Automatic Jira creation
If we integrate Fortify with a bug tracker like Jira, is it possible to set up a configuration that creates a Jira for each issue found for an application-version without having to do it manually during triage? We would like to automate the creation of these Jiras, would it be possible through configuration?
Thank you very much
Out of the box I believe that the SSC Server with our JIRA plugin and the SSC Collaboration Module could support this, but it is primarily aimed at manual submission of the defects to JIRA, either individually or as a batch submission. The concern is that you would still want to audit the Issues in SSC to prioritize them before deciding which ones need to be submitted to JIRA. Also, each Project/Application container defined in SSC Server may use the same defect system connection, or differing ones, as you need and configure them.
There are ways to automate the Audit phase in SSC, including the use of Process Templates for assigning the Issues to SSC Users, and the free Audit Assistant feature. Audit Assistant must be enabled by your SSC Server admins, but it permits the SSC Issues to be submitted to our HPE Scan analytics site (metadata only) and that then auto-assigns the Analysis tag (Audit Status) for most if not all of the SSC Issues. This can save substantial time for that manual audit review process with a high level of confidence in the Analysis tags set.
The Audit Assistant process may be available to CLI via the included fortifyclient, FortifyBugTrackerUtility, or other included tools, so you might be able to run this automatically from your build system. Check our Fortify Ecosystem for any additional tools that might be there, https://marketplace.microfocus.com/fortify/category/all?product=Fortify&version=All%20versions&company=All%20companies.
Once your SSC Issues have been Audited, then they are ready to publish to your desired defect systems, e.g. JIRA. When a defect is submitted to a remote system, SSC will populate the defect with the following sort of information.
- Details that describe the type of issue uncovered
- Remediation guidance, with instructions on the action to take
- A link back to Software Security Center for complete issue details
This defect submission is largely manual in the user guides for SSC Server, but it can be automated as well. There was a speaker at the Protect 2016 conference who showed his own process using Jenkins to run the SSC Server's Report Generator from the CLI and then import the XML output from there into JIRA. That was not standard, but it shows the freedom of configuration the solution offers. I believe the JIRA plugin performs much of this for you, after configuration and testing.
Overall, it is not a good practice to dump all SCA findings directly into your defect tracking system without some form of auditing. This could overwhelm your developers with false positives, general noise, or uninteresting issues.
Please review all of the supporting documentation for SSC including its Install guide, User guide, and any others. Our Fortify Support team (support.fortify.com) may also be able to help clarify specific concerns you may run across.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Yeah, we would really like to have this feature as well.
After uploading a new artifact, if there were any NEW 'Critical' or 'High' issues discovered, we would like to automatically open a JIRA Task, already set for the Application Profile, to have the Security Engineering Dev. Contact(s) look at these issues.
We know we can do this manually via the Jira7 Bugtracker plugin - but now we're looking for another level of automation into this process.
Is it possible to file a JIRA Bug/Task using a REST API, and if so, an example curl command would be very helpful (including the payload). How can we update a field (bugURL, for example) for an existing issue using a REST API?
Any suggested assistance would be greatly appreciated.
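The pipeline sketched in the answer above (Report Generator XML from a build job, imported into JIRA) and the gate the follow-up asks for (only NEW Critical/High issues, and not ones already audited as false positives) can be combined in one small script. The example below is added here and is not Fortify, Micro Focus or forum code. The XML layout in SAMPLE_REPORT is a constructed, simplified stand-in, not the real Report Generator schema, so the element names are assumptions to be adapted to your report template; the Jira side uses the standard Jira REST API v2 create-issue endpoint (/rest/api/2/issue) with a {"fields": {...}} payload, and the host names and credentials are placeholders.

```python
"""Gate Fortify findings before filing them as Jira tasks.

Added example, not Fortify/Micro Focus code. The XML below is a constructed,
simplified stand-in for a Report Generator export; adapt the tag names to the
report template you actually use.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: four findings, only A1 should reach Jira.
SAMPLE_REPORT = """<?xml version="1.0"?>
<Report>
  <Issue id="A1" new="true">
    <Category>SQL Injection</Category><Severity>Critical</Severity>
    <Analysis>Exploitable</Analysis>
    <File>src/login.java</File><Line>42</Line>
    <Abstract>User input reaches a SQL query unparameterized.</Abstract>
    <Recommendation>Use prepared statements with bound parameters.</Recommendation>
    <Link>https://ssc.example.invalid/issue/A1</Link>
  </Issue>
  <Issue id="B2" new="true">
    <Category>Dead Code</Category><Severity>Low</Severity><Analysis></Analysis>
  </Issue>
  <Issue id="C3" new="true">
    <Category>Path Manipulation</Category><Severity>High</Severity>
    <Analysis>Not an Issue</Analysis>
  </Issue>
  <Issue id="D4" new="false">
    <Category>Hardcoded Password</Category><Severity>High</Severity>
    <Analysis>Exploitable</Analysis>
  </Issue>
</Report>
"""

FILE_SEVERITIES = {"Critical", "High"}          # threshold from the follow-up post
SUPPRESSED_TAGS = {"Not an Issue", "Suppressed"}  # audit outcomes that must not be filed


def parse_issues(xml_text):
    """Flatten each <Issue> element into a dict; missing children become ''."""
    issues = []
    for node in ET.fromstring(xml_text).findall("Issue"):
        def text(tag):
            el = node.find(tag)
            return (el.text or "").strip() if el is not None else ""
        issues.append({
            "id": node.get("id"), "new": node.get("new") == "true",
            "category": text("Category"), "severity": text("Severity"),
            "analysis": text("Analysis"), "file": text("File"),
            "line": text("Line"), "abstract": text("Abstract"),
            "recommendation": text("Recommendation"), "link": text("Link"),
        })
    return issues


def select_for_jira(issues):
    """Keep only NEW findings at/above the severity threshold that were not audited away."""
    return [i for i in issues
            if i["new"] and i["severity"] in FILE_SEVERITIES
            and i["analysis"] not in SUPPRESSED_TAGS]


def build_jira_payload(issue, project_key, issue_type="Task", assignee=None):
    """Jira REST v2 create-issue body carrying the three things SSC itself would add:
    a description of the issue, remediation guidance, and a link back to SSC."""
    description = (
        f"*Category:* {issue['category']}\n"
        f"*Location:* {issue['file']}:{issue['line']}\n\n"
        f"{issue['abstract']}\n\n"
        f"*Remediation:* {issue['recommendation']}\n\n"
        f"Full details in SSC: {issue['link']}"
    )
    fields = {
        "project": {"key": project_key},
        "summary": f"[Fortify] {issue['severity']}: {issue['category']} in {issue['file']}",
        "description": description,
        "issuetype": {"name": issue_type},
        "labels": ["fortify", issue["severity"].lower()],
    }
    if assignee:
        fields["assignee"] = {"name": assignee}
    return {"fields": fields}


def submit_to_jira(payload, jira_base_url, basic_auth_b64, dry_run=True):
    """POST the payload to Jira; with dry_run the request is built but not sent."""
    req = urllib.request.Request(
        f"{jira_base_url.rstrip('/')}/rest/api/2/issue",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {basic_auth_b64}"},
        method="POST")
    if dry_run:
        return {"dry_run": True, "url": req.full_url, "body": payload}
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def run(xml_text, project_key):
    """Full pipeline: parse, gate, and build one Jira payload per surviving finding."""
    return [build_jira_payload(i, project_key)
            for i in select_for_jira(parse_issues(xml_text))]


if __name__ == "__main__":
    for payload in run(SAMPLE_REPORT, "SEC"):
        print(json.dumps(submit_to_jira(payload, "https://jira.example.invalid", "PLACEHOLDER"), indent=2))
```

Run from the build job after the report is generated, with dry_run=False and a real base64 user:token once the payload looks right. The gate is the important part: of the four constructed findings, B2 is dropped for severity, C3 because an auditor marked it Not an Issue, and D4 because it is not new, which is exactly the noise the answer warns about pushing onto developers.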