Security Information

This module allows third-party providers to send security information to Jira.

When security information is sent, it will be presented in the Security feature of Jira Software and on the right side of the Jira issue view.

This module also provides actions to be called by Jira.

Security information is written/deleted via REST. This API is part of the Jira Software REST documentation.

Information in the module key and name is not considered private, so these fields should not contain sensitive or personally identifiable information.

When a user uninstalls an app, all the data that the app sent to Jira is deleted. If the app is reinstalled, this data won't be added back unless the app resends historical information to Jira.

Example

{
  "modules": {
    "jiraSecurityInfoProvider": {
      "homeUrl": "https://mysecurityprovider.com",
      "logoUrl": "https://mysecurityprovider.com/images/logo.svg",
      "documentationUrl": "https://mysecurityprovider.com/docs/jira-integration",
      "actions": {
        "fetchWorkspaces": {
          "templateUrl": "https://mysecurityprovider.com/workspaces"
        },
        "fetchContainers": {
          "templateUrl": "https://mysecurityprovider.com/containers"
        },
        "searchContainers": {
          "templateUrl": "https://mysecurityprovider.com/containers/search"
        },
        "onEntityAssociated": {
          "templateUrl": "https://mysecurityprovider.com/containers/onentityassociated"
        },
        "onEntityDisassociated": {
          "templateUrl": "https://mysecurityprovider.com/containers/onentitydisassociated"
        }
      },
      "name": {
        "value": "My Security Provider"
      },
      "key": "security-integration"
    }
  }
}

Properties

homeUrl
Type
Format
uri
Required
Yes
Description

URL to the provider's homepage.


key
Type
Max length
100
Required
Yes
Pattern
^[a-zA-Z0-9-]+$
Description

A key to identify this module.

This key must be unique relative to the add-on, with the exception of Confluence macros: their keys need to be globally unique.

Keys must only contain alphanumeric characters and dashes.

The key is used to generate the URL to your add-on's module. The URL is generated as a combination of your add-on key and module key. For example, an add-on which looks like:

{
    "key": "my-addon",
    "modules": {
        "configurePage": {
            "key": "configure-me"
        }
    }
}

Will have a configuration page module with a URL of /plugins/servlet/ac/my-addon/configure-me.


name
Type
Required
Yes
Description

A human readable name.

Represents a string that can be resolved via a localization properties file. You can use the same i18n Property key and value in multiple places if you like, but identical keys must have identical values.

Example

{
  "value": "My text"
}

Properties

value
Type
Max length
1500
Required
Yes
Description

The human-readable default value. This will be used if no translation exists. Only the following HTML tags are supported: b, i, strong, em, and code.

i18n
Type
Max length
300
Description

The localization key for the human-readable value. Translations for the keys are defined at the top level of the add-on descriptor.


actions
Type
Description

Required actions to hydrate security workspace and container data.

Security Information actions that can be performed by Jira users.

Each action is optional (unless indicated otherwise). The absence of an action indicates that the action is not supported by the provider.

Properties

fetchContainers
Type
Required
Yes
Description

Action for fetching security containers by IDs.

Example request

The templateUrl property of this action will receive a POST request when this action is invoked. The container IDs to be fetched will be included in the body.

 {
   "ids": ["XXXX", "YYYY"]
 }
 

Example response

 {
   "containers": [
     {
       // Identifier of the security container which will be used to hydrate container details. This should be in this regex format: [a-zA-Z0-9\\-_.~@:{}=]+(/[a-zA-Z0-9\\-_.~@:{}=]+)*.
       id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b/target/111-222-333",
       // Human readable name of the container
       name: "my-container-name",
       // Url allowing Jira to link directly to the provider's container
       url: "https://my.security.provider.com/f730ce9c-3442-4f8a-93a4-a44f3b35c46b/container/f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
       // Url providing the avatar for the container.
       avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png",
       // The date and time this container was last scanned/updated
       lastUpdatedDate: "2022-01-19T23:27:25+00:00"
     }
   ]
 }
 

fetchWorkspaces
Type
Required
Yes
Description

Action for fetching security workspaces by IDs.

Example request

The templateUrl property of this action will receive a POST request when this action is invoked. The workspace IDs to be fetched will be included in the body.

 {
   "ids": ["XXXX", "YYYY"]
 }
 

Example response

 {
   "workspaces": [
     {
       // Identifier of the security workspace which will be used to hydrate workspace details
       id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
       // Human readable name of the workspace
       name: "economy-security-scanning",
       // Url allowing Jira to link directly to the provider's workspace
       url: "https://my.security.provider.com/org/f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
       // Url providing the avatar for the workspace.
       avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png"
     }
   ]
 }
 

searchContainers
Type
Required
Yes
Description

Action for showing any partial or full matches using a search on the security container name for a given workspace.

Example request

The templateUrl property of this action will receive a GET request with workspaceId and searchQuery query params when this action is invoked.

 "https://my.security.provider.com/containers/search?workspaceId=12345&searchQuery=my-container-name"
 

Example response

 {
   "containers": [
     {
       // Identifier of the security container which will be used to hydrate container details. This should be in this regex format: [a-zA-Z0-9\\-_.~@:{}=]+(/[a-zA-Z0-9\\-_.~@:{}=]+)*.
       id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b/target/111-222-333",
       // Human readable name of the container
       name: "my-container-name",
       // Url allowing Jira to link directly to the provider's container
       url: "https://my.security.provider.com/f730ce9c-3442-4f8a-93a4-a44f3b35c46b/container/f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
       // Url providing the avatar for the container.
       avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png",
       // The date and time this container was last scanned/updated
       lastUpdatedDate: "2022-01-19T23:27:25+00:00"
     }
   ]
 }

onEntityAssociated
Type
Description

Action to notify the security provider when a vulnerability has been associated with a Jira issue.

Example request

The templateUrl property of this action will receive a PUT request when this action is invoked. The entity.id is the provider's external ID.

 {
   "entity": {
     // The vulnerability's Atlassian Resource Identifier (ARI). This should be in the format: ari:cloud:jira:{siteId}:vulnerability/activation/{activationId}/{vulnerabilityId}
     "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:vulnerability/activation/111-222-333/111111",
     // The vulnerability identifier provided by the provider
     "id": "1234"
   },
   "associatedWith": {
     // The Jira issue's Atlassian Type Identifier (ATI)
     "ati": "ati:cloud:jira:issue",
     // The ARI of the Jira issue that gets associated with the vulnerability. This should be in the format: ari:cloud:jira:{siteId}:issue/{issueId}
     "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:issue/1234",
     // The siteId
     "cloudId": "f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
     // The Jira issue identifier
     "id": "1234"
   }
 }
 

onEntityDisassociated
Type
Description

Action to notify the security provider when a vulnerability has its association removed from a Jira issue.

Example request

The templateUrl property of this action will receive a PUT request when this action is invoked. The entity.id is the provider's external ID.

 {
   "entity": {
     // The vulnerability's Atlassian Resource Identifier (ARI). This should be in the format: ari:cloud:jira:{siteId}:vulnerability/activation/{activationId}/{vulnerabilityId}
     "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:vulnerability/activation/111-222-333/111111",
     // The vulnerability identifier provided by the provider
     "id": "1234"
   },
   "disassociatedFrom": {
     // The Jira issue's Atlassian Type Identifier (ATI)
     "ati": "ati:cloud:jira:issue",
     // The ARI of the Jira issue that gets disassociated from the vulnerability. This should be in the format: ari:cloud:jira:{siteId}:issue/{issueId}
     "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:issue/1234",
     // The siteId
     "cloudId": "f730ce9c-3442-4f8a-93a4-a44f3b35c46b",
     // The Jira issue identifier
     "id": "1234"
   }
 }
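
A provider-side check for the onEntityAssociated and onEntityDisassociated request bodies shown above, written as an added example (not Atlassian's code). The helper name parseAssociationEvent is hypothetical, and the code assumes ARI segments contain no ':' or '/' and that the IDs arrive as strings, as in the examples.

```javascript
// Added example, not Atlassian code. Assumption: ARI segments contain no ':' or '/'.
const SEG = "([^:/]+)";
const VULN_ARI = new RegExp(
  `^ari:cloud:jira:${SEG}:vulnerability/activation/${SEG}/${SEG}$`);
const ISSUE_ARI = new RegExp(`^ari:cloud:jira:${SEG}:issue/${SEG}$`);
const ISSUE_ATI = "ati:cloud:jira:issue";

// parseAssociationEvent is a hypothetical helper name.
function parseAssociationEvent(body) {
  const fail = (msg) => { throw new Error(`invalid association event: ${msg}`); };
  if (body === null || typeof body !== "object") fail("body is not an object");

  // An event is either an association or a disassociation, never both.
  const hasAssoc = "associatedWith" in body;
  const hasDisassoc = "disassociatedFrom" in body;
  if (hasAssoc === hasDisassoc) fail("need exactly one of associatedWith/disassociatedFrom");
  const target = hasAssoc ? body.associatedWith : body.disassociatedFrom;
  const entity = body.entity;

  if (!entity || typeof entity.ari !== "string" || typeof entity.id !== "string") {
    fail("entity.ari and entity.id must be strings");
  }
  if (!target || typeof target.ari !== "string") fail("issue ari must be a string");
  if (target.ati !== ISSUE_ATI) fail("ati is not the Jira issue type");

  const vuln = VULN_ARI.exec(entity.ari);
  if (!vuln) fail("entity.ari is not a vulnerability ARI");
  const issue = ISSUE_ARI.exec(target.ari);
  if (!issue) fail("issue ari is not an issue ARI");

  // Cross-field checks: the site and issue named inside the ARIs must agree
  // with the separate cloudId and id fields before anything is stored.
  const [, vulnSite, activationId, vulnerabilityId] = vuln;
  const [, issueSite, issueId] = issue;
  if (vulnSite !== issueSite) fail("vulnerability and issue are on different sites");
  if (target.cloudId !== issueSite) fail("cloudId does not match the ARI siteId");
  if (target.id !== issueId) fail("id does not match the ARI issueId");

  return {
    action: hasAssoc ? "associated" : "disassociated",
    siteId: issueSite, activationId, vulnerabilityId, issueId,
    providerVulnerabilityId: entity.id, // the provider's external ID
  };
}
```

Rejecting a body whose fields disagree keeps a malformed or tampered notification from linking a vulnerability to an issue on another site.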
 


documentationUrl
Type
Format
uri
Description

Optional URL to documentation about the provider's Jira integration.


logoUrl
Type
Format
uri
Description

Optional URL to the provider's logo, which will be displayed in the UI.
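
A pre-publish lint for the jiraSecurityInfoProvider module, applying the constraints listed in the Properties sections above (key pattern and length, name.value length and supported tags, required URLs and actions). This is an added example, not part of the Atlassian documentation; lintSecurityModule and isUri are hypothetical helpers, and "Format: uri" is approximated with the WHATWG URL parser.

```javascript
// Added example, not Atlassian code; lintSecurityModule is a hypothetical helper.
const REQUIRED_ACTIONS = ["fetchContainers", "fetchWorkspaces", "searchContainers"];
const OPTIONAL_ACTIONS = ["onEntityAssociated", "onEntityDisassociated"];
const ALLOWED_TAGS = new Set(["b", "i", "strong", "em", "code"]);

// Approximates "Format: uri" with the WHATWG URL parser (an assumption).
function isUri(value) {
  if (typeof value !== "string") return false;
  try { new URL(value); return true; } catch { return false; }
}

function lintSecurityModule(mod) {
  const problems = [];
  if (typeof mod.key !== "string" || !/^[a-zA-Z0-9-]+$/.test(mod.key)) {
    problems.push("key: must match ^[a-zA-Z0-9-]+$");
  } else if (mod.key.length > 100) {
    problems.push("key: longer than 100 characters");
  }
  const name = mod.name || {};
  if (typeof name.value !== "string" || name.value === "") {
    problems.push("name.value: required");
  } else {
    if (name.value.length > 1500) problems.push("name.value: longer than 1500 characters");
    // Collect every tag name that opens or closes in the value.
    const tags = new Set(
      [...name.value.matchAll(/<\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase()));
    for (const tag of tags) {
      if (!ALLOWED_TAGS.has(tag)) problems.push(`name.value: unsupported tag <${tag}>`);
    }
  }
  if (typeof name.i18n === "string" && name.i18n.length > 300) {
    problems.push("name.i18n: longer than 300 characters");
  }
  if (!isUri(mod.homeUrl)) problems.push("homeUrl: required, must be a URI");
  for (const field of ["documentationUrl", "logoUrl"]) {
    if (mod[field] !== undefined && !isUri(mod[field])) problems.push(`${field}: must be a URI`);
  }
  const actions = mod.actions || {};
  for (const action of [...REQUIRED_ACTIONS, ...OPTIONAL_ACTIONS]) {
    const declared = actions[action];
    if (declared === undefined) {
      if (REQUIRED_ACTIONS.includes(action)) problems.push(`actions.${action}: required action missing`);
    } else if (!declared || typeof declared.templateUrl !== "string" || declared.templateUrl === "") {
      problems.push(`actions.${action}.templateUrl: missing`);
    }
  }
  return problems;
}
```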