Objective
This article focuses on troubleshooting 2-way Jira integration. It assumes that you already have 1-way Jira integration working without any issues.
Process
1. Double check that 1-way Jira integration is working without any issues. You can do this by going to:
Contrast UI -> Vulnerabilities
Pick a vulnerability and use "Send to BugTracker" on it. If this works (it creates a Jira issue for the vulnerability), go to the next step.
2. Confirm that the triggering event in Jira actually does result in a webhook notification message being sent from Jira. If this message doesn't get sent, then there is nothing for Contrast to do when the triggering event occurs in Jira.
2a. Go to https://requestbin.com to get a temporary test endpoint.
Simply click on the link to "Create a public bin". This will take you to the page for your new bin.
Your temporary test endpoint is given at the top of the page. (Keep this page open until you've completed your testing with this test endpoint.)
2b. In Jira, create/configure a simple test webhook that uses the test endpoint from the step above. In your test webhook configuration:
For the "URL", give the test endpoint from the last step. Then, under "Issue related events", choose "All issues" and check the box for Issue -> updated. This tells Jira to send a callback/notification to the webhook endpoint when any Jira issue is updated.
2c. In Contrast's Jira configuration, make sure that (1) you have "Enable two-way integration" checked and (2) you have set up issue Status mappings.
For example, in our test configuration, we've mapped the "TO DO" Jira Status to the "Confirmed" Contrast Vulnerability Status, and the "DONE" Jira Status to the "Remediated" Contrast Vulnerability Status.
2d. Trigger the Jira callback/notification by going to Jira, selecting a Jira issue that was created from the Contrast 1-way Jira integration, and changing its status to DONE.
2e. Confirm that the notification was sent from Jira by checking your requestbin page.
You can see that the callback was sent to the requestbin endpoint when new activity (new POST requests) appears in the left-hand pane. Click on any request in that pane to see the details of the request.
3. Once you've confirmed that Jira does indeed send the callback as expected when the Jira triggering event occurs, you can then test with the Contrast webhook endpoint (which is given when you check the box to "Enable two-way integration").
If this test fails (does not update the Contrast Vulnerability status as expected/configured):
- If you are a Contrast SaaS customer, you will need to open a Support ticket using the link below and ask the Contrast Support Team to check the SaaS logs to see if Contrast received the Jira notification message(s) or not.
- If you are using EOP (Enterprise On Premise), please check your on-prem TeamServer logs to see what Jira messages it received and whether there are any errors. If you need help interpreting the TeamServer logs, please open a Support Ticket with the Contrast Technical Support Team.
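
When reviewing a captured request in step 2e, it helps to confirm that the body really describes a status change to a mapped status and not some other issue update. The following is an added example, not Contrast or Jira code: it reads the standard Jira webhook fields (webhookEvent, issue.key, changelog.items) from a request body and checks the new status against the mappings from step 2c. The issue key and sample body are constructed, and the case-insensitive status comparison is an assumption made here for convenience.

```python
import json

# Status mappings from the article's example configuration (step 2c).
STATUS_MAP = {"TO DO": "Confirmed", "DONE": "Remediated"}

# Constructed sample body (hypothetical issue key), trimmed to the
# fields this check reads from a Jira "issue updated" webhook.
SAMPLE_BODY = json.dumps({
    "webhookEvent": "jira:issue_updated",
    "issue": {"key": "SEC-101"},
    "changelog": {"items": [
        {"field": "status", "fromString": "To Do", "toString": "Done"},
    ]},
})


def check_callback(raw_body, status_map=STATUS_MAP):
    """Return (ok, message) for one captured webhook request body."""
    try:
        payload = json.loads(raw_body)
    except (TypeError, ValueError):
        return False, "body is not valid JSON"
    if not isinstance(payload, dict):
        return False, "body is not a JSON object"
    event = payload.get("webhookEvent")
    if event != "jira:issue_updated":
        return False, f"unexpected event {event!r}"
    key = (payload.get("issue") or {}).get("key", "<unknown>")
    # An update that only edits a comment or description carries no
    # "status" entry in the changelog, so nothing would be synced.
    items = (payload.get("changelog") or {}).get("items") or []
    changes = [i for i in items if i.get("field") == "status"]
    if not changes:
        return False, f"{key}: update did not change status"
    new_status = changes[-1].get("toString") or ""
    # Assumption: compare case-insensitively, since Jira displays
    # status names in upper case but stores them as e.g. "Done".
    mapped = {k.upper(): v for k, v in status_map.items()}
    target = mapped.get(new_status.upper())
    if target is None:
        return False, f"{key}: Jira status {new_status!r} has no mapping"
    return True, f"{key}: {new_status!r} maps to Contrast status {target!r}"


if __name__ == "__main__":
    print(check_callback(SAMPLE_BODY))
```

Paste the raw body of a captured request in place of SAMPLE_BODY to check a real callback.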