Jira Integration

Experimental Feature

The Jira integration is an experimental feature and may undergo changes in future releases.

Overview

CVEScan offers an optional Jira integration feature, enabling you to associate a CVEScan annotation with a Jira issue. This makes it easy to track the status and progress of related Jira issues directly within the CVEScan WebUI.

Features

The core concept of the Jira integration is to create a link between a CVEScan annotation and a Jira issue. The CVEScan WebUI provides two ways to create this link:

  • Link to existing Jira issues: Link a CVEScan annotation to an existing Jira issue. This is useful when the issue was created outside of CVEScan and you want to track the progress of the remediation from CVEScan.
  • Create new Jira issues: Create a new Jira issue and link it to a CVEScan annotation directly from the CVEScan WebUI.

    Limitation

    Custom fields are not yet supported for new Jira issue creation. To work around this limitation, you can create the issue in Jira and then link it to the annotation using the Link to existing Jira issues feature.

  • Unlink Jira issues: Unlink a CVEScan annotation from a Jira issue. This removes the link between the annotation and the issue in CVEScan but does not delete the issue from Jira. The issue remains accessible in your Jira instance.

How It Works

Account Linking

The Jira integration is based on linking your Atlassian account (Jira scoped) to your CVEScan account using Atlassian OAuth 2.0 (3LO). You can create the link via the CVEScan WebUI by clicking on the Link button in the user profile page.

Link lifecycle

After linking your accounts, the connection remains active as long as you use the Jira integration. However, the link expires after 90 days of inactivity. If this happens, you'll need to link your accounts again through the user profile page.

You can manage your Jira link at any time from the user profile page:

  • Unlink: Remove the connection between your CVEScan and Atlassian accounts.
  • Update: Change to a different Jira instance or Atlassian account.
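The account-linking flow and the inactivity rule above, as an added illustration that is not CVEScan's own code: it builds the Atlassian OAuth 2.0 (3LO) authorization request with an unguessable state value, verifies that value on the callback before accepting the authorization code, and applies the 90-day inactivity check to a stored link. The authorization endpoint and scope names are Atlassian's documented ones; the function names, the ISO-8601 timestamp format and the chosen scope list are assumptions made for this example.

```python
"""Atlassian 3LO link handling: added example, not CVEScan's implementation."""
import secrets
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse

# Atlassian's documented 3LO authorization endpoint.
AUTHORIZE_URL = "https://auth.atlassian.com/authorize"
# Example scope set (assumption): read/write Jira work plus offline_access,
# which is what yields the refresh token the page says is stored.
JIRA_SCOPES = ["read:jira-work", "write:jira-work", "offline_access"]
# The page states the link expires after 90 days of inactivity.
INACTIVITY_LIMIT = timedelta(days=90)


def new_state() -> str:
    """Per-request CSRF token, stored server-side with the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization request for the 3LO code flow (parameters per Atlassian docs)."""
    params = {
        "audience": "api.atlassian.com",
        "client_id": client_id,
        "scope": " ".join(JIRA_SCOPES),
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Accept the callback only if state matches (constant-time) and a code is present."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if received is None or not secrets.compare_digest(received, expected_state):
        return False
    return "code" in query


def link_is_active(last_used_iso: str, now_iso: str) -> bool:
    """True while the stored link has been used within the 90-day window.

    Timestamps are ISO-8601 strings (assumed storage format for this example).
    """
    last_used = datetime.fromisoformat(last_used_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_used <= INACTIVITY_LIMIT
```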

Permission-Based Access

All actions performed from CVEScan in Jira are subject to your Atlassian account permissions. CVEScan cannot perform operations that your Jira account does not have permission to execute. For example:

  • If you don't have permission to create issues in a specific Jira project, you won't be able to create issues in that project from CVEScan.
  • If you don't have permission to view certain Jira issues, you won't be able to link them to annotations in CVEScan.

This ensures that the Jira integration respects your organization's existing access control policies.

Data Storage

To enable seamless integration, CVEScan stores your Jira credentials (access and refresh tokens) in encrypted form in the database. For detailed information about what data is stored, how it is encrypted, and the security implications, please refer to the Data Storage and Encryption section in the installation guide.

Enabling the Jira Integration

The Jira integration is an optional feature and is not enabled by default. To enable it, your system administrator must configure the CVEScan API with the appropriate Atlassian OAuth credentials and encryption keys. Please refer to the Jira Integration Installation Guide for complete setup instructions. When the integration is enabled, you will see a Jira Integration section in the user profile page and a Jira badge on the annotation cards.