Jira Epic Mapping: Support for the removal of Epic Name custom fields #11690

Merged
merged 2 commits into from
Jan 31, 2025

Conversation

Maffooch
Contributor

When attempting to create an Epic in Jira, this error was raised:
"Field 'customfield_xyz' cannot be set. It is not on the appropriate screen, or unknown."

The Jira integration needs a custom_field value for 'Epic Name'. However, Jira Project settings might not actually use 'Epic Name' as a field when creating Epics. Atlassian made a change in August 2023 which combined the 'Epic Name' and 'Epic Summary' fields.

Newer Jira Projects might not use this field when creating Epics by default, which results in this error message. It looks like they've just changed the default metadata required for Epic creation. They've left things so that older Projects and API integrations will continue to work, but newer Projects have a different set of content required to create an issue by default.

In addition to this new change, Atlassian has also changed the way that "next-gen" issues can be added to epics, so we must support both. The error raised there is:

The request contains a next-gen issue. This operation can't add next-gen issues to epics.
To add a next-gen issue to an epic, use the Edit issue operation and set the parent property
(i.e., '"parent":{"key":"PROJ-123"}' where "PROJ-123" has an issue type at level one of the issue type hierarchy).
See developer.atlassian.com (https://developer.atlassian.com/cloud/jira/platform/rest/v2/) for more details.

[sc-10058]


dryrunsecurity bot commented Jan 29, 2025

DryRun Security Summary

The pull request focuses on updating and improving JIRA integration functionality in DefectDojo, including API test cases, handling of "next-gen" issues, and epic creation/update features, while also addressing security concerns related to cookie vulnerabilities and API endpoints.


Summary:

The code changes in this pull request primarily focus on updates and improvements to the JIRA integration functionality within the DefectDojo application. The changes include updates to the JIRA API test cases, handling of "next-gen" JIRA issues, and enhancements to the JIRA epic creation and update functionality. From an application security perspective, the changes do not introduce any obvious security vulnerabilities, but there are a few areas that should be reviewed to ensure the continued security and reliability of the JIRA integration.

The changes also include the creation of two new JIRA issues related to the "Cookie Without Secure Flag" vulnerability, which is a security issue that should be addressed. The details provided in the JIRA issues are comprehensive and include the necessary context for the security team to properly triage and resolve the findings.

Files Changed:

  1. unittests/vcr/jira/JIRAImportAndPushTestApi.test_engagement_epic_creation.yaml:

    • The changes update the request and response data for the JIRA API endpoint that creates a new epic issue.
    • The changes do not introduce any obvious security concerns, but it's important to ensure that the test cases cover security-related aspects of the application.
  2. dojo/jira_link/helper.py:

    • The changes improve the JIRA integration functionality by handling the "next-gen" issue case and allowing the setting of epic priority when updating an existing epic.
    • The changes appear to be positive improvements that will enhance the user experience and reliability of the JIRA integration in Defect Dojo.
  3. unittests/vcr/jira/JIRAConfigEngagementEpicTest.test_add_engagement_with_jira_project_and_epic_mapping.yaml:

    • The changes involve creating a new engagement in the DefectDojo application and making requests to the Atlassian Jira API to create a new issue (Epic).
    • There are several security concerns that should be addressed, such as the hardcoded webhook endpoint URL, authentication mechanism, input validation, and the use of deprecated API endpoints.
  4. unittests/vcr/jira/JIRAImportAndPushTestApi.test_engagement_epic_mapping_enabled_create_epic_and_push_findings.yaml:

    • The changes involve the creation of two new JIRA issues related to the "Cookie Without Secure Flag" vulnerability.
    • The details provided in the JIRA issues are comprehensive and include the necessary context for the security team to properly triage and resolve the findings.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.



DryRun Security Summary

The code changes improve JIRA integration in Defect Dojo by enhancing exception handling for next-gen issues, updating epic functionality, and adding field validation checks to ensure more reliable and flexible JIRA issue management.


Summary:

The code changes in this pull request are focused on improving the handling of JIRA issues for Defect Dojo findings and finding groups. The key changes include:

  1. Introducing a new exception handling block to accommodate errors that can occur when trying to add a "next-gen" issue to a JIRA epic. In such cases, the code attempts to manually update the issue by setting the parent property instead of using the add_issues_to_epic function.

  2. Updating the update_epic function to use the epic_priority parameter, if provided, when updating the JIRA epic.

  3. Modifying the add_epic function to check if the "Epic name" field is present for the specified issue type before attempting to set it, to handle cases where the issue type may not have the "Epic name" field.

From an application security perspective, these changes appear to be focused on improving the reliability and robustness of the JIRA integration functionality within Defect Dojo. Handling exceptions and edge cases, as well as making the integration more flexible and configurable, helps to ensure that the integration can continue to function even when encountering unexpected situations.

Files Changed:

  • dojo/jira_link/helper.py: This file contains the changes related to the handling of JIRA issues for Defect Dojo findings and finding groups. The changes include the introduction of a new exception handling block, updates to the update_epic function to use the epic_priority parameter, and modifications to the add_epic function to check for the presence of the "Epic name" field before attempting to set it.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

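The two behaviours described in the PR description and in the bot summary above (only set 'Epic Name' when the Epic issue type's create screen actually carries it; fall back to editing the issue's `parent` when Jira rejects a next-gen issue) are shown below as an added example. This is illustration code, not DefectDojo's `dojo/jira_link/helper.py` and not the PR's diff. The create-metadata dicts, the field id `customfield_10011`, the `FakeJiraClient` stand-in (whose `add_issues_to_epic(epic_id, issue_keys)` mirrors the jira-python call name) and the `JiraError` class are all constructed for this example; against a real server you would use `jira.JIRA` and catch `jira.JIRAError` instead.

```python
from typing import Optional


# Substring of the Jira error quoted in the PR description; matched as a
# substring rather than the full text so minor wording changes don't break it.
NEXT_GEN_MARKER = "next-gen issue"

# Constructed create-metadata for the Epic issue type, shaped like the
# per-issuetype "fields" mapping Jira returns for create metadata.
# The field id is an assumption; real Jira instances assign their own.
CLASSIC_EPIC_META = {
    "summary": {"name": "Summary", "required": True},
    "customfield_10011": {"name": "Epic Name", "required": True},
    "priority": {"name": "Priority", "required": False},
}
TEAM_MANAGED_EPIC_META = {
    "summary": {"name": "Summary", "required": True},
    "priority": {"name": "Priority", "required": False},
}


def find_epic_name_field(fields_meta: dict) -> Optional[str]:
    """Return the id of the 'Epic Name' field if the Epic create screen has it, else None."""
    for field_id, meta in fields_meta.items():
        if meta.get("name", "").strip().lower() == "epic name":
            return field_id
    return None


def build_epic_fields(project_key: str, summary: str, fields_meta: dict,
                      configured_epic_name_field: Optional[str] = None) -> dict:
    """Build the create-issue payload, setting 'Epic Name' only when the screen carries it.

    configured_epic_name_field is the custom field id an integration has stored in
    its settings. It is honoured only if the create metadata lists it; otherwise
    Jira answers "Field 'customfield_xyz' cannot be set. It is not on the
    appropriate screen, or unknown."
    """
    fields = {
        "project": {"key": project_key},
        "summary": summary,
        "issuetype": {"name": "Epic"},
    }
    if configured_epic_name_field in fields_meta:
        field_id = configured_epic_name_field
    else:
        field_id = find_epic_name_field(fields_meta)  # discover it, or None
    if field_id is not None:
        fields[field_id] = summary
    return fields


class JiraError(Exception):
    """Stand-in for jira.JIRAError; carries the server's error text (assumption)."""

    def __init__(self, text: str, status_code: int = 400):
        super().__init__(text)
        self.text = text
        self.status_code = status_code


class FakeJiraClient:
    """Constructed stand-in for a jira.JIRA client; method names mirror the
    jira-python calls, but the behaviour here is simulated for the example."""

    NEXT_GEN_TEXT = ("The request contains a next-gen issue. "
                     "This operation can't add next-gen issues to epics.")

    def __init__(self, team_managed: bool):
        self.team_managed = team_managed
        self.calls = []

    def add_issues_to_epic(self, epic_id, issue_keys):
        # Agile API path; team-managed (next-gen) projects reject it.
        self.calls.append(("add_issues_to_epic", epic_id, tuple(issue_keys)))
        if self.team_managed:
            raise JiraError(self.NEXT_GEN_TEXT)

    def update_issue(self, issue_key, fields):
        # Equivalent of issue.update(fields=...) on a jira.Issue (Edit issue operation).
        self.calls.append(("update_issue", issue_key, fields))


def attach_issue_to_epic(client, epic_key: str, issue_key: str) -> str:
    """Try the Agile 'add issues to epic' call; on the next-gen error fall back to
    editing the issue and setting parent. Returns the path that succeeded."""
    try:
        client.add_issues_to_epic(epic_key, [issue_key])
        return "add_issues_to_epic"
    except JiraError as exc:
        if NEXT_GEN_MARKER not in exc.text:
            raise  # any other failure (auth, permissions, bad key) stays an error
        client.update_issue(issue_key, {"parent": {"key": epic_key}})
        return "parent"
```

Only the next-gen error text triggers the fallback; every other `JiraError` is re-raised so a permission or authentication failure is not silently turned into a second write.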

@Maffooch Maffooch merged commit 3a9d81c into DefectDojo:bugfix Jan 31, 2025
73 checks passed
@Maffooch Maffooch deleted the jira-epic-mapping branch January 31, 2025 01:45
5 participants