Jira

This is a feature that allows you to send vulnerabilities from Faraday to JIRA. Through this process you will see how to

JIRA's Configuration

1. Follow the instructions based on your JIRA Instance (On-prem or Cloud)

Copy your instance URL and Project Key from your JIRA instance information:

URL (example): https://localhost:8080/

Project Key (example): FARADAYPRO

template : choose a template from the dropdown menu (templates should be inside Faraday's Server at /home/faraday/.faraday/integrations_templates/)

Click here to download an example template.

Copy your JIRA Instance URL and Project Key information:

URL (example): https://example.atlassian.net/

Project Key (example): FARADAYPRO

template : choose a template from the dropdown menu (templates should be inside Faraday's Server at /home/faraday/.faraday/integrations_templates/)

Click here to download an example template.

Now, we need to activate OAuth Authentication:

Inside your JIRA Cloud, click on the gear icon at the top-right corner (to the left of your profile icon) and click on Products. Then, on the left-side bar, click on Application links.

In the input bar in JIRA, enter your Faraday URL (example: http://localhost:5985)

If this message appears and the URL is correct, just click Continue

Fill in the application fields: in this case, enter Faraday as the Application Name, select Generic Application as the Application Type, and mark the option Create incoming link. Then, click Continue.

Now, you will need to create a:

  • Consumer Key: copy and save this; you will need it later when configuring Faraday.

  • Consumer Name: In this case, we use Faraday.

  • Public Key: To create this Public Key, run the following command on your Faraday Server:

    faraday-manage generate-rsa-keys --integration jira

    The command prints a PEM-encoded public key, that is, a block delimited by -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

    Copy and paste it into your Public Key field in JIRA.

Then, click Continue to generate the application.
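Before pasting the command's output into the Public Key field, you can confirm that the block really is the public half of the pair and see how large the RSA modulus is. The check below is an added example, not part of Faraday or its documentation; the function names and the constructed sample are assumptions, and it assumes the output is the RSA SubjectPublicKeyInfo block that the BEGIN PUBLIC KEY header indicates.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _enc(tag, body):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def _dec(buf, pos=0):
    """Decode one DER TLV at pos and return (tag, value, next_pos)."""
    tag, n = buf[pos:pos + 2]         # ValueError if fewer than two bytes remain
    pos += 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER structure")
    return tag, buf[pos:pos + n], pos + n

def rsa_public_key_bits(pem):
    """Return the RSA modulus size of a PUBLIC KEY block; raise ValueError otherwise."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != "PUBLIC KEY":    # a PRIVATE KEY block must stay on the Faraday server
        raise ValueError(f"refusing to use a {m.group(1)} block")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    _, spki, _ = _dec(der)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _dec(spki)          # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _dec(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bits, _ = _dec(spki, pos)      # BIT STRING, first byte is the unused-bit count
    _, rsa_key, _ = _dec(bits, 1)     # RSAPublicKey SEQUENCE
    _, modulus, _ = _dec(rsa_key)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def sample_pem(bits=2048):
    """Constructed sample: well-formed encoding of an arbitrary odd number, not a usable key."""
    def integer(v):
        return _enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa_key = _enc(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _enc(0x30, _enc(0x06, RSA_OID) + _enc(0x05, b""))
    b64 = base64.b64encode(_enc(0x30, alg + _enc(0x03, b"\x00" + rsa_key))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```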

If everything is Ok, you should see this screen:


Faraday authenticates to Jira using OAuth 1.0a.

3. Faraday's Configuration

Log in to Faraday's Web UI and go to Settings by clicking on your username at the top-right corner:

Inside Settings, navigate to Ticketing Tools and Select JIRA from the dropdown menu:

Paste your JIRA instance information into the corresponding fields.

If everything is Ok, click on the green Save button and you should see a pop-up like this:

Inside the ticketing tool at Faraday, paste your instance URL and Project Key, then add your Consumer Key into the OAuth Authentication field. After this, click the round button to authenticate.

You should see this; click on Redirect to JIRA. Once on the JIRA website, click on Allow and wait until you receive an Access Approved message. Once received, close the tab.

Once in Faraday, click on Authorized.


4. Send vulnerability to JIRA

Navigate to the Manage > Vulns view inside Faraday's Web UI

To send vulnerabilities to JIRA, select the desired vulnerabilities, click on the Tools button at the top-right corner and then click on JIRA.

Click on the dropdown menu Add columns and add the issuetracker column.

Now, select the vulnerability you want to export and click on Tools > JIRA

Keep in mind that only confirmed vulnerabilities can be sent.

Once the JIRA dialog opens, you have two options:

You can use the default data saved in the Ticketing Tools section of Settings (see Save JIRA's Configuration for more information):

You can overwrite JIRA default data by clicking on the checkbox button and then manually entering your JIRA credentials. Then click OK:

If you overwrite only one field, Faraday will fill the other fields with the default data. E.g., if you overwrite Project Key, Faraday will fill the URL field with the information you have saved in Settings.

Click Ok.

You should see the word JIRA appear in the issuetracker column of your vuln. You can click on it to see the issue that has been created in JIRA.

Template

The template is preloaded in the description, but you can use the fields described in our Jinja2 context doc.

Template is the name of the template in which you define the issue's description. You can call any attribute of the vulnerability object using Jinja2 syntax. E.g., if you want your issue in JIRA to have the target, the hostnames, and the severity of the vulnerability as its description, the template would be as follows:

{# This is a Template for Faraday Jira Integration #}
{# Pre-Flight Adjustments #}
{% set issuetracker_config = 'gitlab' %}
{% set http_size_config = 4096 %}
{% if 'med' in vuln.severity %}
{% set corrected_severity = 'Medium' %}
{% else %}
{% set corrected_severity = vuln.severity %}
{% endif %}
{# Issue template structure should go under this comment #}
{% if 'VulnerabilityWeb' in vuln.type %}
# [{{ corrected_severity | capitalize}}] {{vuln.name}} - ({{vuln.path}})
{% else %}
# [{{ corrected_severity | capitalize}}] {{vuln.name}}
{% endif %}
## Description
{{ vuln.desc }}
#### This issue has been rated as: `{{ corrected_severity | capitalize }}`
Affected Asset: {{vuln.target}}
{%  if vuln.website %}
Affected URL: {{ vuln.website }}{{ vuln.path }}
{% endif %}
{% if vuln.hostnames %}
#### Hostnames
{% for hostname in vuln.hostnames %}
- {{hostname}}
{% endfor %}
{% endif %}
## Recommendations
{{ vuln.resolution }}
{%for ref in vuln.refs%}
- {{ref}}
{%endfor%}
{%if vuln.easeofresolution%}
#### Estimated ease of resolution
{{ vuln.easeofresolution | capitalize }}
{%endif%}
### Technical Details
{%if vuln.data%}
#### Proof of Concept
{{vuln.data}}
{%endif%}
{%if vuln.request%}
#### Request

{{vuln.request|truncate(http_size_config, False, '...', 0) }}

{%endif%}
{% if vuln.response %}
#### Response

{{ vuln.response|truncate(http_size_config, False, '...', 0) }}

{%endif%}
## Issue [{{ vuln.id }}] {{vuln.name}} [{{vuln.status}}]
{# A vulnerability might be associated with more than one issuetracker id #}
{% for key, value in vuln.issuetracker_json.items() %}
{% if issuetracker_config in key%}
This issue has already been reported in this platform:
- {{ key | capitalize}}
{% for line in value %}
- Issue: {{line.url}}
{% endfor %}
{% endif %}
{% endfor %}
source: created by {{vuln.owner or "faraday"}} using {{vuln.tool}} - {{vuln.external_id}} - {{vuln.date}}
{# end of file #}

This template must be located inside the folder

/home/faraday/.faraday/integrations_templates/
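A template can be rendered locally against a constructed vulnerability before it is copied into that folder, to confirm the severity mapping and the request truncation and to catch misspelled attribute names. This is an added example, not Faraday's own rendering code: the excerpt is cut down from the template above, the `vuln` object is a constructed stand-in, and using Jinja2's `SandboxedEnvironment` with `StrictUndefined` is this example's choice, not a statement of how Faraday renders templates.

```python
from types import SimpleNamespace
from jinja2 import StrictUndefined, TemplateError
from jinja2.sandbox import SandboxedEnvironment

# Excerpt of the page's template, with http_size_config lowered to 40 so truncation is visible.
EXCERPT = """\
{% set http_size_config = 40 %}
{% if 'med' in vuln.severity %}
{% set corrected_severity = 'Medium' %}
{% else %}
{% set corrected_severity = vuln.severity %}
{% endif %}
# [{{ corrected_severity | capitalize }}] {{ vuln.name }}
Affected Asset: {{ vuln.target }}
{% if vuln.request %}
#### Request
{{ vuln.request|truncate(http_size_config, False, '...', 0) }}
{% endif %}
"""

# Constructed stand-in for the vulnerability object passed to the template.
SAMPLE_VULN = SimpleNamespace(
    severity="med", name="Missing HttpOnly flag", target="192.0.2.10",
    request="GET /account?id=1001 HTTP/1.1\nHost: app.example\nCookie: session=constructed-value",
)

def preview(template_text, vuln):
    """Render template_text; StrictUndefined turns a misspelled vuln attribute into an error."""
    env = SandboxedEnvironment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
    return env.from_string(template_text).render(vuln=vuln)

def lint(template_text, vuln):
    """Return None if the template renders, otherwise the Jinja2 error as a string."""
    try:
        preview(template_text, vuln)
    except TemplateError as exc:
        return f"{type(exc).__name__}: {exc}"
    return None
```

With `killwords` set to `False`, `truncate` cuts back to the last space before the limit, so the rendered request ends at `Host:...` and the Cookie header never reaches the ticket.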

You can also link an issue to an Epic. To do so, look up the custom field Epic Link of your instance and add it to your issue's configuration (just as in the example above). Once you add it, type the issue keys of the epic into the input field.