@conterra/vuln-scan 0.0.35 → 0.0.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +114 -0
- package/dist/add-project.js +453 -456
- package/dist/add-statement.js +454 -457
- package/dist/jira-reporter.js +19 -0
- package/dist/remove-project.js +434 -437
- package/dist/schema/jira-config-schema.json +71 -0
- package/dist/schema/summary-schema.json +152 -0
- package/package.json +8 -7
package/README.md
CHANGED
|
@@ -52,6 +52,10 @@ After that you have following commands available:
|
|
|
52
52
|
- `ct-vuln-add-project-to-vex`
|
|
53
53
|
- Update vex files to include a new project version. The project is added to each vex file that references the existing project version given.
|
|
54
54
|
- This step is already included in the `ct-vuln-add-project` command, but it can be run separately to update the vex files for an already existing project entry in the configuration file.
|
|
55
|
+
- `ct-vuln-jira-report`
|
|
56
|
+
- Reads a `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for newly detected vulnerabilities.
|
|
57
|
+
- Issues are only created when no existing issue with the same vulnerability ID already exists in the target Jira project.
|
|
58
|
+
- Routing rules in a `jira.json` file control which scan projects are reported to which Jira projects.
|
|
55
59
|
|
|
56
60
|
### Vulnerability scan
|
|
57
61
|
|
|
@@ -489,6 +493,116 @@ $ ct-vuln-remove-project mapapps 4.18.3-SNAPSHOT
|
|
|
489
493
|
$ ct-vuln-add-project mapapps 4.18.3 4.18.4-SNAPSHOT
|
|
490
494
|
```
|
|
491
495
|
|
|
496
|
+
## Usage - Jira Report
|
|
497
|
+
|
|
498
|
+
The `ct-vuln-jira-report` command reads the `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for every new vulnerability that has not already been reported.
|
|
499
|
+
|
|
500
|
+
For each vulnerability the tool:
|
|
501
|
+
1. Checks (via JQL) whether an issue with the same vulnerability ID already exists in the target Jira project.
|
|
502
|
+
2. If not, creates a new issue with a structured description including CVE details, affected artefacts, affected products, and placeholder sections for assessment and remediation.
|
|
503
|
+
|
|
504
|
+
### Environment Variables
|
|
505
|
+
|
|
506
|
+
```bash
|
|
507
|
+
# Required
|
|
508
|
+
JIRA_USER=user@example.com # Jira account e-mail address
|
|
509
|
+
JIRA_API_TOKEN=<token> # Jira API token (https://id.atlassian.com/manage-profile/security/api-tokens)
|
|
510
|
+
```
|
|
511
|
+
|
|
512
|
+
NOTE: These variables can also be placed in a `.env` file in the working directory.
|
|
513
|
+
|
|
514
|
+
### Configuration – `jira.json`
|
|
515
|
+
|
|
516
|
+
Create a `jira.json` file (path is configurable) that defines the Jira instance and the routing rules:
|
|
517
|
+
|
|
518
|
+
```json
|
|
519
|
+
{
|
|
520
|
+
"$schema": "./node_modules/@conterra/vuln-scan/dist/schema/jira-config-schema.json",
|
|
521
|
+
"jiraUrl": "https://myorg.atlassian.net",
|
|
522
|
+
"issues": [
|
|
523
|
+
{
|
|
524
|
+
"jiraProject": "PLATFORM",
|
|
525
|
+
"issueType": "CVE",
|
|
526
|
+
"issueLabels": ["security", "cve"],
|
|
527
|
+
"boardId": 12,
|
|
528
|
+
"assignToActiveSprint": true,
|
|
529
|
+
"reportProjects": [
|
|
530
|
+
"mapapps@*",
|
|
531
|
+
"smartfinder@4.*"
|
|
532
|
+
]
|
|
533
|
+
},
|
|
534
|
+
{
|
|
535
|
+
"jiraProject": "OTHER",
|
|
536
|
+
"issueType": "Bug",
|
|
537
|
+
"reportProjects": ["*"]
|
|
538
|
+
}
|
|
539
|
+
]
|
|
540
|
+
}
|
|
541
|
+
```
|
|
542
|
+
|
|
543
|
+
| Field | Required | Description |
|
|
544
|
+
| ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
545
|
+
| `jiraUrl` | ✓ | Base URL of the Jira instance |
|
|
546
|
+
| `issues` | ✓ | List of routing rules |
|
|
547
|
+
| `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
|
|
548
|
+
| `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
|
|
549
|
+
| `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
|
|
550
|
+
| `issues[].issueLabels` | – | Labels to attach to every created issue |
|
|
551
|
+
| `issues[].boardId` | – | Scrum board ID – needed to resolve the active sprint |
|
|
552
|
+
| `issues[].assignToActiveSprint` | – | When `true` and `boardId` is set, the issue is added to the currently active sprint. If no sprint is found or the API call fails the issue is still created without a sprint assignment. |
|
|
553
|
+
|
|
554
|
+
**Routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
|
|
555
|
+
|
|
556
|
+
### CLI Usage
|
|
557
|
+
|
|
558
|
+
```sh
|
|
559
|
+
$ ct-vuln-jira-report [options]
|
|
560
|
+
```
|
|
561
|
+
|
|
562
|
+
```
|
|
563
|
+
Options:
|
|
564
|
+
-c, --jira-config <path> Path to jira.json configuration file
|
|
565
|
+
(default: ./jira.json)
|
|
566
|
+
-s, --summary <path> Path to scan-summary.json produced by ct-vuln-scan
|
|
567
|
+
(default: ./output/scan-summary.json)
|
|
568
|
+
--dry-run Print what would be created without calling Jira
|
|
569
|
+
-h, --help Show help
|
|
570
|
+
```
|
|
571
|
+
|
|
572
|
+
Examples:
|
|
573
|
+
|
|
574
|
+
```sh
|
|
575
|
+
# Use defaults (./jira.json + ./output/scan-summary.json)
|
|
576
|
+
$ ct-vuln-jira-report
|
|
577
|
+
|
|
578
|
+
# Custom paths
|
|
579
|
+
$ ct-vuln-jira-report --jira-config ./config/jira.json --summary ./output/scan-summary.json
|
|
580
|
+
|
|
581
|
+
# Preview without creating issues
|
|
582
|
+
$ ct-vuln-jira-report --dry-run
|
|
583
|
+
```
|
|
584
|
+
|
|
585
|
+
### Issue Title Format
|
|
586
|
+
|
|
587
|
+
```
|
|
588
|
+
[<SEVERITY>] <Vuln-Id>: <Vuln-Title>
|
|
589
|
+
```
|
|
590
|
+
|
|
591
|
+
Example: `[HIGH] CVE-2024-0001: Remote code execution in foo-lib`
|
|
592
|
+
|
|
593
|
+
### Issue Description Structure
|
|
594
|
+
|
|
595
|
+
Each created issue contains the following sections (in Jira ADF format):
|
|
596
|
+
|
|
597
|
+
| Section | Content |
|
|
598
|
+
| ------------------------ | --------------------------------------------------------- |
|
|
599
|
+
| **CVE Info** | Vulnerability description and dependency tree (ASCII art) |
|
|
600
|
+
| **Betroffene Artefakte** | List of affected component purls |
|
|
601
|
+
| **Gemeldete Produkte** | Scan projects matched by this routing rule |
|
|
602
|
+
| **Einwertung** | Placeholder for severity/impact assessment |
|
|
603
|
+
| **Betroffene Produkte** | Placeholder for final affected/not-affected determination |
|
|
604
|
+
| **Maßnahmen** | Placeholder for remediation steps |
|
|
605
|
+
|
|
492
606
|
## Dev Notes
|
|
493
607
|
|
|
494
608
|
Setup:
|