Include unused suppression rules in output report

[gtaylor1981]

The UnusedSuppressionRuleAnalyzer is very useful but unfortunately its output is buried in the build output.
Ideally, we would have zero suppressions that we did not need.

Would it instead be possible to include each failed suppression in the output report, e.g. as failed testcases?
This would be opt-in, with a setting like report-unused-suppressions-as-failures.

Alternatives (such as using grep on the build output) aren't as clean, e.g. they might fail if the logged message changes.
They would also have to be implemented in each build script we have.

The proposed solution would just need enabling in the options, then would automatically be compatible with our existing usage.

A bonus feature could also be that active suppression rules (i.e. those that are not unused) could be listed as successful testcases, making it possible to see all suppressions as part of the output, regardless of whether they were unused or not.

[aikebah]

Suppression rules' usage are in my view not a proper part of the report. The report should concern the vulnerabilities encountered.

Successful suppression rules' effects are already in the output (succesfully suppressed vulns are reported as skipped tests).

What I could envision to address your initial concern (proliferation of obsolete suppressions) would be a configuration-flag to opt-in on breaking the build on unused suppressions.

[danshome]

I like the idea of being able to break the build if you have unused suppression rules. +1 for me.