Jira Cloud

Jira Cloud is built for every member of your software team to plan, track, and manage their work. Using the Atlassian platform, you can dynamically show information about issues, build new workflows and features, or integrate Jira with an existing service.

How to Integrate with Edgescan:

The edgescan plugin for Jira Cloud provides a means to link edgescan assets to Jira projects. It can be configured to retrieve vulnerability data from the edgescan API, open a Jira issue for each new vulnerability, and automatically transition issues when the linked vulnerability is closed.

This documentation assumes familiarity with the concepts and configuration used by both edgescan and Jira.

Installing the plugin

The edgescan plugin installation URL is: edgescan Jira cloud plugin | Atlassian Marketplace

  • To install the plugin, click Get it now, select the site on which to install the app, then click Install app.

  • When brought to another page, click Get it now again.

Authorising the Plugin

The host Jira instance must be authorised to access edgescan using an API token (see the edgescan user documentation for details on how to generate an API token).

  • Once the plugin is installed, a pop-up will appear in the bottom left corner of the page. Select Configure. Alternatively, go to Apps -> Manage your apps and configure the app there.

  • Enter the API token into the resulting field and click Save. A message will be displayed indicating whether authorisation was successful.

Linking Projects

To configure a link between a Jira project and one or more edgescan assets:

  • Navigate to the project link configuration page at: Project Settings -> Apps -> Link to edgescan and select Edit near the bottom of the page.

The following configuration options are available:

  • Linked Assets – The edgescan assets you wish to link to this project. You must select at least one.

  • Risk Mapping – Each edgescan risk rating may be mapped to a Jira priority. Issues created from a vulnerability with a particular risk rating will have the mapped priority. If a risk rating is set to Ignore, no issues will be created for vulnerabilities of that risk.

  • Create Issue with Type – Issues created by the app will have this type.

  • Add to Epic (Optional) – Issues will be added to the specified epic on creation.

  • Add to Task – Issues created with type Subtask will be added to the specified task on creation. This option only appears if issues are created with type Subtask.

  • Assign to (Optional) – Issues will be assigned to the specified user on creation.

  • Status on Create – Issues will be transitioned to this status on creation.

  • Status on Close – Issues will be transitioned to this status when the linked vulnerability is closed. For the plugin to operate correctly, ensure that a transition to this status is always available.

Syncing Projects

Syncing is the process of opening and transitioning issues based on the latest vulnerability data from edgescan. When a sync is performed, the app retrieves vulnerability data from edgescan. An issue will be opened for each new vulnerability, and if a vulnerability has been closed, the linked issue will be transitioned to the configured Status on Close.

Syncing can be performed automatically or manually:

  • Automatic Sync is disabled by default, and can be enabled by clicking the Enable Auto-Sync button on the project link configuration page. When enabled, a sync will be performed automatically every 5 minutes.

  • Manual Sync is only available if Auto-Sync is disabled. You can trigger a sync by clicking the Sync Now button on the project link configuration page.

Created Issues

  • Issues created by the plugin will have the type, priority, and status configured in the project link.

  • Issues will be added to an epic and/or assigned to a user if configured to do so.

  • The title is in the following format: <vulnerability_name> @ <location>

  • The description will list the details of the vulnerability, and provide a link to the vulnerability in the edgescan portal.

Important Points about Syncing

The first sync performed on a project may take a long time, depending on the number of issues it has to create. Similarly, if the project link configuration is edited, the next sync will be more thorough than the usual sync in order to ensure consistency between Jira and edgescan. Therefore, please allow 15 minutes for the first sync, and for subsequent configuration changes to take effect.

The effect of changing each configuration option is as follows:

    • If an asset associated with a link is deselected, any issues linked to vulnerabilities on that asset will be deleted.

    • If the priority mapping for a risk is changed to Ignore, any issues linked to vulnerabilities of that risk rating will be deleted.

    • If the priority mapping for a risk is changed, any issues linked to vulnerabilities of that risk rating will be updated to the correct priority.

    • If the Create Issue with Type setting is changed, all issues will be updated to the correct type.

    • If the Add to Epic, Add to Task, or Assign to settings are changed, existing issues will be unchanged. These changes will apply only to issues created in the future.

    • If the Status on Create or Status on Close settings are changed, the status of already existing issues will be unchanged. These changes will apply only to issues created in the future.
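
The sync rules above, including the destructive ones (deselecting an asset or mapping a risk to Ignore deletes existing issues), can be modelled as a dry-run planner. This is an added sketch, not the plugin's code: the Vuln shape, the plan_sync function, the rating and priority names, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

IGNORE = "Ignore"  # risk ratings mapped to Ignore produce no issues

@dataclass(frozen=True)
class Vuln:  # hypothetical shape for this sketch, not the edgescan API schema
    id: int
    name: str
    location: str
    asset: str
    risk: str
    open: bool

def plan_sync(vulns, issues, linked_assets, risk_map, status_on_close):
    """Dry run: list the actions a sync would take, without touching Jira.
    issues maps vuln id -> {"priority": str, "closed": bool} for issues the
    app already created; "closed" means the close transition already ran.
    """
    actions = []
    for v in vulns:
        issue = issues.get(v.id)
        priority = risk_map[v.risk]
        if v.asset not in linked_assets or priority == IGNORE:
            if issue is not None:  # destructive: the existing issue is deleted
                actions.append(("delete", v.id))
            continue
        if issue is None:
            if v.open:  # also covers a manually deleted issue being recreated
                title = f"{v.name} @ {v.location}"
                actions.append(("create", v.id, title, priority))
            continue
        if issue["priority"] != priority:
            actions.append(("set_priority", v.id, priority))
        if not v.open and not issue["closed"]:
            actions.append(("transition", v.id, status_on_close))
    return actions

# Constructed sample data: ratings, priorities and asset names are made up.
VULNS = [
    Vuln(1, "SQL Injection", "https://app.example.test/login", "web", "High", True),
    Vuln(2, "Verbose Banner", "https://app.example.test/", "web", "Low", True),
    Vuln(3, "Weak Cipher", "legacy.example.test:443", "legacy", "High", True),
    Vuln(4, "Open Redirect", "https://app.example.test/go", "web", "High", False),
]
ISSUES = {2: {"priority": "Low", "closed": False},
          3: {"priority": "High", "closed": False},
          4: {"priority": "High", "closed": False}}
RISK_MAP = {"High": "Highest", "Low": IGNORE}  # Low was just changed to Ignore
PLAN = plan_sync(VULNS, ISSUES, {"web"}, RISK_MAP, "Done")
print(*PLAN, sep="\n")
```

Running a plan like this against the intended configuration before saving it shows which existing issues, along with their comments and history, would be removed by the next sync.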

Frequently Asked Questions

Which user will create the Jira tickets?

A user called edgescan JIRA plugin will create the tickets.

Why am I getting a ‘Your plugin session has expired’ message?

For security, the plugin's configuration pages use their own session management, separate from Jira's. These sessions time out after 15 minutes, so this can happen whenever you leave a configuration page open for longer than that. Refreshing the page will create a new session and allow you to continue your work.

What happens if I delete an issue created by the plugin?

If you delete an issue that’s linked to an open vulnerability, the issue will be recreated on the next sync. If the deleted issue is linked to a closed vulnerability, nothing will happen.

I navigated to and just got a blank page. Why?

This URL points to a file that describes the plugin in a format Jira will understand and as such is intended to be used only by Jira to install the plugin. Try following the installation instructions in this document.