Synchronizing your results with JIRA
The JIRA Sync Add On allows you to synchronize a JIRA project with Tinfoil Security's scan reports. We will seamlessly create, update, and resolve issues in your JIRA project as scans run, allowing you to easily share results with your team and keep your present bug tracking workflow.
JIRA versions 6 and below are currently supported. If you would like to use this add on with another version, please contact us!
Credentials and Picking a User
To get started, you need to pick a user for JIRA Sync to authenticate as. The JIRA Sync Add On will have full read/write access as this user; we highly recommend creating a new user and adding access only to the project you wish to synchronize.
At a minimum, this user will need to be able to read, create, modify, and resolve issues in the project you wish to synchronize. By default, the user can be listed under project roles "Users" and "Developers" to have the necessary privileges, although your JIRA install may differ slightly.
You will need to input the username and password for this user on the Tinfoil Add On configuration page. Currently OAuth login is not supported -- it does not provide any access boundaries and gives full administration control of the JIRA install.
The JIRA Project
The user you picked previously will need to have access to a JIRA project to synchronize. This project may be general-purpose and does not need to be Tinfoil-specific; issues not managed by Tinfoil will not be modified by the JIRA Sync Add On. For example, for a JIRA project accessed at "https://jira.example.com/projects/WEBSITE" you will need to input the Project URL as "https://jira.example.com" and the Project Name as "WEBSITE".
As Tinfoil Security scans finish, issues found will be synchronized into the JIRA project. These issues will contain information on what was found and how to fix the issue. More information can be found on the report page. When a rescan confirms an issue is fixed, the corresponding JIRA issue will be marked as resolved. If the issue reappears in a future scan, it will be reopened.
At the bottom there will be a TINFOILSECURITY line. Please do not remove or modify this line as it contains the necessary information for synchronization between the Tinfoil Security and JIRA systems.
If your project has been customized to have different settings than the JIRA defaults, you may wish to customize some of the JIRA Sync Add On advanced options to ensure proper synchronization.
- Issue Type: This must match a valid issue type in the JIRA project. By default, it is set to "Bug".
- Vulnerability Severities: Tinfoil Security classifies vulnerabilities into 4 categories:
These values must match valid issue severities in the JIRA project. By default, these values are Critical, Major, Minor, and Trivial. A JIRA project severity may be reused for different Tinfoil severities.
- Open Issue Statuses: These values must contain valid JIRA statuses in the JIRA project for issues that should be considered Open or Active. The JIRA user must be able to open an issue at one of these statuses. A transition in the JIRA project must exist between one of these statuses and a status in the Closed Issue Statuses.
- Closed Issue Statuses: These values must contain valid JIRA statuses in the JIRA project for issues that should be considered Resolved or Closed. A transition in the JIRA project must exist between one of these statuses and a status in the Open Issue Statuses.
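
The rules for the advanced options above can be checked offline before saving the configuration. The following is an added example, not Tinfoil Security's code: PROJECT and CONFIG are constructed sample data in a hypothetical layout (not a JIRA API response), and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data; this dict layout is hypothetical, not a JIRA API response.
PROJECT = {
    "issue_types": {"Bug", "Task"},
    "severities": {"Critical", "Major", "Minor", "Trivial"},
    "statuses": {"Open", "In Progress", "Reopened", "Resolved", "Closed"},
    "create_statuses": {"Open"},  # statuses the sync user can create an issue in
    "transitions": {("Open", "Resolved"), ("In Progress", "Resolved"),
                    ("Resolved", "Reopened"), ("Closed", "Reopened")},
}
CONFIG = {
    "issue_type": "Bug",
    # One JIRA severity per Tinfoil category; reusing a value is allowed.
    "severities": ["Critical", "Major", "Minor", "Minor"],
    "open_statuses": ["Open", "In Progress", "Reopened"],
    "closed_statuses": ["Resolved", "Closed"],
}

def split_project_url(url):
    """Split a browser URL into the Project URL and Project Name fields."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[-2] != "projects":
        raise ValueError("expected .../projects/<NAME>")
    return f"{parts.scheme}://{parts.netloc}", segments[-1]

def validate(config, project):
    """Return a list of problems; an empty list means every rule holds."""
    problems = []
    if config["issue_type"] not in project["issue_types"]:
        problems.append("issue type not in project")
    if len(config["severities"]) != 4:
        problems.append("need one JIRA severity per Tinfoil category (4)")
    for sev in sorted(set(config["severities"]) - project["severities"]):
        problems.append(f"severity {sev!r} not in project")
    open_s, closed_s = set(config["open_statuses"]), set(config["closed_statuses"])
    for status in sorted((open_s | closed_s) - project["statuses"]):
        problems.append(f"status {status!r} not in project")
    if not open_s & project["create_statuses"]:
        problems.append("user cannot open an issue in any open status")
    moves = project["transitions"]
    if not any((o, c) in moves for o in open_s for c in closed_s):
        problems.append("no transition from an open to a closed status")
    if not any((c, o) in moves for c in closed_s for o in open_s):
        problems.append("no transition from a closed to an open status")
    return problems

if __name__ == "__main__":
    print(split_project_url("https://jira.example.com/projects/WEBSITE"))
    print(validate(CONFIG, PROJECT) or "configuration looks consistent")
```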