Create a Jira Configuration Profile

JFrog Security Documentation


After completing the connection between Jira and Xray, you need to create a Jira Configuration profile. As there are different Jira projects for different teams, the configuration profile enables you to define specific criteria for the issued Jira ticket per Jira project, such as labels and custom mappings defined in the Jira project.

Note

Xray supports the Jira field types listed below. If an issue type has a required field of any other type, that issue type will not appear in the “Issue Type” list of the profile configuration page.

  • Short Text

  • Paragraph (Xray does not support rich text)

  • Drop Down

  • Check Box / Check Boxes

  • Labels

  • Number

  • Radio Buttons

  • Select List (multiple choices)

  • Select List (single choice)
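A pre-flight check for the restriction in the note above, written as an added example (it is not JFrog or Atlassian code): it walks data in the shape of Jira's issue create metadata (createmeta) response and reports, per issue type, the required custom fields whose type is not in the list. Assumptions: the mapping from the field-type names on this page to Jira custom-field type keys, the rule that system and optional fields are ignored, and the sample project data, which is constructed.

```python
PREFIX = "com.atlassian.jira.plugin.system.customfieldtypes:"
# Assumption: mapping from the field types listed on this page to Jira
# custom-field type keys. Confirm it against your own Jira instance.
SUPPORTED = {
    "textfield": "Short Text",
    "textarea": "Paragraph",
    "select": "Drop Down / Select List (single choice)",
    "multicheckboxes": "Check Box / Check Boxes",
    "labels": "Labels",
    "float": "Number",
    "radiobuttons": "Radio Buttons",
    "multiselect": "Select List (multiple choices)",
}

def blocking_fields(createmeta):
    """Return {'PROJECT/Issue Type': [(field name, type key), ...]} listing
    required custom fields whose type is not in SUPPORTED."""
    report = {}
    for project in createmeta.get("projects", []):
        for itype in project.get("issuetypes", []):
            blockers = []
            for field in itype.get("fields", {}).values():
                custom = field.get("schema", {}).get("custom")
                # Assumption: optional fields and system fields (no "custom"
                # key in the schema) do not affect the Issue Type list.
                if not field.get("required") or custom is None:
                    continue
                key = custom[len(PREFIX):] if custom.startswith(PREFIX) else custom
                if key not in SUPPORTED:
                    blockers.append((field.get("name", "?"), key))
            report[f"{project['key']}/{itype['name']}"] = sorted(blockers)
    return report

def _f(name, required, custom=None):
    """Build one constructed field entry in createmeta shape."""
    schema = {"custom": PREFIX + custom} if custom else {"system": name.lower()}
    return {"name": name, "required": required, "schema": schema}

# Constructed sample, not output from a real Jira instance.
SAMPLE = {"projects": [{"key": "XRAY", "issuetypes": [
    {"name": "Security", "fields": {
        "summary": _f("Summary", True),
        "customfield_10050": _f("Severity", True, "select"),
        "customfield_10051": _f("Reviewer", False, "userpicker")}},
    {"name": "Audit", "fields": {
        "summary": _f("Summary", True),
        "customfield_10060": _f("Review Date", True, "datepicker")}},
]}]}

if __name__ == "__main__":
    for issue_type, blockers in blocking_fields(SAMPLE).items():
        print(issue_type, "OK" if not blockers else f"blocked by {blockers}")
```

An issue type with an empty list has no required custom field outside the listed types; any entry in the list names a field to make optional or retype before building the profile.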


Macros

Xray provides a list of macros, which you can map to the Custom Fields or Labels of your Jira project. Xray resolves these macros for a violation and assigns the appropriate values to the custom fields as part of ticket creation. Here are the available macros:

  • Impacted Artifact

  • Impacted Component

  • Package Type

  • Vulnerability ID

  • Violation Type

  • Severity

  • Severity Source

  • JFrog Research Severity

  • CVE

  • CVSS V2 Vector

  • CVSS V2 Score

  • CVSS V3 Vector

  • CVSS V3 Score

  • CVSS V2 Access Complexity

  • CVSS V2 Attack Vector

  • CVSS V3 Attack Complexity

  • CVSS V3 Attack Vector

  • Fix Version

  • Watch Name

  • Policy Name

  • Triggered Rule

  • Component License ID

  • Fix Version Available?

  • CVE Applicable

  • Exposure Fix Cost

Example:

Suppose you have a Jira project called “Xray” and would like to configure the “Security” issue type as a profile and create tickets under it for any violations. Here are the steps you would follow:

  1. The issue type “Security” is configured as below.

    jira_security.png
  2. Note the custom field “Severity” added to the context fields. “Severity” has the below configuration.

    jira_custom.png
  3. Now, while creating the profile, you select “Xray” as the project type and “Security” as the issue type. Xray automatically lists all the required mandatory fields; in this case, you can see “Severity” listed here.

    jira_mandatory.png
  4. In “Severity”, you will see two types of options to select: “Dynamic Value” and “Static Value.” These let you select either an Xray macro or one of the options you have set in the Jira custom field configuration. Xray displays the most suitable macros based on your custom field configuration.

    jira_severity.png
  5. Assign the Xray macro “Severity” to the Jira custom field. As soon as you do this, a popup prompts you to provide a default value. When you map a macro to a mandatory custom field, Xray needs a default value to use when creating the ticket. For example, a reported CVE may not have a Severity; the default value is what you want to see in the Jira ticket in that case.

    jira_dynamicvalue.png
  6. You may also want to add a “Label” when Xray creates a ticket. Label is an optional field during ticket generation, so you must add it to the profile before editing it. Click “Add Optional Fields” and add Labels to the profile page.

    jira_customfield.png
  7. You can select one of the Xray macros, type in static text, or both. Note that white spaces are not allowed in Jira Labels; they are replaced by _ (underscores) in the Jira ticket.

    jira_labels.png
  8. To validate your configurations, try “Creating a test ticket.”

    jira_validation.png
  9. Save your profile.