By integrating Netsparker Cloud with JIRA you can have the vulnerabilities that were identified during a web application security scan automatically sent to JIRA, as issues.
This type of integration in Netsparker Cloud is called Endpoint Integration. Out-of-the-box integration with GitHub, TFS and other workflow services will be available shortly.
Configuring the Endpoint Integration with JIRA
Introduction to the Test Setup
For this example we will use two websites and two different JIRA projects, to highlight how you can configure multiple integrations with JIRA.
The first website is a PHP website, for which we have a Kanban Project on JIRA. For this website, we will configure the integration in a way that all vulnerabilities with Medium or higher severity are automatically created in JIRA.
The second website is an ASP website, for which we have a Scrum Project on JIRA. For this website, we will configure the integration in a way that all vulnerabilities with Important or higher severity are automatically created in JIRA.
Configuring the JIRA Integration
To configure the integration with JIRA:
- Click on Notifications > New Integration entry from the left-hand sidebar menu.
- Click on Integrate JIRA, which is shown in the below screenshot.
- Fill in the project details, such as Name, URL, username, password and issue type as shown in the below screenshot. Additional details about every setting are available by hovering the mouse over the tooltip icon.
- Once ready click Save to save the connection settings.
- At this stage, you can also test the integration by clicking Create Sample Issue. If the issue is created successfully you will be notified with the issue number, as seen in the below screenshot.
- Click on the issue number to open the issue in a new browser tab window.
To add additional JIRA projects, simply repeat the instructions above; this is how we add the ASP project as well.
Managing JIRA Integrations
Once you have configured the JIRA integrations you can see them by clicking on the Notifications > Manage Integrations item in the left-hand sidebar menu. As seen in the below screenshot we have two configured integrations.
Use the available buttons to clone, edit or delete an existing integration.
Configuring the Automatic Sending of Vulnerabilities to JIRA
Now that the integrations for both the projects are configured we need to configure the Notifications. The Notifications will allow us to configure the vulnerability rules, so when vulnerabilities with a specific severity are detected on a website, they are sent to the respective project on JIRA.
Note: Notifications can also be used to automatically send Email and SMS alerts when vulnerabilities are identified on the target website.
Configuring a Notification to Send Vulnerabilities into JIRA
In this example, we will only configure a notification for the PHP project. The steps for creating a notification for the ASP project are the same. To create a new notification:
- Navigate to the Notifications > New Notification entry from the left-hand sidebar menu.
- As per the screenshot below, fill in and configure:
  - A name for the notification
  - The event when it should occur (in our case when the scan is finished)
  - The lowest severity the vulnerability should have for it to be sent to JIRA
  - The scope (in our case we just have one website)
  - The Website
  - The Integration Endpoint (in our case we have the JIRA - Kanban project)
- Click Save when ready.
You should be able to see the configured notifications when configuring a scan for that target. For example, in the screenshot below we can see that any Critical, Important or Medium severity vulnerabilities found once a scan is completed will be sent to the JIRA - Kanban Project.
Reviewing the Scan Results & Imported Vulnerabilities
Once you configure the JIRA integration, a new Send To button is added to every reported vulnerability in the scan results. Clicking this button gives you the option to send the vulnerability to any of the integrated JIRA projects. If the vulnerability was already automatically created in JIRA, you will be alerted of the issue number, as seen in the below screenshot.
In this example, all the vulnerabilities in this scan with Medium or higher severity have already been automatically sent to JIRA. Simply click on the issue number shown in the drop-down menu to open the vulnerability details saved in JIRA in a new browser tab.
Sending Vulnerabilities Manually to JIRA
To manually send a vulnerability to JIRA, for example, to import an issue with an Information severity, click the Send To button and select the JIRA project from the drop down menu. Once the issue is imported you will be notified by Netsparker Cloud, including the issue number, as shown in the below screenshot.
Sending Multiple Issues Manually to JIRA
If you would like to send multiple issues to JIRA at the same time, highlight those issues in the list and use the Send To button in the top right-hand corner to select the JIRA project to which you would like to send them.
Note: If you send an issue that was already sent by someone else, or created automatically in JIRA, Netsparker Cloud will not create a duplicate entry.
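The notification rules (website scope, lowest severity, integration endpoint), the manual Send To path and the no-duplicate behaviour described above, modelled as an added example that is not Netsparker Cloud's own code. The severity ordering, the hostnames and the issue-number format are assumptions for the example.

```python
from collections import namedtuple
# Severity scale assumed here, most severe first. The page names Critical,
# Important, Medium and Information; Low is an assumed position in between.
SEVERITY_ORDER = ["Critical", "Important", "Medium", "Low", "Information"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

def meets_threshold(severity, lowest):
    return RANK[severity] <= RANK[lowest]  # smaller rank = more severe

Vulnerability = namedtuple("Vulnerability", "vid website severity")
# A notification rule: website scope, lowest severity to send, JIRA endpoint name.
Notification = namedtuple("Notification", "website lowest_severity endpoint")

class JiraSender:
    """Models Send To: at most one JIRA issue per (vulnerability, endpoint)."""
    def __init__(self):
        self.issues = {}   # (vid, endpoint) -> constructed issue number
        self.history = []  # (vid, endpoint, user), like the issue history log
    def send(self, vuln, endpoint, user):
        key = (vuln.vid, endpoint)
        if key in self.issues:                 # already created: no duplicate
            return self.issues[key], False
        issue = f"{endpoint}#{len(self.issues) + 1}"  # placeholder issue number
        self.issues[key] = issue
        self.history.append((vuln.vid, endpoint, user))
        return issue, True
    def on_scan_finished(self, findings, rules):
        """Automatic path: matching rules fire as user 'System' after a scan."""
        created = []
        for rule in rules:
            for v in findings:
                if v.website == rule.website and meets_threshold(v.severity, rule.lowest_severity):
                    issue, is_new = self.send(v, rule.endpoint, "System")
                    if is_new: created.append(issue)
        return created

def run_example():
    # Constructed findings for the page's two example websites (hostnames assumed).
    findings = [Vulnerability("v1", "php.example", "Critical"),
                Vulnerability("v2", "php.example", "Medium"),
                Vulnerability("v3", "php.example", "Information"),
                Vulnerability("v4", "asp.example", "Medium"),
                Vulnerability("v5", "asp.example", "Important")]
    rules = [Notification("php.example", "Medium", "JIRA - Kanban"),
             Notification("asp.example", "Important", "JIRA - Scrum")]
    sender = JiraSender()
    auto = sender.on_scan_finished(findings, rules)                      # v1, v2, v5
    sender.send(findings[2], "JIRA - Kanban", "Jira User")               # manual: v3
    _, is_new = sender.send(findings[0], "JIRA - Kanban", "Jira User")   # repeat of v1
    return sender, auto, is_new
```

The asp Medium finding (v4) stays unsent because that project's threshold is Important, and re-sending v1 returns the existing issue number instead of creating a second one.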
For more detailed information on managing issues in Netsparker Cloud refer to Using the Netsparker Cloud Issue Tracking System.
Tracking and Logs of Issues Sent to JIRA
When a vulnerability is sent to JIRA, a record in the issue’s history is also created, as shown in the below screenshot.
Note that in the above screenshot there are two records related to the JIRA integration. One of them was sent manually by a user, which is why the username Jira User is reported. The other log entry was generated when the issue was automatically sent to JIRA through the Notification we created before, so in that case the user System is reported.