Integrating Invicti Enterprise with Jira
Integrating Invicti Enterprise with Jira helps to streamline your bug-fixing process and vulnerability management. Any vulnerability that needs fixing can be turned into a Jira ticket and automatically assigned to developers.
Other advantages of integrating Invicti Enterprise with Jira include the ability to:
- Monitor the vulnerability-fixing process
- Verify fixes (if there is 2-way integration)
- Reopen tickets, if necessary
- Close tickets
This article explains how to set up an integration between Invicti Enterprise On-Demand and Jira, how to export issues from Invicti Enterprise to Jira, and how to register a webhook for 2-way integration.
Warning: If you are using self-hosted Jira, first make sure Invicti Enterprise On-Demand can reach it over the network. Self-hosted Jira is usually behind a firewall, so the Jira URL must be reachable from Invicti's cloud service before the connection in Step 1 can succeed.
Integrating Invicti Enterprise with Jira
Prerequisite
- Administrator privileges OR the Add/Edit Integration permission in Invicti Enterprise.
There are two steps to this integration:
- Setting up the connection with Jira
- Configuring project details for integration
Step 1: How to set up the connection with Jira
- Log in to Invicti Enterprise.
- From the main menu, go to Integrations > New Integration > Jira.
- In the Mandatory section, complete the connection details:
- Name: This is the name of the integration that will be shown elsewhere in Invicti Enterprise.
- URL: This is the base URL of your Jira instance, specified as the domain only (the host name of your Jira Cloud site or of your self-hosted server), without a path to a particular project or page.
- Username or Email: For self-hosted Jira, enter the username. For Atlassian-hosted Jira Cloud, enter the email address of the Atlassian account.
- Access Token or Password: For Atlassian-hosted Jira Cloud, enter an API token generated for that account at https://id.atlassian.com/manage/api-tokens. For self-hosted Jira, enter the user's password. Prefer a dedicated service account that holds only the project permissions the integration needs (creating and transitioning issues) over a personal administrator account, and rotate the token if it is ever exposed.
- Select Load Jira Details.
If successful, Invicti displays your project details to continue configuring your integration. Otherwise, Invicti displays an error message.
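The checks behind the "Load Jira Details" step, written out as an added example (this is illustrative code, not Invicti's implementation): the entered domain is normalized to an https base URL and rejected if it is plain http, the credentials are sent as HTTP Basic auth the way Jira Cloud (email + API token) and self-hosted Jira (username + password) both expect, and the account, projects and issue types are read back. The REST paths are Jira's real v2 endpoints; the transport is injected so the example runs offline against a constructed stand-in for a Jira instance, and the host jira.example.com, the account and the project list are made up.

```python
"""Connection check for a Jira integration (added example, not Invicti's code).

Establishes what "Load Jira Details" needs: a usable https base URL, credentials
that authenticate, and readable projects and issue types.
"""
import base64
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse

# Hypothetical transport signature: (url, headers) -> (status_code, body_text)
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


def normalize_base_url(raw: str) -> str:
    """Turn the domain typed into the URL field into an https base URL.

    Plain http is rejected because the token or password travels in the
    Authorization header on every request.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise ValueError("Jira URL must use https; credentials are sent on every request")
    if not parsed.netloc:
        raise ValueError("Jira URL must contain a host name")
    # Keep only scheme and host: the field expects the domain, not a page path.
    return f"{parsed.scheme}://{parsed.netloc}"


def basic_auth_header(user: str, secret: str) -> Dict[str, str]:
    """Jira Cloud: email + API token; self-hosted: username + password. Both use Basic auth."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def load_jira_details(base_url: str, user: str, secret: str, http_get: HttpGet) -> Dict[str, object]:
    """Return {'ok': True, 'account', 'projects', 'issue_types'} or {'ok': False, 'error'}."""
    try:
        base = normalize_base_url(base_url)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    headers = basic_auth_header(user, secret)
    results: Dict[str, object] = {}
    for name, path in (("me", "/rest/api/2/myself"),
                       ("projects", "/rest/api/2/project"),
                       ("issue_types", "/rest/api/2/issuetype")):
        status, body = http_get(base + path, headers)
        if status in (401, 403):
            return {"ok": False, "error": f"authentication or permission failure on {path}: HTTP {status}"}
        if status != 200:
            return {"ok": False, "error": f"unexpected response on {path}: HTTP {status}"}
        results[name] = json.loads(body)
    me = results["me"]
    return {
        "ok": True,
        "account": me.get("displayName") or me.get("name"),
        "projects": {p["key"]: p["name"] for p in results["projects"]},
        "issue_types": sorted({t["name"] for t in results["issue_types"]}),
    }


# Constructed responses standing in for a Jira instance (made-up data).
_FAKE_RESPONSES = {
    "/rest/api/2/myself": (200, json.dumps({"displayName": "invicti-svc"})),
    "/rest/api/2/project": (200, json.dumps([{"key": "SEC", "name": "Security"},
                                             {"key": "WEB", "name": "Web App"}])),
    "/rest/api/2/issuetype": (200, json.dumps([{"name": "Bug"}, {"name": "Task"}, {"name": "Epic"}])),
}


def fake_http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in that checks the Authorization header the way Jira would."""
    expected = basic_auth_header("svc@example.com", "api-token")["Authorization"]
    if headers.get("Authorization") != expected:
        return 401, "{}"
    path = url[len("https://jira.example.com"):]
    return _FAKE_RESPONSES.get(path, (404, "{}"))


if __name__ == "__main__":
    print(load_jira_details("jira.example.com", "svc@example.com", "api-token", fake_http_get))
```

To run this against a real instance, replace fake_http_get with a function that performs the GET (for example with urllib or requests) and returns the status code and body text; the decision logic stays the same.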
Step 2: How to configure your Jira project for integration with Invicti
- From the Project Key drop-down, choose your project. Alternatively, start typing your project name or project key to search, then choose your project from the search results.
- From the Issue Type drop-down, choose the issue type. (For information about issue types, refer to the Jira support documentation: What are issue types?)
- Enter the Title Format. This is the string template used to build the issue title (summary) in Jira. Keep the default or type your own format; it must contain the {0} placeholder, which Invicti Enterprise replaces when it creates each issue.
- Choose a template type for the issue description: Standard (fewer issue fields) or Detailed (more issue fields such as Request and Response).
- Click Save to save your integration.
Once saved, the integration appears on the Manage Integrations page. You can test your integration by creating a sample issue.
Information: You can further configure your integration, for example, by selecting the assigned person or determining the due date. For further information, refer to the Configuring custom and complex fields section of this article.
Creating a sample issue to test integration
- From the main menu, select Integrations > Manage Integrations.
- From the Manage Integrations page, next to the relevant Jira integration, select Edit.
- Click Create Sample Issue.
Invicti Enterprise exports a sample issue to Jira to test the integration. If successful, a sample ticket is opened in your Jira project and Invicti displays a link to it; otherwise, the error returned by Jira is displayed.
How to edit the Jira integration
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Jira integration, select Edit.
- Make the necessary changes, and click Save.
How to delete the Jira integration
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Jira integration, select Delete.
- From the Delete Integration pop-up, click Delete.
How to clone the Jira integration
Tip: You can clone your integration to create as many Jira integrations as you need. However, as a security precaution, access tokens and passwords are not cloned, so you must re-enter the credential in each clone.
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Jira integration, select Clone.
- Make the necessary changes, then click Save.
Exporting issues to Jira
This section outlines the various ways you can send issues from Invicti Enterprise to Jira.
Notifications after scanning
Once the integration has been configured, you can configure Invicti Enterprise to automatically send issues to Jira after scanning has been completed. For further information, refer to Managing Notifications.
Issues page
- From the main menu, select Issues > All Issues.
- On the Issues page, select one or more issues you want to send.
- Select Send To > Jira.
A pop-up is displayed, with a link to the issue you have sent to Jira. If there is an error, this information will be displayed instead.
Recent Scans page
- From the main menu, select Scans > Recent Scans.
- Next to the relevant scan, select Report.
- Scroll down to the Technical Report section.
- From the list of detected issues, select an issue and display its details.
- Select Send To > Jira.
You can view the issues you have sent to Jira on the Open issues page.
If you have already submitted a vulnerability to Jira, the existing ticket is shown instead. You cannot submit the same issue twice.
Registering a webhook for 2-way integration
Warning: The webhook configuration for the 2-way integration was updated on 23 May 2023. To ensure the integration continues to work, enable the Exclude body checkbox in the Jira webhook settings. Without it, the 2-way integration does not function.
Invicti Enterprise has out-of-the-box support for resolving and reactivating Jira issues according to the scan results, in addition to automatic issue creation. Invicti Enterprise uses user-provided Resolved and Reopened statuses in Jira for this purpose.
To enhance issue synchronization support, Invicti Enterprise also offers webhook support. This enables you to detect any status changes in Jira issues opened by Invicti Enterprise. This can help you:
- Streamline issue resolution
- Cut down on communication overhead
- Allow developers to work on vulnerabilities without leaving the Jira environment
Invicti Enterprise generates a Webhook URL after you save your integration settings. Register this URL as a webhook in Jira and enter your preferred Resolved and Reopen statuses in Invicti Enterprise to complete issue synchronization for the integration. Treat the Webhook URL as a credential: it identifies your integration to Invicti Enterprise, so share it only through the Jira webhook configuration.
When you change your Jira issue’s status to your preferred Resolved status, the issue is automatically marked as Fixed (Unconfirmed) in Invicti Enterprise and a retest scan is started. And, when you change your Jira issue’s status to your preferred Reopened status, your corresponding Invicti Enterprise issue is automatically marked as Revived.
For further information, refer to Fix vulnerabilities faster with Invicti’s 2-way Jira integration.
The Webhook Settings field
This table lists and explains the Webhook fields on the Update Jira Integration page in Invicti Enterprise.
Button/Section/Field | Description |
Webhook URL | This is the URL you need to enter into Jira to create the 2-way integration. |
Reopen Status | This is the status name of the reopened issues or tickets. This can be: To Do or In Progress. |
Resolved Status | This is the workflow step name of the resolved issues or tickets. By default, it is Done. |
Information: In Jira, the Reopen status can only be mapped to workflow steps in two status categories: To Do and In Progress. The Resolved status can be mapped to any workflow step in your Jira workflow configuration. To avoid synchronization problems, make sure the workflow steps chosen for the Reopen and Resolved statuses are not the same. Other categories added afterwards are treated as aliases, and these values cannot be used for the integration with Invicti Enterprise, so pay attention to the category definitions when defining your workflow.
Important: avoiding testing loops. If you do not want accepted-risk or false-positive issues to be reopened and retested, make sure the Jira ticket is not closed using any of the workflow steps configured as the Resolved status. Alternatively, create a dedicated workflow step in Jira (for example, named "False Positive" or "Accepted Risk") that does not overlap with the workflow steps used for the Resolved status in Invicti. Using the same workflow step for both false positives and resolved issues causes a testing loop: the vulnerability is marked as a false positive in Invicti and the Jira ticket is closed with the Resolved step, so the webhook marks the Invicti issue Fixed (Unconfirmed) and it is retested in the next scan; the vulnerability reappears, is marked as a false positive again and closed manually, the Jira ticket is reopened, and the cycle repeats.
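The decision the receiving side has to make for each Jira status change, and the configuration check that prevents the testing loop described above, as an added example (illustrative code, not Invicti's implementation): a ticket moved to the configured Resolved step becomes Fixed (Unconfirmed) with a retest queued, a ticket moved to the configured Reopen step becomes Revived, and a ticket moved to a dedicated false-positive or accepted-risk step triggers nothing. The event body follows the shape of Jira's jira:issue_updated webhook payload (webhookEvent, issue.fields.status.statusCategory, changelog.items); the WebhookConfig fields, the action strings and the SEC-n issue keys are assumptions made for this example. Because the article has you enable Exclude body on the Jira webhook, treat this as the classification logic only, not as a drop-in receiver for Invicti's endpoint.

```python
"""Decision logic for a 2-way Jira webhook (added example, not Invicti's code).

Maps the status a Jira ticket moved to onto the scanner-side action:
  Resolved step        -> mark Fixed (Unconfirmed) and queue a retest
  Reopen step          -> mark Revived
  false-positive step  -> nothing, so the retest/reopen loop cannot start
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WebhookConfig:
    resolved_status: str = "Done"
    reopen_status: str = "To Do"
    # Dedicated steps for accepted risk / false positives; never treated as fixed.
    ignored_statuses: List[str] = field(default_factory=lambda: ["False Positive", "Accepted Risk"])
    # Jira only allows the Reopen status to map to these status categories.
    reopen_categories: tuple = ("To Do", "In Progress")

    def validate(self) -> List[str]:
        """Return configuration problems that would break sync or cause a loop."""
        problems = []
        if self.resolved_status == self.reopen_status:
            problems.append("Resolved and Reopen must be different workflow steps")
        if self.resolved_status in self.ignored_statuses:
            problems.append("the false-positive/accepted-risk step must not be the Resolved step")
        return problems


def classify_transition(to_status: str, to_category: Optional[str], cfg: WebhookConfig) -> str:
    """Map a status transition to 'fixed_unconfirmed_retest', 'revived' or 'ignore'."""
    if to_status in cfg.ignored_statuses:
        return "ignore"                      # accepted risk / false positive: no retest
    if to_status == cfg.resolved_status:
        return "fixed_unconfirmed_retest"
    if to_status == cfg.reopen_status and (to_category is None or to_category in cfg.reopen_categories):
        return "revived"
    return "ignore"                          # e.g. moved to In Review: no scanner action


def handle_event(body: str, cfg: WebhookConfig) -> Dict[str, Optional[str]]:
    """Process one delivered event body and return the decision for that issue."""
    event = json.loads(body)
    if event.get("webhookEvent") != "jira:issue_updated":
        return {"issue_key": None, "action": "ignore", "reason": "not an issue update"}
    key = event["issue"]["key"]
    status_items = [i for i in event.get("changelog", {}).get("items", []) if i.get("field") == "status"]
    if not status_items:
        return {"issue_key": key, "action": "ignore", "reason": "no status change"}
    change = status_items[-1]
    category = event["issue"]["fields"]["status"].get("statusCategory", {}).get("name")
    return {
        "issue_key": key,
        "from_status": change.get("fromString"),
        "to_status": change["toString"],
        "action": classify_transition(change["toString"], category, cfg),
    }


def sample_event(key: str, from_status: str, to_status: str, category: str) -> str:
    """Constructed jira:issue_updated payload with one status changelog entry (test data)."""
    return json.dumps({
        "webhookEvent": "jira:issue_updated",
        "issue": {"key": key, "fields": {"status": {"name": to_status,
                                                    "statusCategory": {"name": category}}}},
        "changelog": {"items": [{"field": "status", "fromString": from_status, "toString": to_status}]},
    })


if __name__ == "__main__":
    cfg = WebhookConfig()
    for problem in cfg.validate():
        raise SystemExit(problem)
    for ev in (sample_event("SEC-1", "In Progress", "Done", "Done"),
               sample_event("SEC-1", "Done", "To Do", "To Do"),
               sample_event("SEC-2", "In Progress", "False Positive", "Done")):
        print(handle_event(ev, cfg))
```

The validate() check is the programmatic form of the two rules in the information box: Resolved and Reopen must differ, and the step used to park false positives must not be the Resolved step. A configuration that fails validate() is exactly the one that produces the loop.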
How to register an Invicti Enterprise Jira Integration Webhook
- From the main menu, select Integrations > Manage Integrations.
- Next to the relevant Jira integration, select Edit.
- From the Webhook Settings section, select Copy to clipboard to copy the Webhook URL.
- In a separate window, go to Jira.
- From the main menu, go to Settings > System > WebHooks.
- On the WebHooks page, select Create a WebHook.
- In the URL field, paste in the Webhook URL (from step 3).
- In the Issue related events section, restrict the webhook to the Jira project you are integrating by entering a JQL filter such as project = KEY (replace KEY with your project key). If you leave this filter empty, Jira sends change events for all your Jira projects to Invicti Enterprise.
- In the Issue-related events section, select the updated checkbox in the Issue column.
- On the Jira WebHooks settings page, select the Exclude body checkbox. If you do not enable this checkbox, the WebHooks configuration will not work.
- Select Create.
Warning: After creating a webhook URL and entering it into Jira, if you modify your project details and save them, the webhook URL changes. You must then copy the new webhook URL and paste it into Jira. If you do not do this, your 2-way integration will not work.
Configuring custom and complex fields
You can customize your Jira integration thanks to custom and complex fields. For example, you can choose the person who will be responsible for issues identified by Invicti Enterprise. Or, you can choose the priority level for the issue. You can also delete custom fields or add new fields based on your needs.
Jira field mappings
This table lists and explains the default Jira field mappings on the Jira Integration page in Invicti Enterprise.
Information: The following fields appear by default in the drop-down. There may be additional fields based on your project and issue type.
Button/Section/Field | Description |
Assigned to | This is the user to whom the issue is assigned by default. |
Reporter | This is the user who reports issues. |
Labels | These are the issue labels. |
Components | These are the components that you need to create on Jira. You can learn more about the components via the Jira support site. Typing component names provides the list of component(s) that you can select. You can select more than one component. |
Security Level | This is the issue security level. You need to define this level in Jira, so you can control which user or group of users can view an issue. If there is no level defined, "No research found" is displayed. For further information, refer to Configuring issue-level security. |
Due Days | This is the number of days from the date the issue was created to the date it is due. |
Priority | This is the issue priority. Invicti Enterprise severity levels are mapped to Jira priorities; for example, you can map Critical in Invicti to Highest in Jira. Any severity level you do not map is sent as Medium: if no mapping is defined, every issue is sent as Medium, and if only one level is mapped (for example, Critical to Highest), all other issues are still sent as Medium. |
Epic Link | This is an epic key. You need to copy the epic key from Jira and paste it into this field. |
Epic Name | This is the epic name. You can write any name you want. Invicti Enterprise creates this epic name in Jira. When you send any issue, including sample issue creation, Invicti Enterprise creates the epic name in Jira. The epic name option appears only if you select the issue type as Epic. Please note that you cannot select an epic name and epic link for the same integration. |
How to add a new custom field
- From the Jira Field Mappings section, select + New Jira Field.
- From the Field Name drop-down, select a value. (For this example, we selected Priority.)
- From the Invicti Security drop-down, select Critical.
- From the Jira Value drop-down, select Highest.
- Click Save.
How to configure complex fields
In addition to custom fields, your project can include complex fields, such as a date picker or a multi-value version field. Values for complex fields must be entered in the Jira Value field as a double-quoted string (for a single value) or a square-bracketed list of double-quoted strings (for multiple values); plain text fields take the text as typed.
- From the Jira Field Mappings section, select + New Jira Field.
- From the Field Name drop-down, select a value. (For example, Date Picker.)
- Enter the Jira Value. (For example, "2022-07-28".)
- From the Jira Field Mappings section, select + New Jira Field.
- From the Field Name drop-down, select a value. (For example, Release Version.)
- Enter the Jira Value. (For example, ["22-9", "22-9-1"].)
- From the Jira Field Mappings section, select + New Jira Field.
- From the Field Name drop-down, select a value. (For example, Caution.)
- Enter the Jira Value. (For example, This is a sample issue.).
- Select Create Sample Issue.
If successful, Invicti displays a success message and a link to the ticket.
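How the settings from Step 2 and from this section combine into the issue Jira receives, as an added example (illustrative code, not Invicti's data model or implementation): the Title Format with its {0} placeholder, severity-to-priority mapping with the "unmapped means Medium" rule, Due Days converted into a due date, Components and Labels, and complex-field values entered as a double-quoted string or a square-bracketed list. The output is the "fields" object Jira's REST API expects when creating an issue. The Finding and IntegrationConfig classes, the customfield_10031..10033 ids and the Epic Link field id are assumptions for this example; custom field ids differ per Jira site.

```python
"""Build a Jira create-issue "fields" object from a finding (added example, not Invicti's code)."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Any, Dict, List, Optional

DEFAULT_PRIORITY = "Medium"   # anything not explicitly mapped is sent as Medium


@dataclass
class Finding:
    """Constructed stand-in for a scanner finding."""
    name: str
    severity: str          # Critical, High, Medium, Low, Information
    url: str
    description: str


@dataclass
class IntegrationConfig:
    """Assumed shape of the integration settings described in the article."""
    project_key: str
    issue_type: str = "Bug"
    title_format: str = "{0}"
    priority_map: Dict[str, str] = field(default_factory=dict)   # severity -> Jira priority name
    labels: List[str] = field(default_factory=list)
    components: List[str] = field(default_factory=list)
    due_days: Optional[int] = None
    epic_link: Optional[str] = None
    epic_link_field: str = "customfield_10014"   # assumed Epic Link field id; varies per site
    complex_fields: Dict[str, str] = field(default_factory=dict)  # field id -> value as typed


def parse_field_value(raw: str) -> Any:
    """'"2022-07-28"' -> '2022-07-28'; '["22-9", "22-9-1"]' -> list; other text stays as typed."""
    raw = raw.strip()
    if raw.startswith('"') or raw.startswith("["):
        try:
            return json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"complex field value is not a valid quoted string or list: {raw!r}") from exc
    return raw


def map_priority(severity: str, priority_map: Dict[str, str]) -> str:
    """Unmapped severities fall back to Medium, as the article describes."""
    return priority_map.get(severity, DEFAULT_PRIORITY)


def build_issue_fields(f: Finding, cfg: IntegrationConfig, today: date) -> Dict[str, Any]:
    """Return the 'fields' object for POST /rest/api/2/issue."""
    fields: Dict[str, Any] = {
        "project": {"key": cfg.project_key},
        "issuetype": {"name": cfg.issue_type},
        # replace() rather than str.format() so braces in the finding name cannot break the template
        "summary": cfg.title_format.replace("{0}", f.name),
        "description": f"{f.description}\n\nURL: {f.url}\nSeverity: {f.severity}",
        "priority": {"name": map_priority(f.severity, cfg.priority_map)},
    }
    if cfg.labels:
        fields["labels"] = list(cfg.labels)
    if cfg.components:
        fields["components"] = [{"name": c} for c in cfg.components]
    if cfg.due_days is not None:
        fields["duedate"] = (today + timedelta(days=cfg.due_days)).isoformat()
    if cfg.epic_link:
        fields[cfg.epic_link_field] = cfg.epic_link
    for field_id, raw in cfg.complex_fields.items():
        fields[field_id] = parse_field_value(raw)
    return fields


# Constructed sample configuration mirroring the values used in this article.
SAMPLE_CONFIG = IntegrationConfig(
    project_key="SEC",
    title_format="[Invicti] {0}",
    priority_map={"Critical": "Highest"},
    labels=["invicti"],
    components=["Login"],
    due_days=30,
    complex_fields={
        "customfield_10031": '"2022-07-28"',          # date picker
        "customfield_10032": '["22-9", "22-9-1"]',    # release versions
        "customfield_10033": "This is a sample issue.",  # plain text field
    },
)

SAMPLE_FINDING = Finding("SQL Injection", "Critical", "https://app.example.com/login",
                         "Constructed finding description.")

if __name__ == "__main__":
    print(json.dumps({"fields": build_issue_fields(SAMPLE_FINDING, SAMPLE_CONFIG, date(2022, 7, 1))}, indent=2))
```

The Medium fallback in map_priority is the behaviour to watch: a mapping that covers only Critical silently files every High finding as Medium, so map each severity you expect to see before relying on Jira priority for triage.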
You can view the issue you have sent to Jira in the following way: