'unknown';
+                        const version = vuln.version || 'unknown';
+                        const identifiers = vuln.identifiers || {};
+                        const cves = identifiers.CVE?.join(', ') || 'None';
+                        const infoLinks = hasVulns
+                            ? vulnerabilities.flatMap(v => v.info || []).join(', ') || 'None'
+                            : 'None';
+                        const severity = (vulnerabilities.length > 0 && vulnerabilities[0].severity)
+                            ? vulnerabilities[0].severity
+                            : 'none';
+
+                        const message =
+`- Component: ${component}
+- Version: ${version}
+- File: ${file}
+- Severity: ${severity}
+- CVEs: ${cves}
+- Info: ${infoLinks}`;
+
+                        if (hasVulns) {
+                            hasRealVulnerabilities = true;
+                            tl.warning(`Vulnerable library found:\n${message}`);
+                        } else if (verbose) {
+                            console.log(`Library matched but no known vulnerabilities:\n${message}`);
+                        }
+                    }
+                }
+            } catch (err) {
+                tl.warning('Could not parse JSON output from Retire.js');
+            }
+        } else {
+            tl.warning('No JSON output detected from Retire.js');
+        }
+
+        if (hasRealVulnerabilities && failOnVulnerabilities) {
+            tl.setResult(tl.TaskResult.Failed, 'Vulnerabilities were found and failOnVulnerabilities is true.');
+        } else {
+            tl.setResult(tl.TaskResult.Succeeded, 'Retire completed successfully');
+        }
     } catch (err) {
         tl.setResult(tl.TaskResult.Failed, `Task failed: ${err.message}`);
     }
 }
 
-run();
+run();

tasks/retire/task.json

@@ -12,8 +12,8 @@
   "author": "elmah.io",
   "version": {
     "Major": 1,
-    "Minor": 0,
-    "Patch": 8
+    "Minor": 1,
+    "Patch": 20
   },
   "inputs": [
     {

vss-extension.json

@@ -3,7 +3,7 @@
   "id": "retire-extension",
   "name": "Retire.js",
   "publisher": "elmahio",
-  "version": "1.0.8",
+  "version": "1.1.20",
   "tags": [
     "javascript",
     "security",