The sourceanalyzer is run as part of a Jenkins pipeline job. The scan job in the pipeline uploads the fpr file to Fortify SSC. There is a need to log in to SSC to view the result, even when there may not be any new issues. We are thinking of notifying the security team of the status of the scan without having to log in to Fortify SSC. Below is the proposed approach:
1. After the new fpr file is generated, download the previously analyzed result from SSC.
2. Merge the two fpr files. Does the FPRUtility return any status code indicating new issues? We would like to use this status to notify developers about the scan result.
Has anyone done something similar in their org? Greatly appreciate any pointers on how to achieve this.
Thanks in advance!!