
This is a feature that allows you to send vulnerabilities from Faraday to JIRA. Through this process you will see how to

JIRA's Configuration

Follow the instructions based on your JIRA instance (On-prem or Cloud).

JIRA On Prem Software Configuration

Copy your instance URL and Project Key from your JIRA instance information:

JIRA Cloud

Copy your JIRA Instance URL and Project Key information:

URL (example): https://example.atlassian.net/

Project Key (example): FARADAYKEY

We need to activate OAuth Authentication:

Inside your JIRA Cloud, click on the gear icon at the top-right corner (left side of your profile icon) and click on Products. Then, on the left-side bar, click on Application links.

In the input bar at JIRA, enter your Faraday URL (example: http://localhost:5985).

If this message appears and the URL is correct, just click Continue.

Fill in the application fields: in this case, Faraday as the Application Name. You must select Generic Application as the Application Type and mark the option Create incoming link. Then, click Continue.

Now, you will need to create a:

  • Consumer Key: you should copy and save this for the later configuration at Faraday.

  • Consumer Name: In this case, we use Faraday.

  • Public Key: Following the Jira configure flow, at the end there is a generate key button.

    Just copy and paste it inside your Public Key field at JIRA.

Then, click Continue to generate the application.

If everything is OK, you should see this screen:

Faraday authenticates to Jira using OAuth 1.0

Begin authentication

Once you’ve created the Application Link, go to Faraday’s Settings and select the Ticketing Tools section.

Once there, select JIRA and you will see a slide button next to OAuth Authentication. Click it.

Wait a few seconds (it may take a while if you have many projects and users in JIRA).

Authorize the OAuth request and click the OK button in the JIRA OAuth dialog.

Faraday's Configuration

Log in to Faraday's Web UI and go to Settings by clicking on your username in the top right corner:

Inside Settings, navigate to Ticketing Tools and Select JIRA from the dropdown menu:

JIRA Configuration

Inside the ticketing tool at Faraday, paste your instance URL and Project Key, then add your Consumer Key into the OAuth Authentication field. After this, click the round button to authenticate.

You should see this. Click on Redirect to JIRA. Once on the JIRA website, click on Allow and wait until you receive an Access Approved message. Once received, close the tab.

Once in Faraday, click on Ok.

Configure JIRA users in Faraday

Inside Preferences, navigate to Ticketing Tools and Select JIRA:

Search Jira users from the Assign Users box and hit enter:

If the user is added correctly, the user can be selected as reporter in the "reporters" field.

User added correctly!

Send vulnerability to JIRA

Navigate to the Manage > Vulns view inside Faraday's Web UI

To send vulnerabilities to JIRA, select the desired vulnerabilities, click on the Tools button at the top-right corner and then click on JIRA.

Click on the dropdown menu Add columns and add the issuetracker column.

Now, select the vulnerability you want to export and click on Tools > JIRA

Keep in mind that only confirmed vulnerabilities can be sent.

Once the JIRA dialog opens, you have two options:

You can use the default data saved in the Ticketing Tools section of Settings (see Save JIRA's Configuration for more information):

You can overwrite JIRA default data by clicking on the checkbox button and then manually input your JIRA credentials. Then click OK:

If you overwrite only one field, Faraday will fill the other fields with the default data. E.g., if you overwrite Project Key, Faraday will fill the URL field with the information you have saved in Settings.

You should see the word JIRA appear in the issuetracker column of your vuln. You can click on it to see the issue that has been created on JIRA.

In Jira

Template

The template is preloaded in the description, but you can use the fields described in our Jinja2 context doc (Link).

The template's name where you'll define the issue's description. You can call any attribute of the vulnerability object using Jinja2 syntax. E.g., if you want your issue in JIRA to have as description the target, the hostnames, and the severity of the vulnerability, the template would be as follows:

{# This is a Template for Faraday Jira Integration #}
{# Pre-Flight Adjustments #}
{% set issuetracker_config = 'jira' %}
{% set http_size_config = 4096 %}
{% if 'med' in vuln.severity %}
{% set corrected_severity = 'Medium' %}
{% else %}
{% set corrected_severity = vuln.severity %}
{% endif %}
{# Issue template structure should go under this comment #}
{% if 'VulnerabilityWeb' in vuln.type %}
# [{{ corrected_severity | capitalize}}] {{vuln.name}} - ({{vuln.path}})
{% else %}
# [{{ corrected_severity | capitalize}}] {{vuln.name}}
{% endif %}
## Description
{{ vuln.desc }}
#### This issue has been rated as: `{{ corrected_severity | capitalize }}`
Affected Asset: {{vuln.target}}
{%  if vuln.website %}
Affected URL: {{ vuln.website }}{{ vuln.path }}
{% endif %}
{% if vuln.hostnames %}
#### Hostnames
{% for hostname in vuln.hostnames %}
- {{hostname}}
{% endfor %}
{% endif %}
## Recommendations
{{ vuln.resolution }}
{%for ref in vuln.refs%}
- {{ref}}
{%endfor%}
{%if vuln.easeofresolution%}
#### Estimated ease of resolution
{{ vuln.easeofresolution | capitalize }}
{%endif%}
### Technical Details
{%if vuln.data%}
#### Proof of Concept
{{vuln.data}}
{%endif%}
{%if vuln.request%}
#### Request

{{vuln.request|truncate(http_size_config, False, '...', 0) }}

{%endif%}
{% if vuln.response %}
#### Response

{{ vuln.response|truncate(http_size_config, False, '...', 0) }}

{%endif%}
## Issue [{{ vuln.id }}] {{vuln.name}} [{{vuln.status}}]
{# A vulnerability might be associated with more than one issuetracker id #}
{% for key, value in vuln.issuetracker_json.items() %}
{% if issuetracker_config in key%}
This issue has already been reported in this platform:
- {{ key | capitalize}}
{% for line in value %}
- Issue: {{line.url}}
{% endfor %}
{% endif %}
source: created by {{vuln.owner or "faraday"}} using {{vuln.tool}} - {{vuln.external_id}} - {{vuln.date}}
{% endfor %}
{# end of file #}
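
Added example (not part of the Faraday documentation): a local preview of an excerpt of the template above, rendered with the `jinja2` Python package against a constructed vulnerability record, so you can see what would land in the JIRA ticket before saving a customised template. The sample values, the `preview` helper and the use of `StrictUndefined` are assumptions of this example, not Faraday's own behaviour.

```python
from jinja2 import Environment, StrictUndefined, UndefinedError

# Excerpt of the template above: severity fix-up, title, asset, hostnames, request.
TEMPLATE = """\
{% set http_size_config = 4096 %}
{% if 'med' in vuln.severity %}
{% set corrected_severity = 'Medium' %}
{% else %}
{% set corrected_severity = vuln.severity %}
{% endif %}
# [{{ corrected_severity | capitalize }}] {{ vuln.name }}
Affected Asset: {{ vuln.target }}
{% if vuln.hostnames %}
#### Hostnames
{% for hostname in vuln.hostnames %}
- {{ hostname }}
{% endfor %}
{% endif %}
{% if vuln.request %}
#### Request
{{ vuln.request | truncate(http_size_config, False, '...', 0) }}
{% endif %}
"""

# Constructed sample data; field names follow the template, values are made up.
# truncate(..., False, ...) cuts at the last space before the 4096 cap, so the
# oversized body (no spaces) is dropped and the request ends at "Host:...".
SAMPLE_VULN = {
    "severity": "med",
    "name": "Reflected XSS in search",
    "target": "192.0.2.10",
    "hostnames": ["app.example.test"],
    "request": "POST /search HTTP/1.1\nHost: app.example.test\n\nq=" + "A" * 5000,
}

# StrictUndefined (this example's choice) turns a missing or misspelled
# vuln attribute into an error instead of an empty line in the ticket.
ENV = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)

def preview(vuln):
    """Return (rendered_text, error); error names the missing field, if any."""
    try:
        return ENV.from_string(TEMPLATE).render(vuln=vuln), None
    except UndefinedError as exc:
        return None, str(exc)

if __name__ == "__main__":
    text, error = preview(SAMPLE_VULN)
    print(error or text)
```

The request, response and proof-of-concept fields are copied into the ticket as rendered, so the preview is also a convenient place to check what evidence will be visible to everyone with access to the JIRA project.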

You can also link an issue to an Epic. To do so, look for the custom field Epic Link of your instance and add it to your issue's configuration (just as in the example above). Once you add it, you need to type the issue keys of the epic into the input field.