@conterra/vuln-scan 0.0.36 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +38 -41
- package/dist/add-statement.js +120 -120
- package/dist/jira-reporter.js +7 -7
- package/dist/schema/jira-config-schema.json +32 -9
- package/dist/schema/summary-schema.json +12 -8
- package/dist/vuln-scan.js +292 -292
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -511,9 +511,9 @@ JIRA_API_TOKEN=<token> # Jira API token (https://id.atlassian.com/manage-p
|
|
|
511
511
|
|
|
512
512
|
NOTE: These variables can also be placed in a `.env` file in the working directory.
|
|
513
513
|
|
|
514
|
-
### Configuration – `jira.json`
|
|
514
|
+
### Configuration – `jira-conf.json`
|
|
515
515
|
|
|
516
|
-
Create a `jira.json` file (path is configurable) that defines the Jira instance and the routing rules:
|
|
516
|
+
Create a `jira-conf.json` file (path is configurable) that defines the Jira instance and the routing rules:
|
|
517
517
|
|
|
518
518
|
```json
|
|
519
519
|
{
|
|
@@ -523,9 +523,18 @@ Create a `jira.json` file (path is configurable) that defines the Jira instance
|
|
|
523
523
|
{
|
|
524
524
|
"jiraProject": "PLATFORM",
|
|
525
525
|
"issueType": "CVE",
|
|
526
|
-
"issueLabels": ["security"
|
|
527
|
-
"
|
|
528
|
-
|
|
526
|
+
"issueLabels": ["security"],
|
|
527
|
+
"addToBoard": [
|
|
528
|
+
{
|
|
529
|
+
"sprintBoardId": 10,
|
|
530
|
+
"issueLabels": ["team-a"],
|
|
531
|
+
"matchProjects": ["mapapps@*"]
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"issueLabels": ["team-b"],
|
|
535
|
+
"matchProjects": ["smartfinder@*"]
|
|
536
|
+
}
|
|
537
|
+
],
|
|
529
538
|
"reportProjects": [
|
|
530
539
|
"mapapps@*",
|
|
531
540
|
"smartfinder@4.*"
|
|
@@ -540,18 +549,27 @@ Create a `jira.json` file (path is configurable) that defines the Jira instance
|
|
|
540
549
|
}
|
|
541
550
|
```
|
|
542
551
|
|
|
543
|
-
| Field
|
|
544
|
-
|
|
|
545
|
-
| `jiraUrl`
|
|
546
|
-
| `issues`
|
|
547
|
-
| `issues[].jiraProject`
|
|
548
|
-
| `issues[].issueType`
|
|
549
|
-
| `issues[].reportProjects`
|
|
550
|
-
| `issues[].issueLabels`
|
|
551
|
-
| `issues[].
|
|
552
|
-
| `
|
|
552
|
+
| Field | Required | Description |
|
|
553
|
+
| ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
554
|
+
| `jiraUrl` | ✓ | Base URL of the Jira instance |
|
|
555
|
+
| `issues` | ✓ | List of routing rules |
|
|
556
|
+
| `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
|
|
557
|
+
| `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
|
|
558
|
+
| `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
|
|
559
|
+
| `issues[].issueLabels` | – | Global labels attached to every issue created by this rule, merged with any labels from `addToBoard` entries |
|
|
560
|
+
| `issues[].addToBoard` | – | Per-board routing rules (see table below). Enables Scrum sprint assignment and/or Kanban label routing |
|
|
561
|
+
| `addToBoard[].sprintBoardId` | – | Scrum board ID. When set, the issue is assigned to the currently active sprint of that board via `customfield_10020`. Omit for Kanban boards. |
|
|
562
|
+
| `addToBoard[].issueLabels` | – | Labels contributed by this board entry (see routing rules below) |
|
|
563
|
+
| `addToBoard[].matchProjects` | – | Glob patterns to activate this entry. Defaults to `["*"]` (matches any project) |
|
|
564
|
+
|
|
565
|
+
**`addToBoard` routing rules:**
|
|
553
566
|
|
|
554
|
-
|
|
567
|
+
- Each entry in `addToBoard` is checked: its `matchProjects` patterns are tested against the scan projects affected by the current vulnerability. If none match, the entry is skipped.
|
|
568
|
+
- **Scrum (sprintBoardId set):** The **first** matching entry with a `sprintBoardId` claims the sprint. All subsequent matching sprint entries – including their labels – are ignored. This avoids ambiguous multi-sprint assignments, which Jira does not support.
|
|
569
|
+
- **Kanban (no sprintBoardId):** Matching entries always contribute their labels. This allows issues to appear on Kanban boards that filter by label.
|
|
570
|
+
- The final label set on the created issue is: `issueLabels` (top-level) + labels from the winning sprint entry (if any) + labels from all matching Kanban entries.
|
|
571
|
+
|
|
572
|
+
**`reportProjects` routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
|
|
555
573
|
|
|
556
574
|
### CLI Usage
|
|
557
575
|
|
|
@@ -561,8 +579,8 @@ $ ct-vuln-jira-report [options]
|
|
|
561
579
|
|
|
562
580
|
```
|
|
563
581
|
Options:
|
|
564
|
-
-c, --jira-config <path> Path to jira.json configuration file
|
|
565
|
-
(default: ./jira.json)
|
|
582
|
+
-c, --jira-config <path> Path to jira-conf.json configuration file
|
|
583
|
+
(default: ./jira-conf.json)
|
|
566
584
|
-s, --summary <path> Path to scan-summary.json produced by ct-vuln-scan
|
|
567
585
|
(default: ./output/scan-summary.json)
|
|
568
586
|
--dry-run Print what would be created without calling Jira
|
|
@@ -572,37 +590,16 @@ Options:
|
|
|
572
590
|
Examples:
|
|
573
591
|
|
|
574
592
|
```sh
|
|
575
|
-
# Use defaults (./jira.json + ./output/scan-summary.json)
|
|
593
|
+
# Use defaults (./jira-conf.json + ./output/scan-summary.json)
|
|
576
594
|
$ ct-vuln-jira-report
|
|
577
595
|
|
|
578
596
|
# Custom paths
|
|
579
|
-
$ ct-vuln-jira-report --jira-config ./config/jira.json --summary ./output/scan-summary.json
|
|
597
|
+
$ ct-vuln-jira-report --jira-config ./config/jira-conf.json --summary ./output/scan-summary.json
|
|
580
598
|
|
|
581
599
|
# Preview without creating issues
|
|
582
600
|
$ ct-vuln-jira-report --dry-run
|
|
583
601
|
```
|
|
584
602
|
|
|
585
|
-
### Issue Title Format
|
|
586
|
-
|
|
587
|
-
```
|
|
588
|
-
[<SEVERITY>] <Vuln-Id>: <Vuln-Title>
|
|
589
|
-
```
|
|
590
|
-
|
|
591
|
-
Example: `[HIGH] CVE-2024-0001: Remote code execution in foo-lib`
|
|
592
|
-
|
|
593
|
-
### Issue Description Structure
|
|
594
|
-
|
|
595
|
-
Each created issue contains the following sections (in Jira ADF format):
|
|
596
|
-
|
|
597
|
-
| Section | Content |
|
|
598
|
-
| ------------------------ | --------------------------------------------------------- |
|
|
599
|
-
| **CVE Info** | Vulnerability description and dependency tree (ASCII art) |
|
|
600
|
-
| **Betroffene Artefakte** | List of affected component purls |
|
|
601
|
-
| **Gemeldete Produkte** | Scan projects matched by this routing rule |
|
|
602
|
-
| **Einwertung** | Placeholder for severity/impact assessment |
|
|
603
|
-
| **Betroffene Produkte** | Placeholder for final affected/not-affected determination |
|
|
604
|
-
| **Maßnahmen** | Placeholder for remediation steps |
|
|
605
|
-
|
|
606
603
|
## Dev Notes
|
|
607
604
|
|
|
608
605
|
Setup:
|