A setup for managing vulnerabilities in Jira that automates the creation and closing of Jira tickets based on scan reports.
Must have (issue type):
- One issue type named "Vulnerability", used for creating Jira issues.
Must have (workflow statuses):
- Open
- Auto Closed (Custom)
As JQL does not support exact matching on short text fields (and 'Finding Source' is one of them), do not use similar 'Finding Source' names. For example, if you have the two 'Finding Source' values 'Trivy' and 'Trivy-SCA', a run triggered for 'Trivy' will also affect the 'Trivy-SCA' issues. You have been warned!
Use 'Finding Source':
- 'SomeScanner'
Avoid:
- 'Some Scanner'
- 'Some_Scanner'
- 'Some-Scanner'
If an issue has been 'Closed' or 'Auto Closed' and a finding with the same digest still exists in the report, the existing 'Closed' or 'Auto Closed' issue will be re-opened.
The Jira reporting tool supports a custom file format known as VULN JSON, or vJSON for short. The expected file format is:

```json
{
  "format": "vjson",
  "results": [
    {
      "summary": "PATH_TRAVERSAL_IN - This API (java/io/File.<init>(...",
      "description": [
        "This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input\n",
        "A file is opened to read its content. The filename comes from an input parameter.\nIf an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled\nby the user. If that is the case, the reported instance is a false positive.\nFor further information, please visit https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN\n",
        "Affected artifact(s):\nsrc/main/java/com/org_name/module/config/SomeConfig.java - sslConfig = sslConfig.pemFile(new File(somePath)); (Line: 84)"
      ],
      "cve_id": "PATH_TRAVERSAL_IN",
      "raw_severity": "Critical"
    },
    {
      ...
    }
  ]
}
```
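The following is an added example, not code from the reporting tool itself. It ties together the three rules above: it rejects 'Finding Source' names that would collide under JQL's non-exact matching, parses and validates a vJSON report, and decides per finding whether a Jira issue should be created, re-opened (when a 'Closed' or 'Auto Closed' issue with the same digest exists) or left alone. The digest recipe (SHA-256 over source, cve_id, summary and description), the `existing` mapping of digest to status, and the extra "auto_close" action for open issues absent from the report are assumptions of this example, not the tool's own behaviour; the sample report is constructed from the format shown above.

```python
"""Added example: vJSON parsing plus create / reopen / skip / auto-close planning.
The digest recipe and the shape of the `existing` records are assumptions."""
import hashlib
import json
import re

# Constructed sample report in the vJSON shape documented above.
SAMPLE_VJSON = json.dumps({
    "format": "vjson",
    "results": [
        {
            "summary": "PATH_TRAVERSAL_IN - This API (java/io/File.<init>(...",
            "description": [
                "This API reads a file whose location might be specified by user input\n",
                "Affected artifact(s):\nsrc/main/java/com/org_name/module/config/SomeConfig.java (Line: 84)",
            ],
            "cve_id": "PATH_TRAVERSAL_IN",
            "raw_severity": "Critical",
        }
    ],
})

REQUIRED_FIELDS = ("summary", "description", "cve_id", "raw_severity")
# Both closed states named in the README are eligible for re-opening.
CLOSED_STATES = {"Closed", "Auto Closed"}


def is_valid_finding_source(name: str) -> bool:
    """True only for alphanumeric names: spaces, '_' and '-' make one source's
    JQL text match bleed into another (e.g. 'Trivy' matching 'Trivy-SCA')."""
    return re.fullmatch(r"[A-Za-z0-9]+", name) is not None


def load_vjson(text: str) -> list:
    """Parse a vJSON document and return its list of result entries,
    raising ValueError on any structural problem."""
    data = json.loads(text)
    if data.get("format") != "vjson":
        raise ValueError("not a vJSON report: 'format' must be 'vjson'")
    results = data.get("results")
    if not isinstance(results, list):
        raise ValueError("'results' must be a list")
    for i, entry in enumerate(results):
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            raise ValueError(f"result {i} is missing fields {missing}")
        if not isinstance(entry["description"], list):
            raise ValueError(f"result {i}: 'description' must be a list of strings")
    return results


def finding_digest(finding: dict, source: str) -> str:
    """Assumed stable identity for a finding: SHA-256 over the Finding Source,
    cve_id, summary and the joined description (which carries the affected
    artifact and line), so the same finding at the same place re-hashes equally."""
    material = "\x00".join([
        source,
        finding["cve_id"],
        finding["summary"],
        "".join(finding["description"]),
    ])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def plan_actions(findings: list, source: str, existing: dict) -> list:
    """Decide what to do for each finding against `existing`, an assumed
    mapping {digest: Jira status} of issues already filed for this source.
    Returns (action, digest) tuples: create, reopen, skip, or auto_close."""
    actions = []
    seen = set()
    for finding in findings:
        digest = finding_digest(finding, source)
        seen.add(digest)
        status = existing.get(digest)
        if status is None:
            actions.append(("create", digest))
        elif status in CLOSED_STATES:
            actions.append(("reopen", digest))  # finding came back: re-open
        else:
            actions.append(("skip", digest))    # already open, nothing to do
    # Open issues whose finding no longer appears in the report get auto-closed.
    for digest, status in existing.items():
        if digest not in seen and status == "Open":
            actions.append(("auto_close", digest))
    return actions


if __name__ == "__main__":
    source = "SpotBugs"
    assert is_valid_finding_source(source)
    report = load_vjson(SAMPLE_VJSON)
    for action, digest in plan_actions(report, source, {}):
        print(action, digest)
```

Run the file directly to see the planned actions for the constructed report against an empty Jira; feed `plan_actions` the real digest-to-status map pulled from your Jira project to drive ticket creation and closing.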