I would like to include upstream SSC results in local SCA scans to address the following issue:
1. We use Fortify SCA to scan for source code vulnerabilities and upload the report to SSC.
2. SSC processes the artifact and uses our custom issue template and categorizes critical/high vulnerabilities.
4. For example, if there are 3 high vulnerabilities, our issue template decides one of them is not a high vulnerability and downgrades it to a Low one.
5. We mark one of the high vulnerabilities as "Not an issue" and now only one high vulnerability needs to be fixed.
5. We scan the codebase locally next time and when we look for high vulnerabilities, the local fpr reports them as 3.
6. We have already marked 2 of them accordingly as not High in SSC and would like to include the upstream SSC results with the local artifact.
7. When upstream SSC results are included in the local FPR, we would like to see only one high vulnerability in the local FPR as the other 2 are downgraded/marked in SSC.
I am interested to know how this can be achieved.
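One way to carry the SSC audit state into a fresh local scan, as an added example and not part of the original post: pull the audited FPR for the application version down from SSC with fortifyclient, then merge it into the local FPR with FPRUtility so the audit data (analysis tags such as "Not an issue", comments, custom tags) lands on the matching local issues. The tool names are Fortify's own; the exact flags, the environment variable names and the primary/source roles of the two FPRs are assumptions that should be checked against the installed version's documentation.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Merges the audited SSC artifact
# into a local Fortify SCA scan so the local FPR reflects upstream audit state.
# Flags for fortifyclient / FPRUtility are assumptions; verify against
# `fortifyclient -help` and `FPRUtility -help` for the installed release.

# Fetch the current audited FPR for an application version from SSC.
# SSC_URL and SSC_TOKEN are assumed environment variable names holding the
# SSC base URL and a fortifyclient-capable auth token.
download_upstream_fpr() {
    app="$1"; version="$2"; out="$3"
    if [ -z "$app" ] || [ -z "$version" ] || [ -z "$out" ]; then
        echo "usage: download_upstream_fpr <application> <version> <out.fpr>" >&2
        return 2
    fi
    fortifyclient downloadFPR -url "$SSC_URL" -authtoken "$SSC_TOKEN" \
        -application "$app" -applicationVersion "$version" -file "$out"
}

# Merge the SSC artifact into the local scan. Assumption: -project is the
# primary FPR whose findings are kept (the fresh local scan) and -source is
# the FPR whose audit information is applied to matching issues (SSC copy).
# Issues the template routed to a lower folder and issues audited as
# "Not an issue" therefore no longer appear as open highs in the merged FPR.
merge_with_upstream() {
    local_fpr="$1"; upstream_fpr="$2"; merged="$3"
    if [ ! -f "$local_fpr" ] || [ ! -f "$upstream_fpr" ] || [ -z "$merged" ]; then
        echo "usage: merge_with_upstream <local.fpr> <upstream.fpr> <merged.fpr>" >&2
        return 2
    fi
    FPRUtility -merge -project "$local_fpr" -source "$upstream_fpr" -f "$merged"
}

# Typical run after a local scan (APP and VERSION are placeholders):
#   download_upstream_fpr "$APP" "$VERSION" upstream.fpr
#   merge_with_upstream local.fpr upstream.fpr merged.fpr
# Open merged.fpr in Audit Workbench (or upload it) to review the remaining
# high issue with the upstream audit state applied.
```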