Steps to install, configure and run Cobalt Jira DC/Server plugin
Cobalt for Jira DC/Server plug-in supports both Jira Data Center and Jira Server installations. Follow the steps below to enable the Cobalt integration with your Jira Data Center or Server projects. If your organization uses Jira Cloud, see the Jira Cloud setup guide.
1) Cobalt platform: Login with provided credentials at https://app.cobalt.io
2) Cobalt platform: Customers who belong to a single organization will have their organization selected by default in the top left corner. Customers who belong to multiple organizations may select the organization they wish to configure in the top left dropdown box. Navigate to Integrations → Jira → Installation to find installation instructions for the Jira DC/Server integration.
3) Jira DC/Server: Search for the Cobalt plugin in the Atlassian Marketplace (as a Jira admin user)
4) Jira DC/Server: Install and Configure Cobalt plugin (as a Jira admin user)
5) Jira DC/Server: Click ‘Edit Configuration’ on the above screen. Leave the Cobalt service URL as the default value. Enter the token generated from the Cobalt platform in Input #5 and select a user with ticket creation privileges from the list of Jira users in Input #6. Test the connection using the provided button and save the configuration if the test was successful.
6) Cobalt Platform: Navigate to Integrations → Jira → Configuration. You can view the status of the Jira DC/Server connection and see the available list of pentests that may be configured for synchronization with the Jira DC/Server.
7) Cobalt platform: Navigate to Integrations → Jira → Configuration and select a pentest to configure. In the configuration form, you may configure the following options:
The Jira project to synchronize findings to
The type to use when creating Jira issues
The labels to apply to created Jira issues
The Finding State to Issue Status mappings
Note: Pentests in the ‘New/Draft’ state do not show up in the pentest list on the ‘Settings → Jira → Configuration’ page.
8) Cobalt Platform: Auto-sync controls the synchronization of findings between Cobalt and Jira for each pentest. By default, it is enabled, but it can be disabled. Disabling it stops synchronization of findings between Cobalt and Jira.
9) Cobalt Platform: For each pentest, you may see the last time a finding was synchronized to Jira.
10) Users are able to push findings to Jira on a per-finding basis if an issue has not already been created for them in Jira.
11) Cobalt Platform: Disable Jira plugin
Steps to uninstall Jira DC/Server plugin
1) Cobalt Platform: After selecting an organization, navigate to Integrations → Jira and click the disconnect button.
2) Jira DC/Server: Go to Add-ons → Manage Apps → Cobalt for Jira → Uninstall
Jira Plug-In SLA
Cobalt provides the Jira plugin to its customers to facilitate delivery of its services. Cobalt provides this integration on an 'as-is' basis, and makes no guarantees on its functionality or interoperability with customers' systems.
Customers requiring support for the plug-in should contact their Customer Success Manager. All requests will be addressed within three (3) business days.
A Cobalt finding can have attachments. To ensure those attachments are created properly on the Jira Server, please verify the following:
On the machine where Jira Server is installed, locate your $JIRA_HOME directory. Follow the official Atlassian documentation on how to locate the Jira application home directory.
Verify the following permissions:
The OS user must have permissions to create the directory
The OS user must have permissions to read and write files within
What is a finding?
A finding is a vulnerability reported on a Cobalt pentest on the Cobalt platform.
What is a ticket?
A ticket is a Jira ticket. In regard to the Jira integration, a ticket is a finding that has synced to Jira.
Is the Jira plugin for Jira Server, Jira Data Center or Jira Cloud?
We support Jira Cloud, Jira Server, and Jira Data Center.
Where do I download the Jira plugin from?
Jira Cloud: https://marketplace.atlassian.com/apps/1222623/cobalt-for-jira-cloud
Jira Server: https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server
Jira Data Center: https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server
Which Jira project types are supported?
We support software development Jira projects such as Kanban, Scrum and Bug Tracking.
Which required fields are supported to create Jira tickets?
Summary, issue type, and reporter are the only required fields supported at this time for Jira ticket creation.
Is the component field supported?
If component is a required field, then it is not supported at this time.
Are custom required fields supported?
No, we do not support custom required fields at this time.
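A pre-flight check for the required-field limits described above, as an added example that is not part of the Cobalt plugin or its documentation. It walks data shaped like the response of Jira's issue createmeta REST resource and reports which issue types have required fields beyond the supported set; the project key SEC, the custom field ID and the sample data are constructed, and treating "project" as supplied by the pentest configuration is an assumption.

```python
# Required fields the page lists as supported. "project" is an assumption:
# it is selected in the pentest's Jira configuration rather than typed in.
SUPPORTED_REQUIRED = {"summary", "issuetype", "reporter", "project"}


def _fields(required, optional=()):
    """Build a constructed createmeta-style 'fields' map for the sample."""
    out = {f: {"name": f, "required": True} for f in required}
    out.update({f: {"name": f, "required": False} for f in optional})
    return out


BASE = ["summary", "issuetype", "reporter", "project"]

# Constructed sample (not from a real instance): one project, three issue types.
SAMPLE_CREATEMETA = {"projects": [{"key": "SEC", "issuetypes": [
    {"name": "Bug", "fields": _fields(BASE, ["components", "labels"])},
    {"name": "Task", "fields": _fields(BASE + ["components"])},
    {"name": "Story", "fields": _fields(BASE + ["customfield_10042"], ["labels"])},
]}]}


def unsupported_required_fields(createmeta):
    """Map (project key, issue type) -> sorted [(field id, name, is_custom)]
    for every required field the integration is not documented to fill."""
    report = {}
    for project in createmeta.get("projects", []):
        for itype in project.get("issuetypes", []):
            blockers = []
            for field_id, meta in itype.get("fields", {}).items():
                if meta.get("required") and field_id not in SUPPORTED_REQUIRED:
                    is_custom = field_id.startswith("customfield_")
                    blockers.append((field_id, meta.get("name", field_id), is_custom))
            report[(project["key"], itype["name"])] = sorted(blockers)
    return report


def usable_issue_types(createmeta):
    """Issue types whose required fields are all within the supported set."""
    report = unsupported_required_fields(createmeta)
    return sorted(key for key, blockers in report.items() if not blockers)


if __name__ == "__main__":
    for key, blockers in unsupported_required_fields(SAMPLE_CREATEMETA).items():
        print(key, "OK" if not blockers else f"blocked by {blockers}")
```

An issue type reported as blocked needs the extra field made optional in its field configuration, or a different issue type chosen in the pentest's Jira configuration, before findings can be pushed to it.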
Where are the Jira integration settings on Cobalt platform?
Org Level: Integrations → Jira → Installation/Configuration
Pentest Level: Pentest → Settings → Integrations
Findings Level: Pentest → Findings → Select a Finding → External Issue Tracking
How does auto-push work?
For auto-push to work, project and issue type state mapping should be complete. After pentest level Jira configuration is completed and auto-push is enabled, existing findings with the ‘Pending Fix’ state will be pushed to Jira. All other state findings will not be automatically pushed to Jira. If findings change from any other state to ‘Pending Fix’, then those will be auto-pushed to Jira.
More information about the findings states: https://cobaltio.zendesk.com/hc/en-us/articles/360058824711-What-does-each-state-of-the-finding-mean-
What is a manual push of findings?
A manual push pertains to manually initiating Jira ticket creation corresponding to a finding either because auto-push is disabled or because state mapping does not apply.
How does manual pushing findings work?
When auto-push is disabled, or when Cobalt to Jira state mapping does not apply even though auto-push is enabled, users can push a finding manually from Pentest → Findings → Select a Finding → External Issue Tracking.
How often are findings synched between the Cobalt platform and Jira?
Findings are synched frequently between the Cobalt platform and Jira, usually every minute.
Which elements from the findings are sent to Jira?
Title, Description, POC, Suggested Fix, and link to Cobalt finding are pushed to the Jira ticket.
However, comments are not exported.
The following are the finding field to Jira ticket field mappings:
- Finding Title → Jira ticket title
- PT ID → Description - Cobalt URL
- Vulnerability Type → Not carried
- Description → Description - Overview
- Affected URL(S) → Description - Browser url
- Proof of Concept → Description - Steps to Reproduce
- Criticality → Not carried
- Suggested Fix → Description - Suggested Fix
- Prerequisites → Not carried
- HTTP Request → Not carried
- Attachments → Attachments
- Comments → Not carried
Will the historical findings be synched to Jira when the pentest is configured with Jira config?
Yes, only if the findings are in the ‘Pending Fix’ state.
My old pentest findings are not getting synched to Jira, why?
Make sure the connection between Cobalt and Jira is established.
Make sure the pentest under question has Jira configured.
Make sure auto-push is enabled for the specific pentest.
What if I use Google SSO to login to Cobalt, can I establish a connection between Cobalt and Jira?
What if I use 2FA enabled to login to Cobalt, can I establish a connection between Cobalt and Jira?
What if I don’t use Google SSO to login to Cobalt, can I establish a connection between Cobalt and Jira?