ghas-jira-integration's Introduction

Synchronize GitHub Code Scanning alerts to Jira issues

GitHub's REST API and webhooks give customers the option of exporting alerts to any issue tracker, by allowing users to fetch the data via API endpoints and/or by receiving webhook POST requests to a hosted server.

This repository

This repository gives a quick illustrative example of how to integrate GitHub Code Scanning with Jira. The code is intended as a proof-of-concept, showing the basic operations necessary to handle incoming requests from GitHub. Please feel free to use this as a starting point for your own integration.

Using the GitHub Action

The easiest way to use this tool is via its GitHub Action, which you can add to your workflows. Here is what you need before you can start:

  • A GitHub repository with Code Scanning enabled and a few alerts. Follow this guide to set up Code Scanning.
  • The URL of your Jira Server instance.
  • A Jira project to store your issues. You will need to provide its project key to the action. (Must be Scrum project type; Kanban will not work.)
  • A Jira Server account (username + password) with the following permissions for the abovementioned project:
    • Browse Projects
    • Close Issues
    • Create Issues
    • Delete Issues
    • Edit Issues
    • Transition Issues
  • Depending on where you run your workflow, the Jira Server instance must be accessible from either the GitHub.com IP addresses or the address of your GitHub Enterprise Server instance.

Make sure you safely store all credentials as GitHub Secrets. For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it. Finally, set up the following workflow in your repository, e.g. by adding the file .github/workflows/jira-sync.yml:

name: "Sync GHAS to Jira"

on:
  schedule:
    - cron: '*/10 * * * *'    # trigger synchronization every 10 minutes

jobs:
  test_job:
    runs-on: ubuntu-latest
    steps:
      - name: Sync alerts to Jira issues
        uses: github/ghas-jira-integration@v1
        with:
          jira_url: '<INSERT JIRA SERVER URL>'
          jira_user: '${{ secrets.JIRA_USER }}'
          jira_token: '${{ secrets.JIRA_TOKEN }}'
          jira_project: '<INSERT JIRA PROJECT KEY>'
          sync_direction: 'gh2jira'

This action will push any changes (new alerts, alerts deleted, alert states changed) to Jira, by creating, deleting or changing the state of the corresponding Jira issues. There are two sync directions for the field sync_direction:

  • gh2jira
  • jira2gh

Using gh2jira means the alerts will sync from GitHub to Jira. If you set sync_direction to jira2gh, it will synchronize the other way. Currently, two-way integration is not yet possible via the action. If you need it, use the CLI's serve command (see below).

Using this Action to synchronize secret scanning alerts

Secret scanning alerts can only be queried with the API in private repositories. For public repositories, there will just be an empty results list. You'll need to pass in a PAT via github_token that has admin rights to access secret scanning alerts. Ensure the PAT has the security_events scope:

        with:
          jira_url: '<INSERT JIRA SERVER URL>'
          jira_user: '${{ secrets.JIRA_USER }}'
          jira_token: '${{ secrets.JIRA_TOKEN }}'
          jira_project: '<INSERT JIRA PROJECT KEY>'
          github_token: '${{ secrets.PERSONAL_ACCESS_TOKEN }}'
          sync_direction: 'gh2jira'

Other optional features for this Action

Labels

You can also create labels for the Jira issues that are created. By using the example YAML below in your workflow, you can use multiple labels, and spaces will be respected. For example, if you add red-team, blue team, the labels would be created as 'red-team' and 'blue team'. If this input is updated in the workflow, the existing Jira issues will also be updated with the same labels.

with:
  jira_labels: 'red-team,blue-team,green-team'

Custom transition states (end, reopen)

You can customize the end and reopen states if your Jira workflows don't use the default close/reopen states.

with:
  issue_end_state: 'Closed'
  issue_reopen_state: 'red-team-followup'

Using the CLI's sync command

Installation

The easiest way to get the CLI running is with pipenv:

pipenv install
pipenv run ./gh2jira --help

Note: gh2jira requires a minimum of Python 3.5.

In addition to the usual requirements you also need:

  • the URL for the GitHub API, which is
  • a GitHub personal access token, so that the program can fetch alerts from your repository. Follow this guide to obtain a dedicated token. It will have to have at least the security_events scope and must have admin rights to access secret scanning alerts.

pipenv run ./gh2jira sync \
                 --gh-url "<INSERT GITHUB API URL>" \
                 --gh-token "<INSERT GITHUB PERSONAL ACCESS TOKEN>" \
                 --gh-org "<INSERT REPO ORGANIZATION>" \
                 --gh-repo "<INSERT REPO NAME>" \
                 --jira-url "<INSERT JIRA SERVER INSTANCE URL>" \
                 --jira-user "<INSERT JIRA USER>" \
                 --jira-token "<INSERT JIRA PASSWORD>" \
                 --jira-project "<INSERT JIRA PROJECT KEY>" \
                 --direction gh2jira

Note: Instead of the --gh-token and --jira-token options, you may also set the GH2JIRA_GH_TOKEN and GH2JIRA_JIRA_TOKEN environment variables. The above command could be invoked via a cronjob every X minutes, to make sure issues and alerts are kept in sync.

Other optional features for the CLI

There is an optional parameter you can use for creating labels in your Jira issues. As previously mentioned, spaces within the double quotes will be respected and saved. Just like the GitHub Actions way, the custom transition states are also optional when using the CLI.

--jira-labels "red-team,blue-team,green-team"
--issue-end-state "Closed"
--issue-reopen-state "blue-team-reopen"

Here's an example for a two-way integration:

pipenv run ./gh2jira sync \
                 --gh-url "<INSERT GITHUB API URL>" \
                 --gh-token "<INSERT GITHUB PERSONAL ACCESS TOKEN>" \
                 --gh-org "<INSERT REPO ORGANIZATION>" \
                 --gh-repo "<INSERT REPO NAME>" \
                 --jira-url "<INSERT JIRA SERVER INSTANCE URL>" \
                 --jira-user "<INSERT JIRA USER>" \
                 --jira-token "<INSERT JIRA PASSWORD>" \
                 --jira-project "<INSERT JIRA PROJECT KEY>" \
                 --state-file myrepository-state.json \
                 --direction both

In this case the repository's state is stored in a JSON file (which will be created if it doesn't already exist). Alternatively, the state can also be stored in a dedicated Jira issue via --state-issue - (this will automatically generate and update a storage issue within the same Jira project). If the storage issue should be in a separate Jira project, you can specify --state-issue KEY-OF-THE-STORAGE-ISSUE.

Other CLI sync options

The serve command

Using the CLI's serve command

The following method is the most involved one, but currently the only one which allows two-way integration (i.e. changes to Code Scanning alerts trigger changes to Jira issues and vice versa). It uses a lightweight Flask server to handle incoming Jira and GitHub webhooks. The server is meant to be an example and not production-ready.

In addition to the usual requirements you also need:

  • A machine with an address that can be reached from GitHub.com or your GitHub Enterprise Server instance and your Jira Server instance. This machine will run the server.
  • Webhooks set up on both GitHub and Jira. On GitHub, only repository or organization owners can do so. On Jira, it requires administrator access.
  • A secret which will be used to verify webhook requests.

First, create a GitHub webhook with the following event triggers:

This can be either a repository or an organization-wide hook. Set the Payload URL to https://<the machine>/github, the Content type to application/json and insert your webhook Secret. Make sure to Enable SSL verification.

Second, register a webhook on Jira. Give your webhook a Name and enter the URL: https://<the machine>/jira?secret_token=<INSERT WEBHOOK SECRET>. In the Events section specify All issues and mark the boxes created, updated and deleted. Click Save.

Finally, start the server:

pipenv run ./gh2jira serve \
                 --gh-url "<INSERT GITHUB API URL>" \
                 --gh-token "<INSERT GITHUB PERSONAL ACCESS TOKEN>" \
                 --jira-url "<INSERT JIRA SERVER INSTANCE URL>" \
                 --jira-user "<INSERT JIRA USER>" \
                 --jira-token "<INSERT JIRA PASSWORD>" \
                 --jira-project "<INSERT JIRA PROJECT KEY>" \
                 --secret "<INSERT WEBHOOK SECRET>" \
                 --port 5000 \
                 --direction both

This will enable two-way integration between GitHub and Jira. Note: Instead of the --secret option, you may also set the GH2JIRA_SECRET environment variable.
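The serve setup above authenticates both webhooks with one shared secret: GitHub signs each delivery, while the Jira hook carries the secret in its URL. The following is an added example, not code from this repository; it checks GitHub's X-Hub-Signature-256 header (HMAC-SHA256 over the raw body) and the secret_token query parameter in constant time, and redacts that parameter before a URL is logged. Function names, the host name and the sample values are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values; not taken from the repository or a real deployment.
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = b'{"action":"created","alert":{"number":7}}'
SAMPLE_JIRA_URL = "https://sync.example.test/jira?secret_token=" + SAMPLE_SECRET


def github_signature(secret, body):
    """Return the X-Hub-Signature-256 value GitHub computes for this raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_github_request(secret, body, signature_header):
    """Accept a GitHub delivery only if its HMAC matches the raw request body.

    Fails closed when the secret is empty or the header is missing or uses
    another scheme. The body must be the bytes as received: re-serialising
    the parsed JSON changes whitespace and breaks the signature.
    """
    if not secret or not signature_header:
        return False
    if not signature_header.startswith("sha256="):
        return False
    expected = github_signature(secret, body)
    # compare_digest avoids leaking the position of the first differing byte.
    return hmac.compare_digest(expected.encode("utf-8"),
                               signature_header.encode("utf-8"))


def verify_jira_request(secret, request_url):
    """Accept a Jira delivery only if exactly one secret_token value matches."""
    values = parse_qs(urlsplit(request_url).query).get("secret_token", [])
    # A missing, blank or repeated parameter is rejected rather than guessed at.
    if not secret or len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode("utf-8"),
                               secret.encode("utf-8"))


def redact_secret_token(request_url):
    """Return the URL with the secret_token value masked, for access logs."""
    parts = urlsplit(request_url)
    pairs = [(key, "REDACTED" if key == "secret_token" else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    header = github_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print("GitHub delivery, intact body:  ",
          verify_github_request(SAMPLE_SECRET, SAMPLE_BODY, header))
    print("GitHub delivery, modified body:",
          verify_github_request(SAMPLE_SECRET, SAMPLE_BODY + b" ", header))
    print("Jira delivery, correct token:  ",
          verify_jira_request(SAMPLE_SECRET, SAMPLE_JIRA_URL))
    print("URL as it should be logged:    ",
          redact_secret_token(SAMPLE_JIRA_URL))
```

Because the Jira secret travels in the query string, any reverse proxy or access log in front of the server records it unless the URL is redacted first.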

Contributing

See CONTRIBUTING.md

License

Apache V2

ghas-jira-integration's People

Contributors

aibaars, chaoscypher, daverlo, dependabot[bot], haby0, hentisemmle, johnlugton, lindseybocatto, mdavidoff0, nickfyson, semmledocs-ac, sennap, tibbes, zkoppert, zrohrbach-qb

ghas-jira-integration's Issues

unable to fetch alerts from github

Hey there,
Having a lot of issues with fetching the alerts from my repo (in GitHub Cloud Enterprise).
The error I keep getting:

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.github.com/repos/<org-name>/<repo-name>/secret-scanning/alerts?per_page=100

I tried running curl locally with GITHUB_TOKEN exported and it worked.

Here's the action.yml (tried a few variants):

jobs:
  jira-sync:
    name: Jira Sync
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
#    needs: [ analyze ]
    steps:
      - name: Sync alerts to Jira issues
#        env:
#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        uses: github/ghas-jira-integration@v1
        with:
          jira_url: 'http://<org>.atlassian.net'
          jira_token: ${{ secrets.JIRA_TOKEN }}
          jira_user: 'myuser'
          jira_project: 'myproject'
          jira_labels: 'code-scanning'
          sync_direction: 'gh2jira'

Issue type support

Any thoughts on supporting custom issue types? Referring to a security vulnerability as a bug seems odd to me, and I would like to report these tickets as something other than such.

Feature Request - include additional details in the jira ticket

Feature request to add details from GitHub's code scanning page such as file (line/col), recommendations, code snippets (path of exploitation), examples, etc. in the Jira ticket. The majority of this information looks to be available on the API and presented in markdown.

Support for custom fields

Some feedback that was given to us from an open source developer 😸

Based on the Jira python library being used, the actual customfields themselves are just an additional key/value pair passed to the fields object: https://developer.atlassian.com/server/jira/platform/jira-rest-api-examples/#creating-an-issue-using-custom-fields

Here - https://github.com/github/ghas-jira-integration/blob/main/jiralib.py#L168 this method is where we would pass something like field={"customfield_0000": "my_value"}

Ideally the custom field would be an arbitrary map the user passes into the github action.

Support for Dependabot alerts

It would be great to include support for the other types of GHAS alerts:

  • Dependabot Security alerts
  • Secret Scanning alerts

Add paths/paths-ignore to CLI and Actions

Delegate alerts based on paths specified to particular Jira backlogs. For instance, some engineering teams split Action workflows for a monorepo to speed up run time, whether those workflows are used for building, linting and/or running security scanners. In this particular case, we want to fetch code scanning alerts from a monorepo and take subsets of them to post to particular Jira backlogs. We want to take the familiar concept of paths and paths-ignore to this integration.

Take this as an example:

test-repo => MAIN_JIRA_BOARD
|
| -/some_path_1/** => JIRA_BOARD_FOR_SOME_PATH_1
|
| -/some_path_2/** => JIRA_BOARD_FOR_SOME_PATH_2
|
| -/some_path_3/** => JIRA_BOARD_FOR_SOME_PATH_3

  • MAIN_JIRA_BOARD will have all alerts except any paths we define for either paths and/or paths-ignore
    • For paths-ignore, exclude specific subdirs meant for JIRA_BOARD_FOR_SOME_PATH_1 and similar
    • For paths, include all paths except paths meant for JIRA_BOARD_FOR_SOME_PATH_1 and similar
  • For JIRA_BOARD_FOR_SOME_PATH_1 and similar boards, in this case we want to use paths to include alerts for specific subdirs.

403 when accessing secret scanning alerts

I was able to run this action/post jira issues just fine when my repo was public (thus no secret scanning alerts), but once I switch to public and run this in the octodemo org, I get this error:

DEBUG:urllib3.connectionpool:https://api.github.com:443 "GET /repos/octodemo/sennap-ghas-jira/secret-scanning/alerts?per_page=100 HTTP/1.1" 403 None

Full logs including SecurityEvents: write permission for my GitHub_token:
logs_14.zip

workflow file in case you don't have access to the octodemo org:

name: "Sync GHAS to Jira"

on: workflow_dispatch
# on:
#   schedule:
#     - cron: '*/10 * * * *'    # trigger synchronization every 10 minutes

jobs:
  test_job:
    runs-on: ubuntu-latest
    steps:
      - name: Sync alerts to Jira issues
        uses: github/ghas-jira-integration@v1
        with:
          jira_url: 'https://githubtraining.atlassian.net/'
          jira_user: '${{ secrets.JIRA_USER }}'
          jira_token: '${{ secrets.JIRA_TOKEN }}'
          jira_project: 'SGJ'
          sync_direction: 'gh2jira'

secret scanning alert that I can see in the UI as org admin:
Screen Shot 2021-12-02 at 7 55 42 PM

cc @cmboling @zbazztian as I saw you added secret scanning support recently 🙏🏻

Workflow enhancements

Hello Team,

We need Jira tickets for those vulnerabilities which are open/present in code-scanning alerts. I don't need the tickets for those vulnerabilities which are already closed on code-scanning alerts.

When I run the code scanning alerts workflow, the Jira tickets are opened for all the vulnerabilities, even those which are closed.

Can you please help us improve the above?

Thanks,
Shweta.

v1 Release Plan

Part one

  • Test, approve and merge #15
  • Rename default branch to main
  • Retain dummy “master” branch to accommodate existing workflows referencing this branch
  • Notify known users using this workflow for breaking changes

Part two

  • Update README.md
  • Rename repository
  • Release v1 tag
  • Smoke test v1 tag
  • Delete dummy master branch
  • Notify users to use v1

Postponed to minor release (starting week of October 18)

  • Refactor/Improve codebase

Refactor/remove useless code

  • Remove the creation of the Jira bug that has a title of [Code Scanning Issue States]
  • Remove references to the states file from the arg parsing and action inputs
  • Remove reference to Docker builds
    • The CLI can be added to an image but we don't necessarily want the Actions implementation to rely on a Docker build if we can instead rely on the tools already in the GH hosted runner.

Missing Package Running Locally

Overview

When trying to run this locally, I am getting an error that there is a missing module.

Debug Info

Versions

  • Python Version: Python 3.10.9
  • ghas-jira-integration Version - latest/main

Install Output

pipenv install

Creating a virtualenv for this project...
Pipfile: ~/projects/ghas-jira-integration/Pipfile
Using /opt/homebrew/bin/python3 (3.10.9) to create virtualenv...
⠴ Creating virtual environment...created virtual environment CPython3.10.9.final.0-64 in 462ms
  creator CPython3Posix(dest=~/.local/share/virtualenvs/ghas-jira-integration-Np39mDW-, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=~/Library/Application Support/virtualenv)
    added seed packages: pip==22.3.1, setuptools==65.6.3, wheel==0.38.4
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

✔ Successfully created virtual environment!
Virtualenv location: ~/.local/share/virtualenvs/ghas-jira-integration-Np39mDW-
Pipfile.lock not found, creating...
Locking [packages] dependencies...
Locking [dev-packages] dependencies...
Updated Pipfile.lock (4f62b95128be3b692fe61e60ea444eb9d699b7871daa710d5a5f3d344b8ae567)!
Installing dependencies from Pipfile.lock (8ae567)...
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.

Error Output

pipenv run ./gh2jira --help

Traceback (most recent call last):
  File "~/projects/ghas-jira-integration/cli.py", line 11, in <module>
    import anticrlf
ModuleNotFoundError: No module named 'anticrlf'

Default GITHUB_TOKEN permissions are not enough to fetch alerts

The README mentions that "For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it".

But in reality I had to manually create another PAT and use it like that for the actions to successfully fetch security alerts:

jobs:
  jira-sync:
    name: Jira Sync
    runs-on: ubuntu-latest
    steps:
      - name: Sync alerts to Jira issues
        uses: github/ghas-jira-integration@v1
        with:
          github_token: ${{ secrets.TEST_GITHUB_TOKEN }}
          jira_token: ${{ secrets.JIRA_TOKEN }}
          jira_url: 'https://apiseq.atlassian.net'
          jira_user: '[email protected]'
          jira_project: ${{ github.event.inputs.project }}
          jira_labels: 'code-scanning'
          sync_direction: 'gh2jira'

when not adding the manually created PAT i get the following error:
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.github.com/repos/neosec-com/neosec-frontend/secret-scanning/alerts?per_page=100

Add Jira Labels

Add a flag to include labels to send to Jira for all new/existing security vulnerabilities

Custom end state

Not all Jira issues use the "Done" state when an issue/severity alert is closed. Some use a custom state, such as "Closed". Provide a custom flag that will support this.

Re-Open Jira issues

In some workflows, code scanning or secrets scanning alerts get closed with various statuses (false positive, fixed, etc.), and then re-opened. Right now this integration can only move Jira issues from Open to Done. It would be great if the integration could change the status of 'Done' issues back to 'Open' if they are re-opened for any reason.

SSLError on Jira api connect

Tried running action against our jira account and...

WARNING:root:Got recoverable error from GET ***/rest/api/2/serverInfo, will retry [1/3] in 12.502317084188054s. Err: HTTPSConnectionPool(host='imaware.atlassian.net', port=443): Max retries exceeded with url: /rest/api/2/serverInfo (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

Not sure what to do here as our GitHub is permitted with jira and am using other jira GitHub Actions to create tickets.

Minor improvements to repository

Although these are minor improvements, they are breaking changes:

  • Renaming the repository
    • GHAS licensing consists of both code scanning and secret scanning, so once we are tracking each type of alert, we can change the name to ghas-jira-integration. There's also an issue 'round here requesting support for other issue tracking platforms (Azure boards or even our native GitHub issues). We may need to settle on a more generic name, such as ghas-issue-tracking-integration.
  • Change default branch from master to main
    • Also remove master reference in READMEs.
  • Use version branches/tags so we don't use main/master branches to refer to different versions of the integration

ImportError: cannot import name 'url_quote' from 'werkzeug.urls'

Issue Summary 🚨

On October 1st, the ghas-jira-integration pipeline failed due to an ImportError linked to the Werkzeug package.

Error Message 🛑

ImportError: cannot import name 'url_quote' from 'werkzeug.urls'

Diagnostic Details

  • Issue Identified: The problem is related to an upgrade in the Werkzeug package.

    • Reasoning: Import statement in code is incompatible with the latest version of Werkzeug.
  • Version Info:

    • Working Version: Werkzeug-2.3.7
    • Problematic Version: Werkzeug-3.0.0
    • How Discovered: Compared logs from a successful run to a failed run to pinpoint the version discrepancy.

Jira access token

Why on earth do you have the argument named token while you are expecting a password string instead?

--jira-token "<INSERT JIRA PASSWORD>"

How can I use JIRA token which is supposed to access its APIs?
Request should be sent by adding the header Authorization: Bearer MYJIRATOKEN

Jira ticket Priority

Since code scanning alerts that are associated with a database vulnerability contain the severity level, I believe that these should be applied to the priority of the ticket. For things that are not associated with a database vulnerability and are from a code scanning alert, they should remain a medium priority, and for Secret scanning alerts these should be labeled with the Highest priority. It will allow for the tickets created through the action to be used with Jira automation and send out notifications based on priority level and length of time in limbo. Let me know what you think. I can take a shot at creating a PR for it.

Weird behavior when trying to sync alerts to jira

When trying to sync alerts to Jira I'm running into this weird behavior by the action. For some reason it runs a JQL query looking for issues with the project key name AND description, which is an auto-generated hash. This doesn't return an error though, just this message:

https://<myserver>.atlassian.net:443 "GET /rest/api/2/search?jql=project%3D%22PROT%22+and+description+~+%229ace02b988f4e7c7be80674a50ba912cdbaa3ca9a3df87440d795ce9fa82156e%22&startAt=0&validateQuery=True HTTP/1.1" 200 None
Search project="PROT" and description ~ "9ace02b988f4e7c7be80674a50ba912cdbaa3ca9a3df87440d795ce9fa82156e" returned 0 results.

Support for Azure Boards

I was recently approached by a colleague who suggested we might want to add support for Azure Boards, given that it has currently more than 1.2M monthly users. It is an interesting proposition and could serve as a proof that the integration can be more generic and support multiple platforms. One caveat is that we would have to, once again, rename the repository :-)

There are currently still a few outstanding items we should address for the JIRA integration, but if we can gather customer / prospect interest, then this might be an interesting project.

Feature Request | Jira Priority

I would like the severity of the code scanning alert (Error, Warning, Info) to map to a priority in the Jira bug that is opened.

Error = High
Warning = Medium
Info = Low

This would make it easier for product owners, scrum masters, etc to be able to prioritize the bugs they see in their backlog at a glance. This would also prevent having to look at the code scanning alerts, and match them up with the bugs. Or have to click the individual links inside the bugs to be brought to the specific alert, to then look at the severity that it has.

Workflows failing with "The issue type selected is invalid"

I am filing this on behalf of my customer @Shweta4398 who has successfully set up a workflow with this Action. Every time they run the workflow, it fails with the same error text: The issue type selected is invalid.

Here is the Action they provided:

image

If there is no issue type, the error occurs, or if they add an issue type, same error. jira_issue_type does not appear to be a criteria you can populate with this Action.

Looking at a portion of the logs, it appears that somewhere along the way, the rest/api path is picked up and the Action seems to identify this as an issue type:

jira.exceptions.JIRAError: JiraError HTTP 400 url: https://appdirect.jira.com/rest/api/2/issue
	text: The issue type selected is invalid.
	
	response headers = {'Date': 'Mon, 10 Apr 2023 06:09:59 GMT', 'Content-Type': 'application/json;charset=UTF-8', 'Server': 'AtlassianEdge', 'Timing-Allow-Origin': '*', 'X-Arequestid': 'e3f409a204a7400ac8bb8f63346850f5', 'X-Aaccountid': '628dac6ff2261e00682a1d81', 'Cache-Control': 'no-cache, no-store, no-transform', 'X-Content-Type-Options': 'nosniff', 'X-Xss-Protection': '1; mode=block', 'Atl-Traceid': '8a5f7da3d11568d8', 'Report-To': '{"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}', 'Nel': '{"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}', 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload', 'Transfer-Encoding': 'chunked'}
	response text = {"errorMessages":[],"errors":{"issuetype":"The issue type selected is invalid."}}
Error: Process completed with exit code 1.

Logs:

1_Set up job.txt
2_Sync CodeQL alerts to Jira issues.txt
4_Complete job.txt

Weird error when fetching from JIRA

Hello we are trying to get this setup for our repo and seeing this error

DEBUG:urllib3.connectionpool:https://tranecortex.atlassian.net:443 "GET /rest/api/2/search?jql=project%3D%22DWA%22+and+description+~+%22290af322f9cb4b0a321b692b164f150b157f047a83168febf076db55717ab1de%22&startAt=0&validateQuery=True HTTP/1.1" 400 None
Traceback (most recent call last):
  File "/home/runner/work/_actions/github/ghas-jira-integration/v1/cli.py", line 321, in <module>
    main()
  File "/home/runner/work/_actions/github/ghas-jira-integration/v1/cli.py", line 318, in main
    args.func(args)
  File "/home/runner/work/_actions/github/ghas-jira-integration/v1/cli.py", line 104, in sync
    s.sync_repo(repo_id, states=state)
  File "/home/runner/work/_actions/github/ghas-jira-integration/v1/sync.py", line 115, in sync_repo
    for i in self.jira.fetch_issues(repo.get_key()):
  File "/home/runner/work/_actions/github/ghas-jira-integration/v1/jiralib.py", line 221, in fetch_issues
    for raw in self.j.search_issues(issue_search, maxResults=0)
  File "/home/runner/.local/lib/python3.8/site-packages/jira/client.py", line 2523, in search_issues
    issues = self._fetch_pages(
  File "/home/runner/.local/lib/python3.8/site-packages/jira/client.py", line 636, in _fetch_pages
    resource = self._get_json(request_path, params=page_params, base=base)
  File "/home/runner/.local/lib/python3.8/site-packages/jira/client.py", line 3139, in _get_json
    r = self._session.get(url, params=params)
  File "/home/runner/.local/lib/python3.8/site-packages/jira/resilientsession.py", line 172, in get
    return self.__verb("GET", url, **kwargs)
  File "/home/runner/.local/lib/python3.8/site-packages/jira/resilientsession.py", line 168, in __verb
    raise_on_error(response, verb=verb, **kwargs)
  File "/home/runner/.local/lib/python3.8/site-packages/jira/resilientsession.py", line 53, in raise_on_error
    raise JIRAError(
jira.exceptions.JIRAError: JiraError HTTP 400 url: https://tranecortex.atlassian.net/rest/api/2/search?jql=project%3D%22DWA%22+and+description+~+%22290af322f9cb4b0a321b692b164f150b157f047a83168febf076db55717ab1de%22&startAt=0&validateQuery=True
	text: The value 'DWA' does not exist for the field 'project'.
	
	response headers = {'Date': 'Thu, 28 Jul 2022 21:02:49 GMT', 'Content-Type': 'application/json;charset=UTF-8', 'Server': 'globaledge-envoy', 'Timing-Allow-Origin': '*', 'X-Arequestid': 'cdcb4620-33a4-487d-9b33-0a397e3d4cf3', 'Cache-Control': 'no-cache, no-store, no-transform', 'X-Envoy-Upstream-Service-Time': '66', 'Expect-Ct': 'report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/atlassian-proxy", max-age=86400', 'Strict-Transport-Security': 'max-age=63072000; preload', 'X-Content-Type-Options': 'nosniff', 'X-Xss-Protection': '1; mode=block', 'Atl-Traceid': '0ba9a73c174f2485', 'Report-To': '{"group": "endpoint-1", "max_age": 600, "endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net/"}], "include_subdomains": true}', 'Nel': '{"report_to": "endpoint-1", "max_age": 600, "include_subdomains": true, "failure_fraction": 0.001}', 'Transfer-Encoding': 'chunked'}
	response text = {"errorMessages":["The value 'DWA' does not exist for the field 'project'.","Field 'description' does not exist or this field cannot be viewed by anonymous users."],"warningMessages":[]}
Error: Process completed with exit code 1.

Our configuration looks as follows:


name: "Sync GHAS to Jira"

on:
  workflow_dispatch:
  # schedule:
    # - cron: '*/9 * * * *'    # trigger synchronization every 9 minutes

jobs:
  test_job:
    runs-on: ubuntu-latest
    steps:
      - name: Sync alerts to Jira issues
        uses: github/ghas-jira-integration@v1
        with:
          jira_url: 'https://tranecortex.atlassian.net'
          jira_user: '${{ secrets.JIRA_USER }}'
          jira_token: '${{ secrets.JIRA_TOKEN }}'
          jira_project: 'DWA'
          github_token: '${{ secrets.GH_TO_JIRA_SEC_TOKEN }}'
          sync_direction: 'gh2jira'

Add tests

We currently have neither any unit nor integration tests. The bigger and more complex the project grows, the more problematic this will become, so we should address this soon.
