AppCheck supports integrating with Jira Cloud instances using version 2 of their REST API.
It may be possible to complete the setup with an on-premises Jira instance, but this is not officially supported.
If you have purchased Jira integration you will find some additional settings in both your organisation settings (the Settings button in the menu bar) and your scan settings.
You will need to be an administrator user to access the organisation settings. If the Integrations section is still missing for you please raise a ticket with AppCheck Support.
You will need to configure Jira integration for your organisation before you are able to configure it for individual scans.
Configuring Jira Integration for Your Organisation
Basic Settings
This section describes the basic settings you will need to provide to enable JIRA integration and explains what each is used for and how to ascertain the correct value.
Incoming webhook base URL
If provided, AppCheck will validate that each incoming webhook came from this domain. If the domains do not match, the webhook will be rejected.
Webhook token
Secret token that forms part of the URL for receiving webhooks in AppCheck. This is unique for you so keep this token safe.
User email address
Login email for JIRA. It is recommended to use a dedicated user for webhooks.
User password
The Jira API token for this user, supplied in place of a password.
JIRA Instance URL
The URL to the JIRA instance.
JIRA Project Key
Project key for the board in JIRA.
Default JIRA Issue Type
Often "Task". This is the template used to create new issues.
Advanced Settings
JIRA "Fixed" state ID
ID of the state in JIRA that should correspond to a vulnerability's "Fixed" status in AppCheck
JIRA "Acceptable Risk" state ID
ID of the state in JIRA that should correspond to a vulnerability's "Acceptable Risk" status in AppCheck
JIRA "False Positive" state ID
ID of the state in JIRA that should correspond to a vulnerability's "False Positive" status in AppCheck
JIRA "Unfixed" state ID
ID of the state in JIRA that should correspond to a vulnerability's "Unfixed" status in AppCheck
JIRA high priority ID
ID of the priority in JIRA that should correspond to a vulnerability's CVSS severity of "High"
JIRA medium priority ID
ID of the priority in JIRA that should correspond to a vulnerability's CVSS severity of "Medium"
JIRA low priority ID
ID of the priority in JIRA that should correspond to a vulnerability's CVSS severity of "Low"
Customising Jira IDs for Priority and Status
Leaving these as their default values can cause workflow issues when syncing data between JIRA and AppCheck. This is caused by multiple AppCheck vulnerability statuses mapping to the default "Done" state in JIRA (ID 41). For example, you may mark a vulnerability as False Positive in AppCheck only for it to be set back to Fixed, since both statuses map to the same JIRA status ID.
If the defaults are interfering with JIRA workflows it is recommended to update the defaults with your own values to make a 1-to-1 mapping of AppCheck statuses to JIRA statuses/priorities.
Finding Jira IDs
This step requires some knowledge of XML and JSON to be able to find the correct data.
To find the IDs of JIRA statuses you will need to be logged into JIRA and have an issue within the project that AppCheck will be using. The issue must be within the same project as the IDs differ between projects (you can create a new issue now if required, it won't affect the integration).
Priorities
- Navigate to https://[Your Jira instance root URL]/rest/api/2/priority, e.g. https://example.jira.com/rest/api/2/priority. This will load some JSON data in your browser.
- For each AppCheck status ("High", "Medium", and "Low") do the following:
  - Find the name of the Jira priority you want to use in the data.
  - Look for the "id" field next to this name (usually directly above or below it, at the same indentation level).
  - Add this value to the integration settings page in the relevant field.
- Save the data.
Statuses
- Find the ID of an existing issue within the project. The issue ID may be in the URL. It takes the format XX-YYYY, where XX is the project key, and should be the last part of the URL: /jira/software/c/projects/JT/issues/XX-YYYY
  If the issue ID is NOT there you can do the following:
  - Navigate to an issue on the project board in question.
  - Click the more options menu, next to the share button.
  - Select "Export XML". This should open a new tab with an XML document.
  - Locate the XML key at "rss > channel > item > key".
  - Copy the value "XX-YYYY" (XX should be the key code for the JIRA project board).
- Navigate to https://[Your Jira instance root URL]/rest/api/2/issue/[issue-ID]/transitions.
- This will load some JSON data in your browser (it should be formatted correctly; if not, you can paste the output into a JSON formatter like https://jsonformatter.org/).
- For each of the AppCheck statuses ("Fixed", "Acceptable Risk", "False Positive", "Unfixed") do the following:
  - Locate the "name" key for the status, e.g. "To Do".
  - There should be an "id" field above this (or at the same indentation level if it is not above).
  - Add this ID to the integration settings page in the relevant field.
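As an added example (not part of the AppCheck article or product), the Python below does the two lookups above against saved copies of the /rest/api/2/priority and /rest/api/2/issue/[issue-ID]/transitions responses and flags the clash described under Customising Jira IDs: two AppCheck statuses pointing at one Jira ID. The JSON samples, their names and IDs, and the function names are constructed assumptions shaped like those endpoints' output.

```python
import json
from collections import Counter

# Constructed sample shaped like the list that /rest/api/2/priority returns.
PRIORITY_JSON = json.dumps([
    {"id": "1", "name": "Highest"},
    {"id": "2", "name": "High"},
    {"id": "3", "name": "Medium"},
    {"id": "4", "name": "Low"},
])

# Constructed sample shaped like /rest/api/2/issue/<issue-ID>/transitions.
# IDs follow the default-workflow convention the article uses ("Done" is 41).
TRANSITIONS_JSON = json.dumps({"transitions": [
    {"id": "11", "name": "To Do"},
    {"id": "21", "name": "In Progress"},
    {"id": "31", "name": "Risk Accepted"},
    {"id": "41", "name": "Done"},
    {"id": "51", "name": "False Positive"},
]})


def ids_by_name(payload, list_key=None):
    """Return {name: id} from a priority (bare list) or transitions (keyed) response."""
    data = json.loads(payload)
    items = data[list_key] if list_key else data
    return {item["name"]: str(item["id"]) for item in items}


def map_appcheck_to_jira(wanted, jira_ids):
    """wanted maps an AppCheck status/severity to the Jira name chosen for it.
    Returns {appcheck_status: jira_id}; fails loudly if a Jira name is absent."""
    mapping = {}
    for appcheck_name, jira_name in wanted.items():
        if jira_name not in jira_ids:
            raise KeyError(f"Jira has no entry named {jira_name!r}")
        mapping[appcheck_name] = jira_ids[jira_name]
    return mapping


def duplicate_targets(mapping):
    """Jira IDs shared by more than one AppCheck status: the sync clash to avoid."""
    counts = Counter(mapping.values())
    return {jid: [k for k, v in mapping.items() if v == jid]
            for jid, n in counts.items() if n > 1}


if __name__ == "__main__":
    transitions = ids_by_name(TRANSITIONS_JSON, "transitions")
    # A default-style mapping sends two AppCheck statuses to "Done" (41) and is flagged.
    print(duplicate_targets(map_appcheck_to_jira(
        {"Fixed": "Done", "False Positive": "Done", "Acceptable Risk": "Risk Accepted",
         "Unfixed": "To Do"}, transitions)))
```

Pasting the values returned by map_appcheck_to_jira into the Advanced Settings fields gives the 1-to-1 mapping the article recommends once duplicate_targets returns an empty dict.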