Automatic Jira creation

Hi everyone!

If we integrate Fortify with a bug tracker like Jira, is it possible to set up a configuration that creates a Jira for each issue found for an application-version without having to do it manually during triage? We would like to automate the creation of these Jiras, would it be possible through configuration?

Thank you very much

Regards

Angel

  • Out of the box I believe that the SSC Server with our JIRA plugin and the SSC Collaboration Module could support this, but it is primarily aimed at manual submission of the defects to JIRA, either individually or as a batch submission.  The concern is that you would still want to audit the Issues in SSC to prioritize them before deciding which ones need to be submitted to JIRA.  Also, each Project/Application container defined in SSC Server may use the same defect system connection, or differing ones, as you need and configure them.

    There are ways to automate the Audit phase in SSC, including the use of Process Templates for assigning the Issues to SSC Users, and the free Audit Assistant feature.  Audit Assistant must be enabled by your SSC Server admins, but it permits the SSC Issues to be submitted to our HPE Scan analytics site (metadata only) and that then auto-assigns the Analysis tag (Audit Status) for most if not all of the SSC Issues.  This can save substantial time for that manual audit review process with a high level of confidence in the Analysis tags set.

    The Audit Assistant process may be available to CLI via the included fortifyclient, FortifyBugTrackerUtility, or other included tools, so you might be able to run this automatically from your build system.  Check our Fortify Ecosystem for any additional tools that might be there, https://marketplace.microfocus.com/fortify/category/all?product=Fortify&version=All versions&company=All companies.


    Once your SSC Issues have been Audited, then they are ready to publish to your desired defect systems, e.g. JIRA.  When a defect is submitted to a remote system, SSC will populate the defect with the following sort of information.

    • Details that describe the type of issue uncovered
    • Remediation guidance, with instructions on the action to take
    • A link back to Software Security Center for complete issue details

    This defect submission is largely manual in the user guides for SSC Server, but it can be automated as well.  There was a speaker at the Protect 2016 conference who showed his own process using Jenkins to run the SSC Server's Report Generator from CLI and then import the XML output from there into JIRA.  That was not standard, but shows the freedom of configuration the solution offers.  I believe the JIRA plugin performs much of this for you, after configuration and testing.

    Overall, it is not a good practice to dump all SCA findings directly into your defect tracking system without some form of auditing.  This could overwhelm your developers with false positives, general noise, or uninteresting issues.


    Please review all of the supporting documentation for SSC including its Install guide, User guide, and any others.  Our Fortify Support team (support.fortify.com) may also be able to help clarify specific concerns you may run across.

    • https://community.saas.hpe.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation
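As an added illustration (not from the original post and not Fortify's own tooling), a small Python script that applies the audit-before-submit rule described in the reply: it passes only issues that already carry a trusted Analysis tag and turns each into a Jira create-issue payload holding the three pieces of information listed above. The issue records, tag names, project key and URLs are constructed assumptions, and the actual POST to Jira is left to the caller.

```python
"""Audit-gated Jira submission: only SSC issues whose Analysis (audit) tag is
one we trust become Jira issue payloads; unaudited or "Not an Issue" findings
never reach the tracker."""

# Constructed sample of SSC issues (not real scan output). "analysis" holds the
# Analysis tag set during audit; None means the issue has not been audited yet.
SAMPLE_ISSUES = [
    {"instance_id": "A1", "category": "SQL Injection", "severity": "Critical",
     "analysis": "Exploitable",
     "abstract": "Untrusted input reaches a SQL statement without validation.",
     "recommendation": "Use parameterized queries for all database access.",
     "url": "https://ssc.example.invalid/html/ssc/issue/A1"},
    {"instance_id": "A2", "category": "Cross-Site Scripting", "severity": "High",
     "analysis": "Not an Issue",            # audited and dismissed: never submitted
     "abstract": "Output is already HTML-encoded by the template engine.",
     "recommendation": "No action required.",
     "url": "https://ssc.example.invalid/html/ssc/issue/A2"},
    {"instance_id": "A3", "category": "Path Manipulation", "severity": "High",
     "analysis": None,                      # not yet audited: held back
     "abstract": "A file path is built from a request parameter.",
     "recommendation": "Canonicalize and allow-list the path.",
     "url": "https://ssc.example.invalid/html/ssc/issue/A3"},
]

# Assumed Analysis tag values that an auditor has marked as worth a developer's time.
SUBMIT_TAGS = frozenset({"Exploitable", "Suspicious"})


def select_for_submission(issues, submit_tags=SUBMIT_TAGS):
    """Return only audited issues whose Analysis tag is in submit_tags."""
    return [i for i in issues if i.get("analysis") in submit_tags]


def build_jira_payload(issue, project_key):
    """Build a Jira REST create-issue body carrying the issue type details,
    remediation guidance and a link back to SSC."""
    description = (
        f"*Issue type:* {issue['category']} (severity {issue['severity']})\n"
        f"*Details:* {issue['abstract']}\n"
        f"*Remediation:* {issue['recommendation']}\n"
        f"*SSC link:* {issue['url']}"
    )
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[Fortify] {issue['category']} ({issue['instance_id']})",
        "description": description,
        # The instance id label lets a later run detect an already-filed issue.
        "labels": ["fortify", f"ssc-{issue['instance_id']}"],
    }}


def payloads_for(issues, project_key):
    """Gate on the audit tag, then build one payload per remaining issue."""
    return [build_jira_payload(i, project_key) for i in select_for_submission(issues)]
```

Each returned payload is the JSON body a POST to Jira's create-issue endpoint expects; running the gate first is what keeps the developers' queue free of unreviewed noise.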