@conterra/vuln-scan 0.0.34 → 0.0.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -49,6 +49,13 @@ After that you have following commands available:
49
49
  - `ct-vuln-remove-project`
50
50
  - Removes a project from the configuration file and all vex statements related to the project.
51
51
  - Or removes a project from all vex statements matching a given vulnerability id.
52
+ - `ct-vuln-add-project-to-vex`
53
+ - Update vex files to include a new project version. The project is added to each vex file that references the existing project version given.
54
+ - This step is already included in the `ct-vuln-add-project` command, but it can be run separately to update the vex files for an already existing project entry in the configuration file.
55
+ - `ct-vuln-jira-report`
56
+ - Reads a `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for newly detected vulnerabilities.
57
+ - Issues are only created when no existing issue with the same vulnerability ID already exists in the target Jira project.
58
+ - Routing rules in a `jira.json` file control which scan projects are reported to which Jira projects.
52
59
 
53
60
  ### Vulnerability scan
54
61
 
@@ -457,6 +464,22 @@ $ ct-vuln-remove-project mapapps 4.18.2-SNAPSHOT CVE-2024-38820
457
464
  This will remove the product-id from all vex statements matching the given vulnerability.
458
465
  This is useful if a vulnerability is no longer detected for a project and you like to remove an existing statement.
459
466
 
467
+ ## Usage - Add project to vex
468
+ Adds a new project version to all vex statements matching a reference project version.
469
+ This step is already included in the `ct-vuln-add-project` command, but it can be run separately to update the vex files for an already existing project entry in the configuration file.
470
+
471
+ To update vex files to include a new project version, run:
472
+
473
+ ```sh
474
+ $ ct-vuln-add-project-to-vex <existingPurl> <newPurl>
475
+ ```
476
+
477
+ for example:
478
+
479
+ ```sh
480
+ $ ct-vuln-add-project-to-vex pkg:maven/de.conterra.mapapps/ct-mapapps@4.19.0 pkg:maven/de.conterra.mapapps/ct-mapapps@4.19.1
481
+ ```
482
+
460
483
  ## Usage - Simulate a version release with preparation of the next dev version
461
484
 
462
485
  By combining the `ct-vuln-add-project` and `ct-vuln-remove-project` commands, you can simulate a version release.
@@ -470,6 +493,116 @@ $ ct-vuln-remove-project mapapps 4.18.3-SNAPSHOT
470
493
  $ ct-vuln-add-project mapapps 4.18.3 4.18.4-SNAPSHOT
471
494
  ```
472
495
 
496
+ ## Usage - Jira Report
497
+
498
+ The `ct-vuln-jira-report` command reads the `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for every new vulnerability that has not already been reported.
499
+
500
+ For each vulnerability the tool:
501
+ 1. Checks (via JQL) whether an issue with the same vulnerability ID already exists in the target Jira project.
502
+ 2. If not, creates a new issue with a structured description including CVE details, affected artefacts, affected products, and placeholder sections for assessment and remediation.
503
+
504
+ ### Environment Variables
505
+
506
+ ```bash
507
+ # Required
508
+ JIRA_USER=user@example.com # Jira account e-mail address
509
+ JIRA_API_TOKEN=<token> # Jira API token (https://id.atlassian.com/manage-profile/security/api-tokens)
510
+ ```
511
+
512
+ NOTE: These variables can also be placed in a `.env` file in the working directory.
513
+
514
+ ### Configuration – `jira.json`
515
+
516
+ Create a `jira.json` file (path is configurable) that defines the Jira instance and the routing rules:
517
+
518
+ ```json
519
+ {
520
+ "$schema": "./node_modules/@conterra/vuln-scan/dist/schema/jira-config-schema.json",
521
+ "jiraUrl": "https://myorg.atlassian.net",
522
+ "issues": [
523
+ {
524
+ "jiraProject": "PLATFORM",
525
+ "issueType": "CVE",
526
+ "issueLabels": ["security", "cve"],
527
+ "boardId": 12,
528
+ "assignToActiveSprint": true,
529
+ "reportProjects": [
530
+ "mapapps@*",
531
+ "smartfinder@4.*"
532
+ ]
533
+ },
534
+ {
535
+ "jiraProject": "OTHER",
536
+ "issueType": "Bug",
537
+ "reportProjects": ["*"]
538
+ }
539
+ ]
540
+ }
541
+ ```
542
+
543
+ | Field | Required | Description |
544
+ | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
545
+ | `jiraUrl` | ✓ | Base URL of the Jira instance |
546
+ | `issues` | ✓ | List of routing rules |
547
+ | `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
548
+ | `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
549
+ | `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
550
+ | `issues[].issueLabels` | – | Labels to attach to every created issue |
551
+ | `issues[].boardId` | – | Scrum board ID – needed to resolve the active sprint |
552
+ | `issues[].assignToActiveSprint` | – | When `true` and `boardId` is set, the issue is added to the currently active sprint. If no sprint is found or the API call fails the issue is still created without a sprint assignment. |
553
+
554
+ **Routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
555
+
556
+ ### CLI Usage
557
+
558
+ ```sh
559
+ $ ct-vuln-jira-report [options]
560
+ ```
561
+
562
+ ```
563
+ Options:
564
+ -c, --jira-config <path> Path to jira.json configuration file
565
+ (default: ./jira.json)
566
+ -s, --summary <path> Path to scan-summary.json produced by ct-vuln-scan
567
+ (default: ./output/scan-summary.json)
568
+ --dry-run Print what would be created without calling Jira
569
+ -h, --help Show help
570
+ ```
571
+
572
+ Examples:
573
+
574
+ ```sh
575
+ # Use defaults (./jira.json + ./output/scan-summary.json)
576
+ $ ct-vuln-jira-report
577
+
578
+ # Custom paths
579
+ $ ct-vuln-jira-report --jira-config ./config/jira.json --summary ./output/scan-summary.json
580
+
581
+ # Preview without creating issues
582
+ $ ct-vuln-jira-report --dry-run
583
+ ```
584
+
585
+ ### Issue Title Format
586
+
587
+ ```
588
+ [<SEVERITY>] <Vuln-Id>: <Vuln-Title>
589
+ ```
590
+
591
+ Example: `[HIGH] CVE-2024-0001: Remote code execution in foo-lib`
592
+
593
+ ### Issue Description Structure
594
+
595
+ Each created issue contains the following sections (in Jira ADF format):
596
+
597
+ | Section | Content |
598
+ | ------------------------ | --------------------------------------------------------- |
599
+ | **CVE Info** | Vulnerability description and dependency tree (ASCII art) |
600
+ | **Betroffene Artefakte** | List of affected component purls |
601
+ | **Gemeldete Produkte** | Scan projects matched by this routing rule |
602
+ | **Einwertung** | Placeholder for severity/impact assessment |
603
+ | **Betroffene Produkte** | Placeholder for final affected/not-affected determination |
604
+ | **Maßnahmen** | Placeholder for remediation steps |
605
+
473
606
  ## Dev Notes
474
607
 
475
608
  Setup: