Using the Veracode Integration for Jira Cloud


Veracode offers a flaw import integration that enables you to import into Jira all the flaws Veracode discovers while scanning your applications.

The Veracode Integration for Jira Cloud manages the import of application flaws that Veracode identifies, and creates Jira issues. The Jira Cloud integration assigns each unique application flaw to a unique Jira issue, created in the designated Jira project. Import criteria can include all open flaws from all scans, all flaws that affect policy, all unmitigated flaws from the most recent scan, or other criteria.

You can choose to import flaws on a one-time basis or selectively choose which flaws to import. You can also schedule flaw imports on an hourly, weekly, or daily basis. You can import flaws from a specific application scan or from all your application scans. The Veracode Integration for Jira Cloud can also update flaw comments on the Veracode Platform, but cannot mitigate flaws from within the Jira integration.

If your organization whitelists internet domains, you must add an entry for the Jira Cloud service before you can use this integration. See Veracode IP Address Ranges for more information.

Veracode Link Custom Field

Installing the Veracode Integration for Jira Cloud also installs and configures the Veracode Link custom field. This custom field manages the association of the Jira issue with the application flaw in the scan results on the Veracode Platform. The Jira issue contains the Veracode Link field that provides links back to the specific application, policy, and flaw on the Veracode Platform.

Note: When using the Veracode Integration for Jira Cloud, the Veracode Link custom fields do not appear as their own individual fields in Jira tickets but are listed in the Issue Description field.

Prerequisites

For the Veracode Integration for Jira Cloud to work in your cloud environment, you must meet the following prerequisites:
  • You must have the required permissions to install the Veracode Integration for Jira Cloud in your Jira Cloud environment.
  • Your Jira Cloud instance must use the state names and transition names listed in this document so that the integration can assign the correct state and automatically make the correct transitions.
  • You must have a Veracode Platform non-human account that has the Results API and Mitigation API roles.
  • You must use a Jira user account that has the permissions for creating and modifying all Jira issues for all the projects that you are importing flaw data into.

Veracode recommends that you use a unique Jira user account for the flaw import process so that you can identify and track actions taken by the integration. You can create an API user on the Veracode Platform at https://analysiscenter.veracode.com.

Getting Started

Using the Veracode Integration for Jira Cloud involves the following steps:
  1. Install the Veracode Integration for Jira Cloud.
  2. Configure the Veracode Integration for Jira Cloud.
  3. Import flaws.

Jira Users

Two types of users can interact with the Veracode Integration for Jira Cloud:
Jira User
This user is an account inside Jira, which is specified on the Jira configuration page. The Jira user is the author and modifier of the issues the integration creates. Veracode strongly recommends that you create a separate Jira user for using the Veracode Integration for Jira Cloud for the following reasons:
  • To clearly indicate that issues were created automatically and that changes were part of the automatic process and not the actions of a human user.
  • To avoid the human user receiving all the automated notifications that Jira sends out every time an issue is created or updated.
Veracode User
This account provides access to the Veracode Platform. The Jira import process is limited to the applications this user can access. Veracode strongly recommends that this user be a non-human user account.