How do I set up a Jira bi-directional integration?
What is Jira Cloud integration?
In a DevOps environment, where agile teams do multiple code releases and hundreds of builds a day, communication, transparency, and collaboration are key. With Jira Cloud integration, we deliver all of these by letting security and development teams communicate back and forth, online and in-platform, through Jira.
Why is it important for agile teams?
This two-way, streamlined communication between security and development teams eliminates the manual workload to track and manage the progress of findings, leading to significant resource savings and effective remediation of critical vulnerabilities.
If you are using the Cloud version of Jira, we can push the details of each finding to your issue tracking system and receive updates back to Cobalt once you and your team are done remediating the issues in Jira.
Our secure integration via our plug-in, available on the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1222623/cobalt-for-jira-cloud), will allow you to:
Push findings reported in the Cobalt platform as tickets in your configured project in Jira.
Sync back ticket status in Jira to the finding in the Cobalt platform.
Enable auto-sync which will auto-push findings.
Steps to install, configure, and run Cobalt Jira plugin for Jira Cloud
Permissions needed to install Cobalt Jira plugin:
Admin in Jira
Org Owner/Org Member on Cobalt Platform
Permissions needed to configure Jira for pentest(s):
Org Owner/Org Member on Cobalt Platform
1) Cobalt platform: Login with provided credentials at https://app.cobalt.io
2) Cobalt Platform: Go to the organization level. Then under Integrations → Jira → Installation, find instructions to install the Jira plugin.
3) Jira: Search for the Cobalt plugin in the Atlassian Marketplace (Jira Admin)
4) Jira: Download the app from the marketplace (Jira Admin)
5) Jira: After the plugin application is installed, click ‘Get Started’ (Jira Admin)
6) Cobalt Platform: Clicking on ‘Get Started’ will open up a new tab with the Cobalt login screen, where a Cobalt Org Owner should login. Upon successful authentication, if there are multiple orgs for your organization in the Cobalt platform, you will need to select an organization to connect to. If you have only one org in the Cobalt platform, the two platforms will be connected upon login.
7) Cobalt Platform: View from Integrations → Jira → Configuration
View the status of Jira instance connection and view the available list of pentests to configure for sync with Jira.
8) Cobalt platform: From Integrations → Jira → Configuration
Configure and map a pentest to a Jira project, and Jira ticket state to finding state. Additionally, define the Jira issue type to be created and label(s) to be added to the Jira ticket when a finding is created in the Cobalt platform.
Note: Pentests in the ‘New/Draft’ state do not show up in the pentest list on the ‘Integrations → Jira → Configuration’ page.
9) Cobalt Platform: ‘Auto-push’ controls the pushing of findings from Cobalt to Jira for each pentest once the plugin is connected to the Cobalt platform and the Jira configuration is saved according to the previous step. By default, auto-push is enabled when the configuration is saved, but it can be disabled. Disabling it stops the automatic push of findings from Cobalt to Jira; however, findings can still be pushed individually from the finding level, and a change in Jira ticket status will still update the finding status according to the configured mapping.
Note: Project, Issue type, and state mapping are mandatory for auto-sync. For manual push, only project key and issue type are required.
10) Cobalt Platform: Last sync time between Cobalt and Jira
11) Cobalt Platform: Pentest Team Members are able to push findings to Jira on a per-finding level if not already synced to Jira.
12) Cobalt Platform: ‘Disconnect’ removes the connection between Cobalt and Jira, and any data sync between the two platforms will stop. This also deletes all pentest-level Jira configuration, which will need to be reconfigured once the connection is established again.
If you are using Cobalt’s existing Jira 1-Way connection with pentests (PT), these pentests will not appear in the PT configuration of the new Jira Bi-Directional plugin application. Do not disconnect your Jira 1-Way pentests and do not try to connect them using the new Jira Bi-Directional plugin application.
If you have pentests that were connected using Jira 1-Way in the past and have since been disconnected, do not connect those pentests using the Jira Bi-Directional plugin application.
Is the Jira plugin for Jira Server, Jira Data Center or Jira Cloud?
We support Jira Cloud, Jira Server, and Jira Data Center.
Where do I download the Jira plugin from?
Jira Cloud: https://marketplace.atlassian.com/apps/1222623/cobalt-for-jira-cloud
Jira Server: https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server
Jira Data Center: https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server
Which Jira project types are supported?
We support software development Jira projects such as Kanban, Scrum and Bug Tracking.
Which required fields are supported to create Jira tickets?
Summary, issue type, and reporter are the only required fields supported at this time for Jira ticket creation.
Is the component field supported?
If component is a required field, that is not supported at this time.
Are custom required fields supported?
No, we do not support custom required fields at this time.
How to add Cobalt Severity Label into your Jira Issue Type view.
Note that Cobalt Severity is a label built by Cobalt. Avoid using custom labels like “Severity” and instead add the Cobalt Severity label into your Jira tickets. The instructions below show how to do that:
- In the Jira software project, Click on Gear Icon on the upper right side → Projects
- Click the ellipses near the project you want to edit and click Project Settings
- On the left side menu, click Issue Types
- For the issue type you are interested in (Bug, Story, etc.), drag the Cobalt Severity field from the right side into the context fields section.
- Click Save Changes.
Now, when Cobalt pushes findings to Jira, you should see the Cobalt Severity Score mapped to the Cobalt Severity Field in your Jira ticket.
Where are the Jira integration settings on Cobalt platform?
Org Level: Integrations → Jira → Installation/Configuration
Pentest Level: Pentest → Settings → Integrations
Findings Level: Pentest → Findings → Select a Finding → External Issue Tracking
How does auto-push work?
For auto-push to work, the project, issue type, and state mapping must be complete. After the pentest-level Jira configuration is completed and auto-push is enabled, existing findings in the ‘Pending Fix’ state will be pushed to Jira; findings in any other state will not be automatically pushed. If a finding later changes from any other state to ‘Pending Fix’, it will be auto-pushed to Jira at that point.
More information about the findings states: What does each state of the finding mean?
What is a manual push of findings?
A manual push pertains to manually initiating Jira ticket creation corresponding to a finding either because auto-push is disabled or because state mapping does not apply.
How does manual push of findings work?
When auto-push is disabled or Cobalt to Jira state mapping does not apply even though auto-push is Enabled, then you can push a finding manually from Pentest → Findings → Select a Finding → External Issue Tracking.
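To make the push and sync rules above concrete (the note under step 9, the auto-push answer, and the manual-push answer), here is an added Python model of the decision logic; it is not Cobalt's code, and the finding states other than 'Pending Fix' and the Jira statuses in the sample mapping are constructed placeholders.

```python
"""Model of the Cobalt->Jira auto-push, manual-push and status-sync rules.

Constructed example, not Cobalt's implementation. Only 'Pending Fix' is a
state taken from the documentation; the other state names are placeholders.
"""
from dataclasses import dataclass, field

AUTO_PUSH_STATE = "Pending Fix"  # only findings in this state are auto-pushed


@dataclass
class JiraConfig:
    project_key: str = ""
    issue_type: str = ""
    # Cobalt finding state -> Jira ticket status (per-pentest mapping)
    state_mapping: dict = field(default_factory=dict)
    auto_push: bool = True  # enabled by default when the config is saved


def can_push_manually(cfg: JiraConfig) -> bool:
    """Manual push needs only the project key and the issue type."""
    return bool(cfg.project_key and cfg.issue_type)


def auto_sync_ready(cfg: JiraConfig) -> bool:
    """Auto-sync additionally requires a non-empty state mapping."""
    return can_push_manually(cfg) and bool(cfg.state_mapping)


def should_auto_push(cfg: JiraConfig, finding_state: str, already_synced: bool) -> bool:
    """True when a finding would be pushed to Jira without user action."""
    if already_synced or not cfg.auto_push or not auto_sync_ready(cfg):
        return False
    return finding_state == AUTO_PUSH_STATE


def finding_state_from_jira(cfg: JiraConfig, jira_status: str):
    """Reverse lookup used on the way back: Jira status -> Cobalt finding state.

    Returns None when the Jira status is not part of the configured mapping,
    in which case the finding state is left untouched.
    """
    reverse = {jira: cobalt for cobalt, jira in cfg.state_mapping.items()}
    return reverse.get(jira_status)


if __name__ == "__main__":
    # Constructed mapping: 'Fixed' and 'Done' are placeholder names.
    cfg = JiraConfig("SEC", "Bug", {"Pending Fix": "To Do", "Fixed": "Done"})
    print(should_auto_push(cfg, "Pending Fix", already_synced=False))  # True
    print(finding_state_from_jira(cfg, "Done"))  # Fixed
```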
How often are findings synced between the Cobalt platform and Jira?
Findings are synced frequently between the Cobalt platform and Jira, usually every minute.
Which elements from the findings are sent to Jira?
Title, Description, POC, Suggested Fix, and link to Cobalt finding are pushed to the Jira ticket.
However, attachments and comments are not exported.
The following are the mappings from finding fields to Jira ticket fields:
- Finding Title → Jira ticket title
- PT ID → Description - Cobalt URL
- Vulnerability Type → Not carried
- Description → Description - Overview
- Affected URL(s) → Description - Browser URL
- Proof of Concept → Description - Steps to Reproduce
- Criticality → Not carried
- Suggested Fix → Description - Suggested Fix
- Prerequisites → Not carried
- HTTP Request → Not carried
- Attachments → Not carried
- Comments → Not carried
Will historical findings be synced to Jira when the pentest is configured for Jira?
Yes, only if the findings are in the ‘Pending Fix’ state.
Why are my old pentest findings not getting synced to Jira?
Make sure the connection between Cobalt and Jira is established.
Make sure the pentest in question has Jira configured.
Make sure auto-push is enabled for the specific pentest.
What if I use Google SSO to log in to Cobalt, can I establish a connection between Cobalt and Jira?
What if I have 2FA enabled to log in to Cobalt, can I establish a connection between Cobalt and Jira?
What if I don’t use Google SSO to log in to Cobalt, can I establish a connection between Cobalt and Jira?