Sync your Snyk monitored projects and automatically open JIRA tickets for new issues and for existing ones that do not already have a ticket.
Run this after `snyk monitor` in CI, or every day/hour for non-CLI projects.
It is meant to be executed at a regular interval or with a trigger of your choice (webhooks).
This repository is in maintenance mode; no new features are being developed. Bug & security fixes will continue to be delivered. Open source contributions are welcome for small features & fixes (no breaking changes).
You can either download the binaries from the release page or use `go install github.com/snyk-tech-services/jira-tickets-for-new-vulns@latest`.
- `--orgID` (required): Public Snyk organization ID, can be located in the organization settings.
  Example: `--orgID=0e9373a6-f858-11ec-b939-0242ac120002`
- `--token` (required): Create a service account in Snyk and use the provided token.
  Example: `--token=0e9373a6-f858-11ec-b939-0242ac120002`
- `--jiraProjectKey` (required): Jira project key the tickets will be opened against.
  Example: `--jiraProjectKey=TEAM_A`

Example:
`./snyk-jira-sync-linux --orgID=0e9373a6-f858-11ec-b939-0242ac120002 --token=xxxxxxxx-xxxx-xxxx-xxxx-0242ac120002 --jiraProjectKey=TEAM_A`
- `--orgID` (required): Public Snyk organization ID, can be located in the organization settings.
  Example: `--orgID=0e9373a6-f858-11ec-b939-0242ac120002`
- `--token` (required): Create a service account in Snyk and use the provided token.
  Example: `--token=0e9373a6-f858-11ec-b939-0242ac120002`
- `--jiraProjectKey` (required): Jira project key the tickets will be opened against.
  Example: `--jiraProjectKey=TEAM_A`
- `--jiraProjectID` (optional): Either `jiraProjectKey` or `jiraProjectID` must be set, but not both. This is an alternative way to specify a Jira project.
  Example: `--jiraProjectID=1234`
- `--projectID` (optional): By default all projects in a given Snyk organization will be synced; if `projectID` is set, only this project will be synced. The project public ID can be located in the project settings.
  Example: `--projectID=0e9373a6-f858-11ec-b939-0242ac120002`
- `--api` (optional): Alternative API host.
  Example: `--api=https://my.private.instance.com/api`
- `--jiraTicketType` (optional): Type of ticket to open. Defaults to `Bug`. Must match the issue type configured in the provided Jira project.
  Example: `--jiraTicketType=Defect`
- `--severity` (optional): Severity threshold to open tickets for. Can be one of `critical`, `high`, `medium`, `low`. Defaults to `low`.
  Example: `--severity=critical`
- `--maturityFilter` (optional): Can be one or multiple values: `mature`, `proof-of-concept`, `no-known-exploit`, `no-data`. Note: Not supported for Snyk Code.
  Example: `--maturityFilter=[mature,no-data]`
- `--type` (optional): Snyk issue type to open tickets for. Defaults to `all`. Possible values: `all`, `vuln`, `license`.
  Example: `--type=vuln`
- `--assigneeId` (optional): Jira ID of user to assign tickets to.
  Example: `--assigneeId=123abc456def789`
- `--assigneeName` (optional, DEPRECATED): Currently Snyk supports Jira API v2 where this field is now deprecated. See the Jira deprecation notice.
- `--priorityIsSeverity` (optional): Set the ticket priority to be based on severity, default priorities & severities: `Low|Medium|High|Critical=>Low|Medium|High|Highest`. Can be `true` or `false`.
  Example: `--priorityIsSeverity=true`
- `--labels` (optional)
  Example: `--labels=app-1234`
- `--dueDate` (optional)
  Example: `--dueDate=2022-12-01`
- `--priorityScoreThreshold` (optional): Your minimum Snyk priority score threshold. Can be a number between `0` and `1000`.
  Example: `--priorityScoreThreshold=700` [0-1000]
- `--dryRun` (optional): Enables dry run mode, which will not open any tickets but provides information on what changes will occur. Results can be found in a JSON log file in the same directory.
  Example: `--dryRun=true`
- `--debug` (optional): Enables debug mode. For more comprehensive debug information from Go, set the environment variable `GODEBUG=http2debug=2` as well.
  Example: `--debug=true`
- `--cveInTitle` (optional): Enables the CVEs as suffix in the Jira ticket title. Note: Not supported for Snyk Code.
  Example: `--cveInTitle=true`
- `--ifUpgradeAvailableOnly` (optional): Only create tickets for `vuln` issues that are upgradable. `--type` must be set to `all` or `vuln` for this to work.
  Example: `--ifUpgradeAvailableOnly=true`
- `--projectCriticality` (optional): Include only projects whose Snyk business criticality attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
  Example: `--projectCriticality=critical,medium`
- `--projectEnvironment` (optional): Include only projects whose Snyk environment attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
  Example: `--projectEnvironment=backend,frontend`
- `--projectLifecycle` (optional): Include only projects whose Snyk lifecycle attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.
  Example: `--projectLifecycle=development,production`
- `--configFile` (optional): Path to the directory where the `jira.yaml` file is located (by default we will check the current directory).
  Example: `--configFile=/directory-name`
- `--ifAutoFixableOnly` (optional): Only create tickets for `vuln` issues that are fixable (no effect when using `ifUpgradeAvailableOnly`). `--type` must be set to `all` or `vuln` for this to work.
  Example: `--ifAutoFixableOnly=true`

The tool does not support IAC projects. It will open issues only for code and open source projects and ignore all other project types.
Option to get the JIRA ticket priority set based on issue severity. Defaults map to:
| Issue severity | JIRA priority |
|---|---|
| critical | Highest |
| high | High |
| medium | Medium |
| low | Low |
Use the `SNYK_JIRA_PRIORITY_FOR_XXX_VULN` env var to override the default and set your value.
Example: Critical sevs should receive the Hot Fix priority in JIRA
`export SNYK_JIRA_PRIORITY_FOR_CRITICAL_VULN='Hot Fix'`
git clone the repo, build.
`go run main.go jira.go jira_utils.go vulns.go snyk.go snyk_utils.go`

- https://github.com/michael-go/go-jsn/jsn to make JSON parsing a breeze
- github.com/tidwall/sjson
- github.com/kentaro-m/blackfriday-confluence
- gopkg.in/russross/blackfriday.v2

A logFile listing all the tickets created can be found where the tool has been run.
```json
{
  "projects": {
    "123": [
      {
        "Summary": "test/goof:package.json - Remote Code Execution (RCE)",
        "Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore: 8.10\n exploitMaturity: proof\\-of\\-concept\n severity: high\n pkgVersions: 3.0.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"proxy\\-agent\"@\"3.1.0\" =\u003e \"pac\\-proxy\\-agent\"@\"3.0.0\" =\u003e \"pac\\-resolver\"@\"3.0.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1589857]\n\n",
        "JiraIssueDetail": {
          "JiraIssue": {
            "Id": "10001",
            "Key": "FPI-001"
          },
          "IssueId": "SNYK-JS-PACRESOLVER-1589857"
        }
      },
      {
        "Summary": "test/goof:package.json - Prototype Pollution",
        "Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore: 6.30\n exploitMaturity: proof\\-of\\-concept\n severity: medium\n pkgVersions: 4.2.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\\- \"snyk\"@\"1.228.3\" =\u003e \"update\\-notifier\"@\"2.5.0\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-DOTPROP-543499]\n\n",
        "JiraIssueDetail": {
          "JiraIssue": {
            "Id": "10001",
            "Key": "FPI-001"
          },
          "IssueId": "SNYK-JS-DOTPROP-543499"
        }
      }
    ]
  }
}
```
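
A log file in this shape can be reduced to a reviewable "Snyk issue to Jira ticket" index after each run. The following is an added example, not code from this repository; the `ticket` type, `ticketIndex` function and the embedded sample (a constructed log with the Description fields omitted) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ticket mirrors one entry of the log structure shown above (only the fields used here).
type ticket struct {
	Summary         string
	JiraIssueDetail struct {
		JiraIssue struct{ Id, Key string }
		IssueId   string
	}
}

// sampleLog is a constructed sample in the log's format, not real output.
const sampleLog = `{"projects":{"123":[
 {"Summary":"test/goof:package.json - Remote Code Execution (RCE)",
  "JiraIssueDetail":{"JiraIssue":{"Id":"10001","Key":"FPI-001"},"IssueId":"SNYK-JS-PACRESOLVER-1589857"}},
 {"Summary":"test/goof:package.json - Prototype Pollution",
  "JiraIssueDetail":{"JiraIssue":{"Id":"10002","Key":"FPI-002"},"IssueId":"SNYK-JS-DOTPROP-543499"}}]}}`

// ticketIndex returns sorted "projectID issueID -> jiraKey" lines and rejects
// logs that are not valid JSON or that contain a ticket without identifiers.
func ticketIndex(raw []byte) ([]string, error) {
	var l struct{ Projects map[string][]ticket }
	if err := json.Unmarshal(raw, &l); err != nil {
		return nil, fmt.Errorf("invalid log file: %w", err)
	}
	var out []string
	for pid, tickets := range l.Projects {
		for _, t := range tickets {
			d := t.JiraIssueDetail
			if d.IssueId == "" || d.JiraIssue.Key == "" {
				return nil, fmt.Errorf("project %s: %q lacks an issue ID or Jira key", pid, t.Summary)
			}
			out = append(out, fmt.Sprintf("%s %s -> %s", pid, d.IssueId, d.JiraIssue.Key))
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(ticketIndex([]byte(sampleLog)))
}
```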
Example of config file structure. If your Jira project has specific required fields or custom fields configured, they will need to be added to the config file.

Mandatory fields:

Make sure to give both the key and the value expected by Jira under the `customMandatoryFields` key of the config file. We support 2 kinds of required field: simple key/value pair or nested key/value.

- Simple key/value:
  ```
  customMandatoryFields:
    key:
      value: "This is a summary"
  ```
  will result in adding this object to the ticket
  ```
  {"key":{"Value":"This is a summary"}}
  ```
- Nested:
  ```
  firstKey:
    secondKey:
      id: 65
  ```
  will result in adding this object to the ticket
  ```
  "firstKey":{"secondKey":{"id":65}}
  ```

Custom fields:

At the moment we are supporting 3 types of custom Jira fields: labels, MultiGroupPicker and MultiSelect.
Make sure to respect the format in the config file:

- simpleField:
  ```
  "customfield_10601":
    value: jiraValue-simpleField-something to add to the ticket
  ```
  will be sent as `"customfield_10601":"something to add to the ticket"`
- labels:
  ```
  "customfield_10601":
    value: jiraValue-label-Value1,Value2
  ```
  will be sent as `"customfield_10601":["Value1","Value2"]`
- MultiGroupPicker:
  ```
  "customfield_10601":
    value: jiraValue-MultiGroupPicker-Value1,Value2
  ```
  will be sent as `"customfield_10601":[{"name":"Value1"},{"name":"Value2"}]`
- MultiSelect:
  ```
  "customfield_10601":
    value: jiraValue-MultiSelect-Value1,Value2
  ```
  will be sent as `"customfield_10601":[{"value":"Value1"},{"value":"Value2"}]`

For more details on Jira custom fields, please visit the Jira documentation.
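
The `jiraValue-<type>-<data>` convention described above can be checked before a run with a small encoder that reproduces the documented mappings. This is an added example, not the tool's own implementation; the function names `encodeCustomField`, `wrap` and `fieldJSON` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// encodeCustomField (example helper, not the tool's code) maps "jiraValue-<type>-<data>" to its Jira value.
func encodeCustomField(raw string) (interface{}, error) {
	parts := strings.SplitN(raw, "-", 3) // the data part may itself contain '-'
	if len(parts) != 3 || parts[0] != "jiraValue" || parts[2] == "" {
		return nil, fmt.Errorf("expected jiraValue-<type>-<data>, got %q", raw)
	}
	switch data := parts[2]; parts[1] {
	case "simpleField":
		return data, nil
	case "label":
		return strings.Split(data, ","), nil
	case "MultiGroupPicker":
		return wrap("name", data), nil
	case "MultiSelect":
		return wrap("value", data), nil
	}
	return nil, fmt.Errorf("unsupported custom field type %q", parts[1])
}

// wrap builds [{"<key>":"Value1"},{"<key>":"Value2"}] from "Value1,Value2".
func wrap(key, data string) []map[string]string {
	var out []map[string]string
	for _, item := range strings.Split(data, ",") {
		out = append(out, map[string]string{key: item})
	}
	return out
}

// fieldJSON renders the "name":value pair as a JSON object for inspection.
func fieldJSON(name, raw string) (string, error) {
	v, err := encodeCustomField(raw)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(map[string]interface{}{name: v})
	return string(b), err
}

func main() {
	fmt.Println(fieldJSON("customfield_10601", "jiraValue-MultiGroupPicker-Value1,Value2"))
}
```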
```yaml
schema: 1
snyk:
  orgID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990513 # <SNYK_ORG_ID>
  projectID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990514 # <SNYK_PROJECT_ID>
  severity: critical # <critical|high|medium|low>
  maturityFilter: mature # <mature,proof-of-concept,no-known-exploit,no-data>
  type: all # <all|vuln|license>
  priorityScoreThreshold: 10
  api: https://myapi # <API endpoint> default to
  ifUpgradeAvailableOnly: false # <true|false>
jira:
  jiraTicketType: Task # <Task|Bug|....>
  jiraProjectID: 12345
  assigneeId: 123abc456def789
  priorityIsSeverity: true # <true|false>
  labels: label1 # <IssueLabel1>,<IssueLabel2>
  jiraProjectKey: testProject
  priorityIsSeverity: false # <true|false> (defaults: Low|Medium|High|Critical=>Low|Medium|High|Highest)
  customMandatoryFields:
    key:
      value: 5
    customfield_10601:
      value: jiraValue-MultiGroupPicker-Value1,Value2
    customfield_10602:
      value: jiraValue-simpleField-something to add to the ticket
```
Notes:
- The token is not expected to be present in the config file.
- Command line arguments override the config file. For example, using the config file above and running `./snyk-jira-sync-macOs --orgID=1234 --configFile=./path/to/folder --token=123`, the org ID used by the tool will be `1234` and not `a1b2c3de-99b1-4f3f-bfdb-6ee4b4990513`.
- See 'Extended options' for default values.