We should have a downstream QA test that tests that custom rulesets that filter out vulnerabilities works correctly.