Sync your Snyk monitored projects and open automatically JIRA tickets for new issues and existing one(s) without ticket already created.
Run this after snyk monitor
in CI or every day/hour for non CLI projects.
Aimed to be executed at regular interval or with a trigger of your choice (webhooks).
This repository is in maintenance mode, no new features are being developed. Bug & security fixes will continue to be delivered. Open source contributions are welcome for small features & fixes (no breaking changes) This tool does not fall into any of the standard support packages
assigneeId is now a string, not an int. Wrap your assigneeId in quotes to "migrate" to 6.x version and above.
You can either download the binaries from the the release page
or
Use go install github.com/snyk-tech-services/jira-tickets-for-new-vulns@latest
-
--orgID
requiredPublic Snyk organization ID can be located in the organization settings
Example:
--orgID=0e9373a6-f858-11ec-b939-0242ac120002
-
--token
requiredCreate a service account in Snyk and use the provided token.
Example:
--token=0e9373a6-f858-11ec-b939-0242ac120002
-
--jiraProjectKey
requiredJira project key the tickets will be opened against.
Example:
--jiraProjectKey=TEAM_A
Example:
./snyk-jira-sync-linux --orgID=0e9373a6-f858-11ec-b939-0242ac120002 --token=xxxxxxxx-xxxx-xxxx-xxxx-0242ac120002 --jiraProjectKey=TEAM_A
-
--orgID
requiredPublic Snyk organization ID can be located in the organization settings
Example:
--orgID=0e9373a6-f858-11ec-b939-0242ac120002
-
--token
requiredCreate a service account in Snyk and use the provided token.
Example:
--token=0e9373a6-f858-11ec-b939-0242ac120002
-
--jiraProjectKey
requiredJira project key the tickets will be opened against.
Example:
--jiraProjectKey=TEAM_A
-
--jiraProjectID
optionaljiraProjectKey
orjiraProjectID
must be set, but not both. This is an alternative way to specify a Jira project.Example:
--jiraProjectKey=1234
-
--projectID
optionalBy default all projects in a given Snyk organization will be synced, if
projectID
is set only this project will be synced. Project public ID can be located in project settingsExample:
--projectID=0e9373a6-f858-11ec-b939-0242ac120002
-
--api
optionalAlternative API host.
Example:
--api=https://my.private.instance.com/api
-
--jiraTicketType
optionalType of ticket to open. Defaults to
Bug
. Must match the issue type configured in the provided Jira project.Example:
--jiraTicketType=Defect
-
--severity
optionalSeverity threshold to open tickets for. Can be one of
critical
,high
,medium
,low
. Defaults tolow
. Example:--severity=critical
-
--maturityFilter
optionalCan be one or multiple values:
mature
,proof-of-concept
,no-known-exploit
,no-data
. Note: Not supported for Snyk CodeExample:
--maturityFilter=[mature,no-data]
-
--type
optionalSnyk issue type to open tickets for. Defaults to
all
. Possible values:all
,vuln
,license
Example:
--type=vuln
-
--assigneeId
optionalJira ID of user to assign tickets to.
Example:
--assigneeId="123abc456def789"
-
DEPRECATED
--assigneeName
optionalCurrently Snyk supports Jira API v2 where this field is now deprecated. See the Jira deprecation notice.
-
--priorityIsSeverity
optionalSet the ticket priority to be based on severity, default priorities & severities:
Low|Medium|High|Critical=>Low|Medium|High|Highest
. Can betrue
orfalse
.Example:
--priorityIsSeverity=true
-
--labels
optionalExample:
--labels=app-1234
-
--dueDate
optionalExample:
--dueDate=2022-12-01
-
--priorityScoreThreshold
optionalYour minimum Snyk priority score threshold. Can be a number between
0
and1000
.Example:
--priorityScoreThreshold=700
[0-1000] -
--dryRun
optionalEnables dry run mode, which will not open any tickets but provide information on what changes will occur. Results can be found in a json log file in the same directory.
Example:
--dryRun=true
-
--debug
optionalEnables debug mode. For more comprehensive debug information from Go set the environment variable
GODEBUG=http2debug=2
as well.Example:
--debug=true
-
--cveInTitle
optionalEnables the CVEs as suffix in the Jira ticket title.
Example:
--cveInTitle=true
Note: Not supported for Snyk Code -
--ifUpgradeAvailableOnly
optionalOnly create tickets for
vuln
issues that are upgradable.--type
must be set toall
orvuln
for this to work.Example:
--ifUpgradeAvailableOnly=true
-
--projectCriticality
optionalInclude only projects whose Snyk business criticality attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
Example:
--projectCriticality=critical,medium
-
--projectEnvironment
optionalInclude only projects whose Snyk environment attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
Example:
--projectEnvironment=backend,frontend
-
--projectLifecycle
optionalInclude only projects whose Snyk lifecycle attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
Example:
--projectLifecycle=development,production
-
--configFile
optionalPath the directory where
jira.yaml
file is located (by default we will check current directory)Example:
--configFile=/directory-name
-
--ifAutoFixableOnly
optionalOnly create tickets for
vuln
issues that are fixable (no effect when usingifUpgradeAvailableOnly
).--type
must be set toall
orvuln
for this to work.Example:
--ifAutoFixableOnly=true
The tool does not support IAC project. It will open issue only for code and open source projects and ignore all other project type.
Option to get the JIRA ticket priority set based on issue severity. Defaults map to:
Issue severity | JIRA priority |
---|---|
critical | Highest |
high | High |
medium | Medium |
low | Low |
Use SNYK_JIRA_PRIORITY_FOR_XXX_VULN
env var to override the default an set your value.
Example: Critical sevs should receive the Hot Fix priority in JIRA
export SNYK_JIRA_PRIORITY_FOR_CRITICAL_VULN='Hot Fix'
git clone the repo, build.
go run main.go jira.go jira_utils.go vulns.go snyk.go snyk_utils.go
This tool does not hit JIRA directly but instead makes API requests against Snyk, which in turn talks to the configured Jira in the platform.
https://github.com/michael-go/go-jsn/jsn to make JSON parsing a breeze github.com/tidwall/sjson github.com/kentaro-m/blackfriday-confluence gopkg.in/russross/blackfriday.v2
A logFile listing all the tickets created can be found where the tool has been run.
{
"projects": {
"123": [
{
"Summary": "test/goof:package.json - Remote Code Execution (RCE)",
"Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore: 8.10\n exploitMaturity: proof\\-of\\-concept\n severity: high\n pkgVersions: 3.0.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"proxy\\-agent\"@\"3.1.0\" =\u003e \"pac\\-proxy\\-agent\"@\"3.0.0\" =\u003e \"pac\\-resolver\"@\"3.0.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1589857]\n\n",
"JiraIssueDetail": {
"JiraIssue": {
"Id": "10001",
"Key": "FPI-001"
},
"IssueId": "SNYK-JS-PACRESOLVER-1589857"
}
},
{
"Summary": "test/goof:package.json - Prototype Pollution",
"Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore: 6.30\n exploitMaturity: proof\\-of\\-concept\n severity: medium\n pkgVersions: 4.2.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\\- \"snyk\"@\"1.228.3\" =\u003e \"update\\-notifier\"@\"2.5.0\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-DOTPROP-543499]\n\n",
"JiraIssueDetail": {
"JiraIssue": {
"Id": "10001",
"Key": "FPI-001"
},
"IssueId": "SNYK-JS-DOTPROP-543499"
}
},
]
}
}
Example of config file structure. If your jira project has specific required field or custom fields configured, they will need to be added to the config file. Mandatory fields:
-
Make sure to give both key and value expected by jira under the customMandatoryField key of the config file. We support 2 kind of required field: simple key/value pair or nested key/value
-
Simple key/Value:
customMandatoryFields: key: value: "This is a summary"
will result in adding this object to the ticket
{"key":{"Value":"This is a summary"}
-
Nested:
firstKey: secondKey: id: 65
will result in adding this object to the ticket
"firstKey":{"secondKey":{"id":62}}
Custom fields:
At the moment we are supporting 3 types of custom Jira fields: labels
, MultiGroupPicker
and MultiSelect
.
Make sure to respect the format in the config file:
- simpleField:
"customfield_10601": value: jiraValue-simpleField-something to add to the ticket
will be sent as"customfield_10601":"something to add to the ticket"
- labels:
"customfield_10601": value: jiraValue-label-Value1,Value2
will be sent as"customfield_10601":["Value1","Value2"]
- MultiGroupPicker:
"customfield_10601": value: jiraValue-MultiGroupPicker-Value1,Value2
will be sent as"customfield_10601":[{"name":"Value1"},{"name":"Value2"}]
- MultiGroupPicker:
"customfield_10601": value: jiraValue-MultiSelect-Value1,Value2
will be sent as"customfield_10601":[{"value":"Value1"},{"value":"Value2"}]
For more details on jira custom field please visit Jira documentation
schema: 1
snyk:
orgID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990513 # <SNYK_ORG_ID>
projectID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990514 # <SNYK_PROJECT_ID>
severity: critical # <critical|high|medium|low>
maturityFilter: mature # <mature,proof-of-concept,no-known-exploit,no-data>
type: all # <all|vuln|license>
priorityScoreThreshold: 10
api: https://myapi # <API endpoint> default to
ifUpgradeAvailableOnly: false # <true|false>
jira:
jiraTicketType: Task # <Task|Bug|....>
jiraProjectID: 12345
assigneeId: "123abc456def789"
priorityIsSeverity: true # <true|false>
labels: label1 # <IssueLabel1>,<IssueLabel2>
jiraProjectKey: testProject
priorityIsSeverity: false # <true|false> (defaults: Low|Medium|High|Critical=>Low|Medium|High|Highest)
customMandatoryFields:
key:
value: 5
customfield_10601:
value: jiraValue-MultiGroupPicker-Value1,Value2
customfield_10602:
value: jiraValue-simpleField-something to add to the ticket
Notes:
- The token is not expected present in the config file
- Command line arguments override the config file. IE:
Using the config file above, running
./snyk-jira-sync-macOs --Org=1234 --configFile=./path/to/folder --token=123
the org ID used by the tool will be1234
and nota1b2c3de-99b1-4f3f-bfdb-6ee4b4990513
- See 'Extended options' for default values
Releasing requires to indicate the correct semver version jump using commit prefix.