Jira Bi-directional Integration Setup Guide (Server & Data Center)

 

Steps to install, configure and run Cobalt Jira DC/Server plugin

Cobalt for Jira DC/Server plug-in supports both Jira Data Center and Jira Server installations. Follow the steps below to enable the Cobalt integration with your Jira Data Center or Server projects.  If your organization uses Jira Cloud, see the Jira Cloud setup guide.

 

1) Cobalt platform: Login with provided credentials at https://app.cobalt.io

 

2) Cobalt platform: Customers who belong to a single organization will have their organization selected by default in the top left corner. Customers who belong to multiple organizations may select the organization they wish to configure in the top left dropdown box. Navigate to Integrations → Jira → Installation to find installation instructions for the Jira DC/Server integration.

3) Jira DC/Server: Search for Cobalt plugin in the Atlasssian marketplace (as a Jira admin user)

 

4) Jira DC/Server: Install and Configure Cobalt plugin (as a Jira admin user)

 

 

5) Jira DC/Server: Click ‘Edit Configuration’ on the above screen. Leave the Cobalt service URL as the default value. Enter the token generated from the Cobalt platform in Input #5 and select a user with ticket creation privileges from the list of Jira users in Input #6. Test the connection using the provided button and save the configuration if the test was successful.

 

6) Cobalt Platform: Navigate to Integrations → Jira → Configuration. You can view the status of the Jira DC/Server connection and see the available list of pentests that may be configured for synchronization with the Jira DC/Server.

7) Cobalt platform: Navigate to Integrations → Jira → Configuration and select a pentest to configure. In the configuration form, you may configure the following options:

• The Jira project to synchronize findings to

• The type to use when creating Jira issues

• The labels to apply to created Jira issues

• The Finding State to Issue Status mappings

Note: Pentests in ‘New/Draft' state do not show up in the pentest list on ‘Settings → Jira → Configuration’ page

8) Cobalt Platform: Auto-sync controls the synchronization of findings between Cobalt and Jira for each pentest. By default, it is enabled but can disabled. This will disable synchronization of findings between Cobalt and Jira.

9) Cobalt Platform: For each pentest, you may see the last time a finding was synchronized to Jira.

10) Users are able to push findings to Jira on a per-finding basis if an issue has not already been created for them in Jira.

11) Cobalt Platform: Disable Jira plugin

 

Steps to uninstall Jira DC/Server plugin

1) Cobalt Platform: After selecting an organization, navigate to Integrations → Jira and click the disconnect button.

2) Jira DC/Server: Go to Add-ons → Manage Apps → Cobalt for Jira → Uninstall

 

Jira Plug-In SLA

Cobalt provides the Jira plugin to its customers to facilitate delivery of its services. Cobalt provides this integration on an 'as-is' basis, and makes no guarantees on it's functionality or interoperability with customers' systems.

Customers requiring support for the plug-in should contact their Customer Success Manager. All requests we be addressed within three (3) business days.

 

Attachments Support

A Cobalt finding can have attachments. To ensure those attachments are created properly on the on the Jira Server, please verify the following:

• On the machine where Jira Server is installed, locate your $JIRA_HOME directory. Follow the official Atlassian documentation on how to locate the Jira application home directory.

• Verify the following permissions:

  • The OS user must have permissions to create the directory $JIRA_HOME/import/cobalt

  • The OS user must have permissions read and write files within $JIRA_HOME/import/cobalt

FAQ

What is a finding?

A finding is a vulnerability reported on a Cobalt pentest on the Cobalt platform.

 

What is a ticket?

A ticket is a Jira ticket. In regard to the Jira integration, a ticket is a finding that has synced to Jira.

 

Is the Jira plugin for Jira Server, Jira Data Center or Jira Cloud?

We support Jira Cloud, Jira Server, and Jira Data Center. 

 

Where do I download the Jira plugin from?

Jira Cloud: https://marketplace.atlassian.com/apps/1222623/cobalt-for-jira-cloud 

Jira Server: https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server 

Jira Data Center:  https://marketplace.atlassian.com/apps/1224424/cobalt-for-jira-dc-server 

 

Which Jira project types are supported?

We support software development Jira projects such as Kanban, Scrum and Bug Tracking.

 

Which required fields are supported to create Jira tickets?

Summary, issue type, and reporter are the only required fields supported at this time for Jira ticket creation.

 

Is the component field supported?

If component is a required field, then it is not supported at this time.

 

Are custom required fields supported?

No, we do not support custom required fields at this time.

 

Where are the Jira integration settings on Cobalt platform?

Org Level: Integrations → Jira → Installation/Configuration

Pentest Level: Pentest → Settings → Integrations

Findings Level: Pentest → Findings → Select a Finding → External Issue Tracking

 

How does auto-push work?

For auto-push to work, project and issue type state mapping should be complete. After pentest level Jira configuration is completed and auto-push is Enabled, existing findings with the ‘Pending Fix’ state will be pushed to Jira. All other state findings will not be automatically pushed to Jira. If findings change from any other state to 'Pending Fix,' then those will be auto-pushed to Jira.

More information about the findings states: https://cobaltio.zendesk.com/hc/en-us/articles/360058824711-What-does-each-state-of-the-finding-mean-

 

What is a manual push of findings?

A manual push pertains to manually initiating Jira ticket creation corresponding to a finding either because auto-push is disabled or because state mapping does not apply.

 

How does manual pushing findings work?

When auto-push is disabled or Cobalt to Jira state mapping does not apply even though auto-push is Enabled then users can push a finding manually from Pentest → Findings → Select a Finding → External Issue Tracking

 

How often findings are synched between the Cobalt platform and Jira?

Findings are synched frequently between the Cobalt platform and Jira, usually every minute.

 

Which elements from the findings are sent to Jira?

Title, Description, POC, Suggested Fix, and link to Cobalt finding are pushed to the Jira ticket.

However, comments are not exported.

The following are finding fields to Jira ticket fields mappings

1. Finding Title → Jira ticket title
2. PT ID → Description - Cobalt URL
3. Vulnerability Type → Not carried
4. Description → Description - Overview
5. Affected URL(S) → Description - Browser url
6. Proof of Concept → Description - Steps to Reproduce
7. Criticality → Not carried
8. Suggested Fix → Description - Suggested Fix
9. Prerequisites → Not carried

10. HTTP Request → Not carried
11. Attachments → Attachments
12. Comments → Not carried

 

Will the historical findings be synched to Jira when the pentest is configured with Jira config?

Yes, only if the findings are in the ‘Pending Fix’ state.

 

My old pentest findings are not getting synched to Jira, why?

Make sure the connection between Cobalt and Jira is established.

Make sure the pentest under question has Jira configured.

Make sure auto-push is enabled for the specific pentest.

 

What if I use Google SSO to login to Cobalt, can I establish a connection between Cobalt and Jira?

Yes

 

What if I use 2FA enabled to login to Cobalt, can I establish a connection between Cobalt and Jira?

Yes

 

What if I don’t use Google SSO to login to Cobalt, can I establish a connection between Cobalt and Jira?

Yes