Jira Software is part of a family of products designed to help teams of all types manage work. Originally, Jira was designed as a bug and issue tracker. But today, Jira has evolved into a powerful work management tool for all kinds of use cases, from requirements and test case management to agile software development.
The Contrast-Jira integration allows for the creation of Jira tickets for vulnerabilities found by Contrast, so that work for remediation can be normalized and tracked with development work.
Table of Contents
Before you start
All Contrast Security integrations require an organization admin in order to set up the connection
For on-premise Jira installations:
You are using a supported version of Jira on-premises
- For EOP Teamserver installations, where the Jira server is utilizing a self-signed or Domain certificate, you must first import the certificate into the JVMs truststore that is being used by the Teamserver. See this KB for assistance. Essentially we are importing the cert into the cacerts store.
$ jre/bin/keytool -import -file <path to certificate> -alias <hostname> \-keystore <ts install>/jre/lib/security/cacerts
Set up the integration
Log into the Contrast UI. Select your name at the top right and choose “Organization settings”.
Choose “Integrations” and then select “Connect” to set up a new Jira connection.
Input credentials to connect to the Jira project.
• The Name of the integration can be anything you’d like.
• The URL is the URL that you login through when accessing Jira
• The Username is the username that the API key was created with
• To create an API key use the following link: https://id.atlassian.com/manage-profile/security/api-tokens
If you’re using the on-premises version of Jira substitute the API Key for the password associated with the Username you entered
Test the connection. To connect to your Jira instance you may need to open inbound connectivity from the Contrast Server's outbound IP addresses - details can be found in this knowledge base article.
For an unsuccessful test, check that the URL you received from Jira and the one you posted in Contrast are matching. Contact Contrast Support (email@example.com) if necessary.
Select a Jira project
Set the default priority and the default issue type.
Ensure all required “Additional JIRA fields” have a default value. Required ones are those that are disabled, such as “Reporter” above. If no default value is selected you will not be able to save the integration.
Save the integration
Meet your use case
a. Track remediation of vulnerabilities in Jira after triaging in Contrast UI
Most Jira configurations will work for this use case. Below you can see I have them being sent to a “Security” project in Jira.
Sending a vulnerability to a bugtracker means to have Contrast create a ticket for that vulnerability in the bugtracker. After triaging a vulnerability and deciding that it is a true-positive and a high priority for remediation, click the paper airplane icon in the Contrast UI to send the vulnerability.
Choose what data to send. You can assign the ticket to someone in that project if you know the appropriate application team or developer.
Include Section Definitions
• Risk is the “What’s the risk” section in the Contrast UI vulnerability overview
• Recommendation is the “How to Fix” tab of the vulnerability in the Contrast UI
• First Event is the creation event for the vulnerability.
• Last Event is sink where Contrast has tracked the vulnerability.
• HTTP Request is the full HTTP request when applicable
• References are the links found on the “How to fix” tab in the Contrast UI
b. Create tickets for vulnerabilities from an application in that application team’s Jira project
To accomplish this we need to change two fields. The “Applications” field and “Project Name” field. In the example below you can see that the vulnerabilities related to SampleApp1 will be sent to the SampleApplicationTeam’s project in Jira.
c. Create tickets for vulnerabilities across multiple application teams in the same security Jira project
Multiple applications can be selected and all vulnerabilities from those applications sent to one Jira project. In the example below SampleApp1, SampleApp2, and Webgoat are applications in Contrast that are being sent to the Security Jira project.
e. Automatically create Jira tickets for new vulnerabilities found by Contrast
Use the checkbox on the Jira integration screen to configure the auto sending of tickets. Further control the types of tickets sent by using the filtering option. In the example below I only want to send Critical and High vulnerabilities automatically.
f. Automatically close out vulnerabilities in Contrast once developers close out Jira tickets
Once you’ve added the webhook provided by the Contrast UI in your Jira you’ll be able to configure how the two-way interactions are handled. In this example, we have various mappings for the DONE status, differing by their substatus/resolution (e.g. Won’t Do, Duplicate). We will map these resolutions to various vulnerability statuses. Changing the status of the ticket in the Jira project to any of the ticket statuses in the left column will update the status of the associated vulnerability to the status in the right column.
As a Jira administrator, set up the webhook.
Follow these instructions to set up the webhook. Once completed you should have something similar to
The above webhook is defined such that a webhook event will be triggered, and be sent to Contrast (https://apptwo.contrastsecurity.com/contrast/...), when a jira is updated, but only if/when that jira belongs to the "Contrast" jira project, since the JQL Query in the Webhook definition restricts the matching jiras to be those belonging to the "Contrast" project.
Now, fill in the default fields and save the integration. We will configure in the next section.
You can create a vulnerability type in Jira called vulnerability and use that to create statuses and resolutions that map to Contrast.
Choose the cogwheel in the top right and select issues.
Select Issue Types
“Select Statuses” and “Add status” for various Contrast UI statuses.