@conterra/vuln-scan 0.0.36 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -511,9 +511,9 @@ JIRA_API_TOKEN=<token> # Jira API token (https://id.atlassian.com/manage-p
511
511
 
512
512
  NOTE: These variables can also be placed in a `.env` file in the working directory.
513
513
 
514
- ### Configuration – `jira.json`
514
+ ### Configuration – `jira-conf.json`
515
515
 
516
- Create a `jira.json` file (path is configurable) that defines the Jira instance and the routing rules:
516
+ Create a `jira-conf.json` file (path is configurable) that defines the Jira instance and the routing rules:
517
517
 
518
518
  ```json
519
519
  {
@@ -523,9 +523,18 @@ Create a `jira.json` file (path is configurable) that defines the Jira instance
523
523
  {
524
524
  "jiraProject": "PLATFORM",
525
525
  "issueType": "CVE",
526
- "issueLabels": ["security", "cve"],
527
- "boardId": 12,
528
- "assignToActiveSprint": true,
526
+ "issueLabels": ["security"],
527
+ "addToBoard": [
528
+ {
529
+ "sprintBoardId": 10,
530
+ "issueLabels": ["team-a"],
531
+ "matchProjects": ["mapapps@*"]
532
+ },
533
+ {
534
+ "issueLabels": ["team-b"],
535
+ "matchProjects": ["smartfinder@*"]
536
+ }
537
+ ],
529
538
  "reportProjects": [
530
539
  "mapapps@*",
531
540
  "smartfinder@4.*"
@@ -540,18 +549,27 @@ Create a `jira.json` file (path is configurable) that defines the Jira instance
540
549
  }
541
550
  ```
542
551
 
543
- | Field | Required | Description |
544
- | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
545
- | `jiraUrl` | ✓ | Base URL of the Jira instance |
546
- | `issues` | ✓ | List of routing rules |
547
- | `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
548
- | `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
549
- | `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
550
- | `issues[].issueLabels` | – | Labels to attach to every created issue |
551
- | `issues[].boardId` | – | Scrum board ID needed to resolve the active sprint |
552
- | `issues[].assignToActiveSprint` | – | When `true` and `boardId` is set, the issue is added to the currently active sprint. If no sprint is found or the API call fails the issue is still created without a sprint assignment. |
552
+ | Field | Required | Description |
553
+ | ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
554
+ | `jiraUrl` | ✓ | Base URL of the Jira instance |
555
+ | `issues` | ✓ | List of routing rules |
556
+ | `issues[].jiraProject` | ✓ | Jira project key, e.g. `PLATFORM` |
557
+ | `issues[].issueType` | ✓ | Jira issue type name, e.g. `Bug`, `CVE` |
558
+ | `issues[].reportProjects` | ✓ | Glob patterns (`*` wildcard) for scan project identifiers (`name@version`) |
559
+ | `issues[].issueLabels` | – | Global labels attached to every issue created by this rule, merged with any labels from `addToBoard` entries |
560
+ | `issues[].addToBoard` | – | Per-board routing rules (see table below). Enables Scrum sprint assignment and/or Kanban label routing |
561
+ | `addToBoard[].sprintBoardId` | – | Scrum board ID. When set, the issue is assigned to the currently active sprint of that board via `customfield_10020`. Omit for Kanban boards. |
562
+ | `addToBoard[].issueLabels` | – | Labels contributed by this board entry (see routing rules below) |
563
+ | `addToBoard[].matchProjects` | – | Glob patterns to activate this entry. Defaults to `["*"]` (matches any project) |
564
+
565
+ **`addToBoard` routing rules:**
553
566
 
554
- **Routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
567
+ - Each entry in `addToBoard` is checked: its `matchProjects` patterns are tested against the scan projects affected by the current vulnerability. If none match, the entry is skipped.
568
+ - **Scrum (sprintBoardId set):** The **first** matching entry with a `sprintBoardId` claims the sprint. All subsequent matching sprint entries – including their labels – are ignored. This avoids ambiguous multi-sprint assignments, which Jira does not support.
569
+ - **Kanban (no sprintBoardId):** Matching entries always contribute their labels. This allows issues to appear on Kanban boards that filter by label.
570
+ - The final label set on the created issue is: `issueLabels` (top-level) + labels from the winning sprint entry (if any) + labels from all matching Kanban entries.
571
+
572
+ **`reportProjects` routing:** The `reportProjects` patterns are matched against each scan project identifier (`name@version`). The `*` wildcard matches any sequence of characters. Each routing rule is evaluated independently, so a vulnerability can be reported to multiple Jira projects. Rules that match no project are silently skipped.
555
573
 
556
574
  ### CLI Usage
557
575
 
@@ -561,8 +579,8 @@ $ ct-vuln-jira-report [options]
561
579
 
562
580
  ```
563
581
  Options:
564
- -c, --jira-config <path> Path to jira.json configuration file
565
- (default: ./jira.json)
582
+ -c, --jira-config <path> Path to jira-conf.json configuration file
583
+ (default: ./jira-conf.json)
566
584
  -s, --summary <path> Path to scan-summary.json produced by ct-vuln-scan
567
585
  (default: ./output/scan-summary.json)
568
586
  --dry-run Print what would be created without calling Jira
@@ -572,37 +590,16 @@ Options:
572
590
  Examples:
573
591
 
574
592
  ```sh
575
- # Use defaults (./jira.json + ./output/scan-summary.json)
593
+ # Use defaults (./jira-conf.json + ./output/scan-summary.json)
576
594
  $ ct-vuln-jira-report
577
595
 
578
596
  # Custom paths
579
- $ ct-vuln-jira-report --jira-config ./config/jira.json --summary ./output/scan-summary.json
597
+ $ ct-vuln-jira-report --jira-config ./config/jira-conf.json --summary ./output/scan-summary.json
580
598
 
581
599
  # Preview without creating issues
582
600
  $ ct-vuln-jira-report --dry-run
583
601
  ```
584
602
 
585
- ### Issue Title Format
586
-
587
- ```
588
- [<SEVERITY>] <Vuln-Id>: <Vuln-Title>
589
- ```
590
-
591
- Example: `[HIGH] CVE-2024-0001: Remote code execution in foo-lib`
592
-
593
- ### Issue Description Structure
594
-
595
- Each created issue contains the following sections (in Jira ADF format):
596
-
597
- | Section | Content |
598
- | ------------------------ | --------------------------------------------------------- |
599
- | **CVE Info** | Vulnerability description and dependency tree (ASCII art) |
600
- | **Betroffene Artefakte** | List of affected component purls |
601
- | **Gemeldete Produkte** | Scan projects matched by this routing rule |
602
- | **Einwertung** | Placeholder for severity/impact assessment |
603
- | **Betroffene Produkte** | Placeholder for final affected/not-affected determination |
604
- | **Maßnahmen** | Placeholder for remediation steps |
605
-
606
603
  ## Dev Notes
607
604
 
608
605
  Setup: