Overview
Xray's integration with Atlassian's Jira Software is a powerful feature that enables the automatic creation of Jira tickets based on Xray identified security threats violations. As DevOps teams are already familiar with the workflow and user experience of Jira, this integration makes it easy to handle Xray detections. Once configured, Policy violations will appear as notifications in Jira, allowing your team to know where the violations are found, how to prioritize them, and take immediate action to resolve them.
|
How Does it Work?
Prerequisites
As a Jira admin, you must have the following information:
| You must have Jira Admin permissions to be able to connect Jira to Xray. For the Jira-related steps, refer to Atlassian Jira Documentation . |
- The supported authentication type should be one of OAuth1, OAuth2, or Basic Authentication.
- User credentials depend on the authentication type.
- Jira Project Name.
- Issue type (bug, security, escalation, etc).
- Jira labels (optional).
- Custom Field Mapping (optional).
Step 1 Creating a Jira Connection Profile
Connect Jira to Xray through the Xray interface using one of the supported authentication methods. Navigate to Administration > Xray Security & Compliance > Integrations > Jira Integration and select New Jira Integration.
- OAuth1
- OAuth2
- Basic Auth
| Xray Self Hosted | Xray Cloud | |
|---|---|---|
Jira On-Prem |
|
Note: This configuration is not recommended, as it would require allowing inbound connections to your local Jira instance. |
Jira Cloud |
|
|
Connecting Jira to Xray Using OAuth1
In Xray:
Define the following fields in the Xray Jira Integration:
Field
Description
Consumer Key
The consumer key that is provided in Jira when linking applications.
Jira server URL
The URL of your Jira deployment.
Generate a public key that you will define in your Jira.
In Jira:
Paste the generated Public Key you copied from the Xray interface.
Connecting Jira to Xray Using OAuth2
In Atlassian:
Required scope permissions
Read:issue-type:jira Read:project:jira Read:project.property:jira Read:user:jira Read:application-role:jira Read:avatar:jira Read:group:jira Read:issue-type-hierarchy:jira Read:project-category:jira Read:project-version:jira Read:project.component:jira Read:field:jira Read:field-configuration:jira Read:issue-meta:jira Write:issue:jira Write:comment:jira Write:comment.property:jira Write:attachment:jira Read:issue:jira Read:label:jira |
From the Developer Console of Atlassian, create an OAUTH2 Integration. Specify the callback URL as the JFrog server URL, such as:
https://artifactory:8082/xray/api/v1/ticketing/integrations/callback
In the Authentication details section, copy the Client ID and secret. You will use these in the Xray interface.
In Xray:
Define the following fields in the Xray Jira Integration:
Field | Description |
|---|---|
Client ID | The client ID you obtained from the Atlassian OAUTH2 integration. |
Client Secret | The client secret you obtained from the Atlassian OAUTH2 integration. |
Connecting Jira to Xray Using Basic Authentication
Define the following fields in the Xray Jira Integration:
Field | Description |
|---|---|
Username | The username you use for Jira authentication. |
Password | The password you use for Jira authentication. |
Installation Type | Type of installation of your Jira instance, Cloud or On-Prem |
Jira Server URL | URL of the Jira deployment. |
Ensure to test connectivity between Xray and Jira by clicking the Test Jira Connectivity button before proceeding to the next step. |
Step 2 Creating a Jira Configuration Profile
After successfully completing the connection between Jira and Xray, you need to create a Jira Configuration profile. As there are different Jira projects for different teams, the configuration profile enables you to define specific criteria for the issued Jira ticket per Jira project, such as labels and custom mappings defined in the Jira project.
Note the following:
|
As each violation creates a new Jira ticket, you might have multiple Jira tickets for the same violation in different versions of the Build, Release Bundle, or package. You can choose to only have one Jira ticket for the violation, by eliminating duplicate Jira tickets. If unchecked, multiple Jira tickets will be created for the same violation in all Builds, Release Bundles, and Packages.
List of Available Custom Fields
| Custom Field | Type |
|---|---|
| Xray_Impacted_Artifact | Text |
| Xray_Package_Type | Text |
| Xray_Vulnerability_Id | Text |
| Xray_Violation_Type | Text |
| Xray_Severity | Text |
| Xray_Severity_Source | Text |
| Xray_JFrog_Research_Severity | Text |
| Xray_CVEs | Text |
| Xray_CVSS_V2_Vector | Text |
| Xray_CVSS_V3_Vector | Text |
| Xray_CVSS_V2_Score | Text |
| Xray_CVSS_V3_Score | Text |
| Xray_Fix_Version | Text |
| Xray_Watch_Name | Text |
| Xray_Policy_Name | Text |
| Xray_Triggered_Rule | Text |
| Xray_Component_License_Id | Text |
| Xray_Created_Date | Text |
Xray Entities Custom Fields
List of Available Xray Labels
| Label | Type |
|---|---|
| Xray_Impacted_Artifact | Text |
| Xray_Impacted_Component | Text |
| Xray_Package_Type | Text |
| Xray_Vulnerability_Id | Text |
| Xray_Violation_Type | Text |
| Xray_Severity | Text |
| Xray_JFrog_Research_Severity | Text |
| Xray_CVEs | Text |
| Xray_CVSS_V2_Score | Text |
| Xray_CVSS_V3_Score | Text |
| Xray_Watch_Name | Text |
| Xray_Policy_Name | Text |
| Xray_Triggered_Rule | Text |
| Xray_Component_License_Id | Text |
Custom Fields and Labels in the Jira Issue
Step 3 Configuring the Policy Rules
Enable the Jira ticket creation in the Policy rules. In Policy > Policy Rules > Automatic Actions, select the Create Jira Ticket checkbox to trigger the creation of Jira tickets when violations are found that match the rule you defined in the Policy.
Step 4 Configuring the Watch with the Jira Configuration Profile
Attach the Jira Configuration Profile to the Watch that contains all of your Policies. In Watches > Watch settings select the Enable Jira Ticket Creation checkbox and from the drop-down list select the relevant Jira Configuration Profile. The Jira tickets that are triggered will contain the configurations you defined in the selected configuration profile.
Viewing Created Jira Tickets
Violations Report
When generating a Violations Report, the created Jira tickets appear in the details of each violation.
Jira Ticket
These are examples of the generated Jira tickets:
Security Violation
License Violation
REST API Support
You can enable Jira ticket creation using the following REST APIs: