Retirejs needs a way to exclude false positives from the use of alternative, patched versions of libraries #493

@wyhaines

Description

Is your feature request related to a problem? Please describe.

There is a version of jquery, 1.12.4, that has several active CVEs which apply to it. However, Adobe maintains a patched version of this, 1.12.4-aem, that is not vulnerable for these CVEs. Retirejs doesn't see the distinction, though, and thus returns false positives if a site uses 1.12.4-aem.

Describe the solution you'd like

Retirejs needs to have the concept of an exclusion list -- a list of versions that are false positives, and that should be removed from the result set.

Describe alternatives you've considered

The alternative is to implement a local exclusion list, to cleanse the retirejs output before using it.

Additional context

I have provided a PR that implements this feature, with tests: #492
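The alternative the post mentions, a local exclusion list applied to retire.js output before it is consumed, written out as an added example. This is not code from the issue, from PR #492, or from retire.js itself. The report shape is an assumption modelled on retire.js's JSON output format (a `data` array of per-file entries, each with `results` carrying `component`, `version` and `vulnerabilities`); the exclusion entries, file paths and the CVE placeholder are constructed. The point worth noticing is that the match is on the exact version string, so the patched `1.12.4-aem` build is dropped while an unpatched `1.12.4` in the same report is still reported.

```javascript
// Added example (not part of retire.js or PR #492): post-filter a retire.js
// JSON report against a local exclusion list of known-patched builds.
// ASSUMPTION: report shape is modelled on retire.js JSON output; check it
// against the version you actually run before relying on this.

// Exclusion list: component + the exact version string retire.js reports.
// Entries are constructed for this example.
const EXCLUSIONS = [
  {
    component: "jquery",
    version: "1.12.4-aem",
    reason: "Adobe-patched build; the CVEs filed against 1.12.4 do not apply",
  },
];

// Exact string comparison on purpose: a semver-style "starts with 1.12.4"
// match would silently suppress findings for the unpatched 1.12.4 too.
function isExcluded(result, exclusions = EXCLUSIONS) {
  return exclusions.some(
    (e) => e.component === result.component && e.version === result.version
  );
}

// Returns a new report (the input is not mutated) plus a count of removed
// findings, so the suppression is visible in the tool's own output.
function filterReport(report, exclusions = EXCLUSIONS) {
  let removed = 0;
  const data = report.data
    .map((entry) => {
      const kept = entry.results.filter((r) => {
        if (isExcluded(r, exclusions)) {
          removed += 1;
          return false;
        }
        return true;
      });
      return { ...entry, results: kept };
    })
    // Drop files whose every finding was excluded.
    .filter((entry) => entry.results.length > 0);
  return { report: { ...report, data }, removed };
}

// Constructed sample report with both cases from the issue: the patched AEM
// build and a plain 1.12.4. Identifiers are placeholders, not real CVE ids.
const SAMPLE_REPORT = {
  version: "PLACEHOLDER-retire-version",
  data: [
    {
      file: "/site/etc/clientlibs/jquery-1.12.4-aem.min.js",
      results: [
        {
          component: "jquery",
          version: "1.12.4-aem",
          vulnerabilities: [
            { severity: "medium", identifiers: { CVE: ["CVE-PLACEHOLDER"] } },
          ],
        },
      ],
    },
    {
      file: "/site/vendor/jquery.min.js",
      results: [
        {
          component: "jquery",
          version: "1.12.4",
          vulnerabilities: [
            { severity: "medium", identifiers: { CVE: ["CVE-PLACEHOLDER"] } },
          ],
        },
      ],
    },
  ],
};

// Stand-alone run: print what survived and how many findings were suppressed.
const filtered = filterReport(SAMPLE_REPORT);
console.log(
  `suppressed ${filtered.removed} finding(s); remaining files:`,
  filtered.report.data.map((e) => `${e.file} (${e.results[0].version})`)
);
```

In a pipeline this sits between `retire --outputformat json --outputpath report.json` and whatever consumes the report; keeping the `removed` count in the log makes it obvious when an exclusion entry starts matching more than intended.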
