Using the Veracode Integration for Jira

Ticketing Systems

Veracode offers a security finding import integration that enables you to import into Jira all the findings Veracode discovers while scanning your applications.

Veracode Integration for Jira and Jira Data Center manages the import of application security findings that Veracode identifies, and creates Jira issues. The Jira integration assigns each unique application finding to a unique Jira issue, created in the designated Jira project. Import criteria can include all open findings from all scans, all findings that affect policy, all unmitigated findings from the most recent scan, or other criteria.

You can import findings once, on demand, or select individual findings to import. You can also schedule imports to run hourly, daily, or weekly. Imports can cover a specific application scan or all of your application scans. The Veracode Integration for Jira can also push comments on findings back to the Veracode Platform, but it cannot mitigate findings from within Jira.

Veracode Link Custom Field

Installing the Jira integration also installs and configures the Veracode Link custom field. This custom field manages the association of the Jira issue with the application findings in the scan results on the Veracode Platform. If you configure the Veracode Link field to display on your Jira issues, it provides links back to the specific application, policy, and findings on the Veracode Platform.

Prerequisites

For the Veracode Integration for Jira to work in your environment, you must meet the following prerequisites:
  • Use Jira 6.x or 7.x on a standalone instance or Jira Data Center (available with Jira 7.0 and later). If you are using a later version of Jira, please check with Veracode Support for compatibility.
  • Your Jira instance must use the state names and transition names listed in this document for the integration to be able to appropriately assign the correct state and automatically make the correct transitions.
  • If you are using Jira Data Center, in the cluster.properties file, you must set the jira.shared.home property to the common file location used for processing findings import data. The property can point to a local directory or a network file system (NFS) directory that every Jira node can access. If you use an NFS location, you must map the drive on each Jira node.
  • If you are using Jira Data Center, you must have already moved the data, plugins, logos, import, and export folders from the local home to the shared home.
  • Have a Veracode Platform non-human user account that has the Results API and Mitigation API roles.
  • Use a Jira user account that has the permissions to create and modify all Jira issues in every project that you import findings data into.
  • The system running the Jira server must have outbound network connectivity to the Veracode Platform (analysiscenter.veracode.com).
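The two Jira Data Center items above are easy to get right on one node and wrong on another. The following script is an added example, not part of the Veracode or Atlassian documentation: it reads jira.shared.home from cluster.properties, confirms the path is a directory on this node, and checks that the five folders named in the prerequisites exist there and are writable by the account running the check. It assumes the standard key=value format of cluster.properties; the demo() function builds a throwaway shared home under a temp directory (a constructed input, not a real installation) so the check can be exercised offline.

```python
"""Per-node readiness check for the Jira Data Center shared-home prerequisite.

Added example, not part of the Veracode or Atlassian documentation. It assumes
the standard cluster.properties format (jira.shared.home=<path>) and the folder
names given in the prerequisites. Run it on every node, as the Jira system user:
an NFS location that is mapped on one node can be missing or read-only on another.
"""
import getpass
import os
import tempfile

# Folders that must already live under the shared home (from the prerequisites).
REQUIRED_FOLDERS = ("data", "plugins", "logos", "import", "export")


def parse_properties(text):
    """Minimal reader for Java .properties files: key=value or key:value,
    '#' / '!' comment lines, no line continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of '=' or ':' appears first in the line.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut < 0:
            continue
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def check_shared_home(props):
    """Return a list of problems for this node; an empty list means ready."""
    shared = props.get("jira.shared.home")
    if not shared:
        return ["jira.shared.home is not set in cluster.properties"]
    if not os.path.isdir(shared):
        return [f"jira.shared.home {shared!r} is not a directory on this node (NFS not mapped?)"]
    problems = []
    user = getpass.getuser()
    for name in REQUIRED_FOLDERS:
        path = os.path.join(shared, name)
        if not os.path.isdir(path):
            problems.append(f"missing folder {path} (not yet moved from the local home?)")
        elif not os.access(path, os.W_OK):
            problems.append(f"folder {path} is not writable by {user}")
    return problems


def demo(missing=("export",)):
    """Build a constructed shared home in a temp dir, leaving out the folders in
    `missing`, and return the problems the check reports for it."""
    with tempfile.TemporaryDirectory() as root:
        for name in REQUIRED_FOLDERS:
            if name not in missing:
                os.mkdir(os.path.join(root, name))
        props = parse_properties(
            "# constructed cluster.properties for the demo\n"
            "jira.node.id = node1\n"
            f"jira.shared.home = {root}\n"
        )
        return check_shared_home(props)


if __name__ == "__main__":
    for line in demo() or ["shared home ready"]:
        print(line)
```

Run it as the same system user that owns the Jira server process, since that is the account whose write access matters; a check run as root will pass on a directory the Jira user cannot write to.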

Veracode recommends that you use a unique Jira user account for the findings import process to be able to identify and track actions taken by the integration. You can create an API user on the Veracode Platform at https://analysiscenter.veracode.com.
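Before scheduling imports, it is worth confirming that the dedicated Jira account really has the create, edit, transition, and comment rights it needs in every target project, rather than discovering a gap when the first scheduled run fails. The script below is an added example and not code from the Veracode Integration for Jira. It assumes Jira Server/Data Center's mypermissions REST resource (GET /rest/api/2/mypermissions?projectKey=KEY), which returns a "permissions" object keyed by permission name, each with a "havePermission" boolean. The permission key names changed across Jira versions (for example CREATE_ISSUE versus CREATE_ISSUES), so each capability lists the aliases to accept; adjust REQUIRED for your version. The sample responses and the project keys SEC and APP are constructed for the demo.

```python
"""Preflight audit of the dedicated Jira account before scheduling findings imports.

Added example; not code from the Veracode Integration for Jira. Assumes Jira
Server/Data Center's GET /rest/api/2/mypermissions?projectKey=KEY resource, whose
"permissions" object maps permission keys to {"havePermission": bool}. Permission
key names vary by Jira version, so each capability lists the aliases to accept.
"""
import base64
import json
import urllib.parse
import urllib.request

# Capability the integration needs -> Jira permission keys that grant it (assumed names).
REQUIRED = {
    "create issues": ("CREATE_ISSUES", "CREATE_ISSUE"),
    "edit issues": ("EDIT_ISSUES", "EDIT_ISSUE"),
    "transition issues": ("TRANSITION_ISSUES", "TRANSITION_ISSUE"),
    "add comments": ("ADD_COMMENTS", "COMMENT_ISSUE"),
}


def missing_capabilities(mypermissions):
    """Given a decoded mypermissions response, return the capabilities not granted."""
    granted = mypermissions.get("permissions", {})
    return [
        capability
        for capability, keys in REQUIRED.items()
        if not any(granted.get(key, {}).get("havePermission") for key in keys)
    ]


def fetch_mypermissions(base_url, project_key, user, password):
    """Call Jira with HTTP basic auth and return the decoded JSON (needs network)."""
    url = (f"{base_url.rstrip('/')}/rest/api/2/mypermissions"
           f"?projectKey={urllib.parse.quote(project_key)}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit(base_url, project_keys, user, password, fetch=fetch_mypermissions):
    """Map each target project to the capabilities the account is missing there.
    `fetch` is injectable so the audit can run against canned responses offline."""
    return {key: missing_capabilities(fetch(base_url, key, user, password))
            for key in project_keys}


# Constructed sample responses (not captured from a real Jira). In project SEC the
# account can create, edit and comment, but was never granted the transition permission.
SAMPLE = {
    "SEC": {"permissions": {
        "CREATE_ISSUES": {"key": "CREATE_ISSUES", "havePermission": True},
        "EDIT_ISSUES": {"key": "EDIT_ISSUES", "havePermission": True},
        "TRANSITION_ISSUES": {"key": "TRANSITION_ISSUES", "havePermission": False},
        "ADD_COMMENTS": {"key": "ADD_COMMENTS", "havePermission": True},
    }},
    "APP": {"permissions": {k: {"key": k, "havePermission": True}
                            for k in ("CREATE_ISSUES", "EDIT_ISSUES",
                                      "TRANSITION_ISSUES", "ADD_COMMENTS")}},
}


def demo():
    """Run the audit against the canned responses; returns {"SEC": [...], "APP": []}."""
    return audit("https://jira.example.com", ["SEC", "APP"], "veracode-import", "x",
                 fetch=lambda _base, key, _user, _password: SAMPLE[key])


if __name__ == "__main__":
    for project, gaps in demo().items():
        print(project, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Authenticate as the dedicated integration account, not as an administrator, so the answer reflects what the import process will actually be allowed to do. A granted project permission does not guarantee that a workflow transition will succeed, because workflow conditions can still block it; that is why the state and transition names must also match the ones the integration expects.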

Getting Started

You can verify that the Veracode Integration for Jira is correctly installed by going to Administration > Add-ons and clicking Manage add-ons in the left pane.

Some debugging information is available on that page. Veracode recommends that you do not make the Mitigations field read-only for the Jira users described in this procedure.

Jira Users

Three types of users interact with the Veracode Integration for Jira. The following overview explains which user does what.
System User
This is the operating-system account on the machine where Jira is installed. The Jira server process runs as this user, so it is the owner of Jira's files; you need to know which account this is when installing the Veracode Integration for Jira so that you can configure file permissions correctly.
Jira User
This user is an account inside Jira, specified on the Jira configuration page. It is recorded as the author of issues that the integration creates and as the actor for changes the integration makes to issues. Veracode strongly recommends that you create a separate Jira user for the Veracode Integration for Jira, for the following reasons:
  • To clearly indicate that issues were created automatically and that changes were part of the automatic process and not the actions of a human user.
  • To avoid the human user receiving all the automated notifications that Jira sends out every time an issue is created or updated.
Veracode User
This is the account created on the Veracode Platform (analysiscenter.veracode.com) for access to scan results. The Jira import process can only import findings for the applications this user can access. Veracode strongly recommends that this user be a non-human account.