@conterra/vuln-scan 0.0.35 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +111 -0
- package/dist/add-project.js +453 -456
- package/dist/add-statement.js +454 -457
- package/dist/jira-reporter.js +19 -0
- package/dist/remove-project.js +434 -437
- package/dist/schema/jira-config-schema.json +94 -0
- package/dist/schema/summary-schema.json +156 -0
- package/dist/vuln-scan.js +156 -156
- package/package.json +8 -7
package/README.md
CHANGED
|
@@ -52,6 +52,10 @@ After that you have following commands available:
|
|
|
52
52
|
- `ct-vuln-add-project-to-vex`
|
|
53
53
|
- Update vex files to include a new project version. The project is added to each vex file that references the existing project version given.
|
|
54
54
|
- This step is already included in the `ct-vuln-add-project` command, but it can be run separately to update the vex files for an already existing project entry in the configuration file.
|
|
55
|
+
- `ct-vuln-jira-report`
|
|
56
|
+
- Reads a `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for newly detected vulnerabilities.
|
|
57
|
+
- Issues are only created when no existing issue with the same vulnerability ID already exists in the target Jira project.
|
|
58
|
+
- Routing rules in a `jira.json` file control which scan projects are reported to which Jira projects.
|
|
55
59
|
|
|
56
60
|
### Vulnerability scan
|
|
57
61
|
|
|
@@ -489,6 +493,113 @@ $ ct-vuln-remove-project mapapps 4.18.3-SNAPSHOT
|
|
|
489
493
|
$ ct-vuln-add-project mapapps 4.18.3 4.18.4-SNAPSHOT
|
|
490
494
|
```
|
|
491
495
|
|
|
496
|
+
## Usage - Jira Report
|
|
497
|
+
|
|
498
|
+
The `ct-vuln-jira-report` command reads the `scan-summary.json` produced by `ct-vuln-scan` and creates Jira issues for every new vulnerability that has not already been reported.
|
|
499
|
+
|
|
500
|
+
For each vulnerability the tool:
|
|
501
|
+
1. Checks (via JQL) whether an issue with the same vulnerability ID already exists in the target Jira project.
|
|
502
|
+
2. If not, creates a new issue with a structured description including CVE details, affected artefacts, affected products, and placeholder sections for assessment and remediation.
|
|
503
|
+
|
|
504
|
+
### Environment Variables
|
|
505
|
+
|
|
506
|
+
```bash
|
|
507
|
+
# Required
|
|
508
|
+
JIRA_USER=user@example.com # Jira account e-mail address
|
|
509
|
+
JIRA_API_TOKEN=<token> # Jira API token (https://id.atlassian.com/manage-profile/security/api-tokens)
|
|
510
|
+
```
|
|
511
|
+
|
|
512
|
+
NOTE: These variables can also be placed in a `.env` file in the working directory.
|
|
513
|
+
|
|
514
|
+
### Configuration – `jira-conf.json`
|
|
515
|
+
|
|
516
|
+
Create a `jira-conf.json` file (path is configurable) that defines the Jira instance and the routing rules:
|
|
517
|
+
|
|
518
|
+
```json
|
|
519
|
+
{
|
|
520
|
+
"$schema": "./node_modules/@conterra/vuln-scan/dist/schema/jira-config-schema.json",
|
|
521
|
+
"jiraUrl": "https://myorg.atlassian.net",
|
|
522
|
+
"issues": [
|
|
523
|
+
{
|
|
524
|
+
"jiraProject": "PLATFORM",
|
|
525
|
+
"issueType": "CVE",
|
|
526
|
+
"issueLabels": ["security"],
|
|
527
|
+
"addToBoard": [
|
|
528
|
+
{
|
|
529
|
+
"sprintBoardId": 10,
|
|
530
|
+
"issueLabels": ["team-a"],
|
|
531
|
+
"matchProjects": ["mapapps@*"]
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"issueLabels": ["team-b"],
|
|
535
|
+
"matchProjects": ["smartfinder@*"]
|
|
536
|
+
}
|
|
537
|
+
],
|
|
538
|
+
"reportProjects": [
|
|
539
|
+
"mapapps@*",
|
|
540
|
+
"smartfinder@4.*"
|
|
541
|
+
]
|
|
542
|
+
},
|
|
543
|
+
{
|
|
544
|
+
"jiraProject": "OTHER",
|
|
545
|
+
"issueType": "Bug",
|
|
546
|
+
"reportProjects": ["*"]
|
|
547
|
+
}
|
|
548
|
+
]
|
|
549
|
+
}
|
|
550
|
+
```
|
|
551
|
+
|
|
552
|
+
| Field | Required | Description |
|
|
553
|
+
| ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
554
|
+
| `jiraUrl` | ✓ | Base URL of the Jira instance |
|
|
555
|
+
| `issues` | ✓ | List of routing rules |
|
|
556
|
+
| `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
|
|
557
|
+
| `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
|
|
558
|
+
| `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
|
|
559
|
+
| `issues[].issueLabels` | – | Global labels attached to every issue created by this rule, merged with any labels from `addToBoard` entries |
|
|
560
|
+
| `issues[].addToBoard` | – | Per-board routing rules (see table below). Enables Scrum sprint assignment and/or Kanban label routing |
|
|
561
|
+
| `addToBoard[].sprintBoardId` | – | Scrum board ID. When set, the issue is assigned to the currently active sprint of that board via `customfield_10020`. Omit for Kanban boards. |
|
|
562
|
+
| `addToBoard[].issueLabels` | – | Labels contributed by this board entry (see routing rules below) |
|
|
563
|
+
| `addToBoard[].matchProjects` | – | Glob patterns to activate this entry. Defaults to `["*"]` (matches any project) |
|
|
564
|
+
|
|
565
|
+
**`addToBoard` routing rules:**
|
|
566
|
+
|
|
567
|
+
- Each entry in `addToBoard` is checked: its `matchProjects` patterns are tested against the scan projects affected by the current vulnerability. If none match, the entry is skipped.
|
|
568
|
+
- **Scrum (sprintBoardId set):** The **first** matching entry with a `sprintBoardId` claims the sprint. All subsequent matching sprint entries – including their labels – are ignored. This avoids ambiguous multi-sprint assignments, which Jira does not support.
|
|
569
|
+
- **Kanban (no sprintBoardId):** Matching entries always contribute their labels. This allows issues to appear on Kanban boards that filter by label.
|
|
570
|
+
- The final label set on the created issue is: `issueLabels` (top-level) + labels from the winning sprint entry (if any) + labels from all matching Kanban entries.
|
|
571
|
+
|
|
572
|
+
**`reportProjects` routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
|
|
573
|
+
|
|
574
|
+
### CLI Usage
|
|
575
|
+
|
|
576
|
+
```sh
|
|
577
|
+
$ ct-vuln-jira-report [options]
|
|
578
|
+
```
|
|
579
|
+
|
|
580
|
+
```
|
|
581
|
+
Options:
|
|
582
|
+
-c, --jira-config <path> Path to jira-conf.json configuration file
|
|
583
|
+
(default: ./jira-conf.json)
|
|
584
|
+
-s, --summary <path> Path to scan-summary.json produced by ct-vuln-scan
|
|
585
|
+
(default: ./output/scan-summary.json)
|
|
586
|
+
--dry-run Print what would be created without calling Jira
|
|
587
|
+
-h, --help Show help
|
|
588
|
+
```
|
|
589
|
+
|
|
590
|
+
Examples:
|
|
591
|
+
|
|
592
|
+
```sh
|
|
593
|
+
# Use defaults (./jira-conf.json + ./output/scan-summary.json)
|
|
594
|
+
$ ct-vuln-jira-report
|
|
595
|
+
|
|
596
|
+
# Custom paths
|
|
597
|
+
$ ct-vuln-jira-report --jira-config ./config/jira-conf.json --summary ./output/scan-summary.json
|
|
598
|
+
|
|
599
|
+
# Preview without creating issues
|
|
600
|
+
$ ct-vuln-jira-report --dry-run
|
|
601
|
+
```
|
|
602
|
+
|
|
492
603
|
## Dev Notes
|
|
493
604
|
|
|
494
605
|
Setup:
|