feat(audit): add filtering by severity level (#6716)

**Summary**

Adds a `--level` flag to the `audit` command allowing to filter the audit output by severity greater than or equal to the provided value which can be (info, low, moderate, high or critical).

fixes #6668

CHANGELOG.md

@@ -4,6 +4,10 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 
 ## Master
 
+- Implements `yarn audit --level [severity]` flag to filter the audit command's output.
+
+[#6716](https://github.com/yarnpkg/yarn/pull/6716) - [**Rogério Vicente**](https://twitter.com/rogeriopvl)
+
 - Implements `yarn audit --groups group_name [group_name ...]`.
 
   [#6724](https://github.com/yarnpkg/yarn/pull/6724) - [**Tom Milligan**](https://github.com/tommilligan)

__tests__/commands/audit.js

@@ -214,6 +214,20 @@ test('audit groups only devDependencies omits dependencies from requires', () =>
   });
 });
 
+test('calls reporter auditAdvisory when using --level high flag', () => {
+  return runAudit([], {level: 'high'}, 'single-vulnerable-dep-installed', (config, reporter) => {
+    const apiResponse = getAuditResponse(config);
+    expect(reporter.auditAdvisory).toBeCalledWith(apiResponse.actions[0].resolves[0], apiResponse.advisories['118']);
+  });
+});
+
+test(`doesn't call reporter auditAdvisory when using --level critical flag`, () => {
+  return runAudit([], {level: 'critical'}, 'single-vulnerable-dep-installed', (config, reporter) => {
+    getAuditResponse(config);
+    expect(reporter.auditAdvisory).not.toHaveBeenCalled();
+  });
+});
+
 test('calls reporter auditAdvisory with correct data', () => {
   return runAudit([], {}, 'single-vulnerable-dep-installed', (config, reporter) => {
     const apiResponse = getAuditResponse(config);

src/cli/commands/audit.js

@@ -18,6 +18,7 @@ const gzip = promisify(zlib.gzip);
 
 export type AuditOptions = {
   groups: Array<string>,
+  level?: string,
 };
 
 export type AuditNode = {
@@ -127,14 +128,24 @@ export function setFlags(commander: Object) {
     groups => groups.split(' '),
     OWNED_DEPENDENCY_TYPES,
   );
+  commander.option(
+    '--level <severity>',
+    `Only print advisories with severity greater than or equal to one of the following: \
+    info|low|moderate|high|critical. Default: info`,
+    'info',
+  );
 }
 
 export function hasWrapper(commander: Object, args: Array<string>): boolean {
   return true;
 }
 
 export async function run(config: Config, reporter: Reporter, flags: Object, args: Array<string>): Promise<number> {
-  const audit = new Audit(config, reporter, {groups: flags.groups || OWNED_DEPENDENCY_TYPES});
+  const DEFAULT_LOG_LEVEL = 'info';
+  const audit = new Audit(config, reporter, {
+    groups: flags.groups || OWNED_DEPENDENCY_TYPES,
+    level: flags.level || DEFAULT_LOG_LEVEL,
+  });
   const lockfile = await Lockfile.fromDirectory(config.lockfileFolder, reporter);
   const install = new Install({}, config, reporter, lockfile);
   const {manifest, requests, patterns, workspaceLayout} = await install.fetchRequestFromCwd();
@@ -167,6 +178,8 @@ export async function run(config: Config, reporter: Reporter, flags: Object, arg
 }
 
 export default class Audit {
+  severityLevels = ['info', 'low', 'moderate', 'high', 'critical'];
+
   constructor(config: Config, reporter: Reporter, options: AuditOptions) {
     this.config = config;
     this.reporter = reporter;
@@ -292,9 +305,14 @@ export default class Audit {
       return;
     }
 
+    const startLoggingAt: number = Math.max(0, this.severityLevels.indexOf(this.options.level));
+
     const reportAdvisory = (resolution: AuditResolution) => {
       const advisory = this.auditData.advisories[resolution.id.toString()];
-      this.reporter.auditAdvisory(resolution, advisory);
+
+      if (this.severityLevels.indexOf(advisory.severity) >= startLoggingAt) {
+        this.reporter.auditAdvisory(resolution, advisory);
+      }
     };
 
     if (Object.keys(this.auditData.advisories).length !== 0) {