
github-security-jira's Introduction

github-security-jira

GitHub Action for mapping Dependabot security alerts to Jira tickets.

Setup

You need the following pieces set up to sync alerts with Jira:

  1. Two repo secrets containing a GitHub access token and a Jira API token, respectively.
  2. A workflow file which runs the action on a schedule, continually creating new tickets when necessary.

Repo secrets

The reload/github-security-jira action requires you to create two encrypted secrets in the repo:

  1. A secret called GitHubSecurityToken which should contain a Personal Access Token for the GitHub user under which this action should be executed. The token must include the public_repo scope if checking only public repos, or the repo scope for use on private repos. Also, the user must have access to security alerts in the repo.
  2. A secret called JiraApiToken containing an API Token for the Jira user that should be used to create tickets.

Workflow file setup

The GitHub workflow file should reside in any repo where you want to sync security alerts with Jira.

It has some required and some optional settings, which are passed to the action as environment variables:

  • GH_SECURITY_TOKEN: A reference to the repo secret GitHubSecurityToken (REQUIRED)
  • JIRA_TOKEN: A reference to the repo secret JiraApiToken (REQUIRED)
  • JIRA_HOST: The endpoint for your Jira instance, e.g. https://foo.atlassian.net (REQUIRED)
  • JIRA_USER: The ID of the Jira user associated with the 'JiraApiToken' secret, e.g. '[email protected]' (REQUIRED)
  • JIRA_PROJECT: The project key for the Jira project where issues should be created, e.g. TEST or ABC (REQUIRED)
  • JIRA_ISSUE_TYPE: Type of issue to create, e.g. Security. Defaults to Bug. (Optional)
  • JIRA_WATCHERS: Jira users to add as watchers on created tickets. Separate multiple watchers with commas (no spaces).
  • JIRA_ISSUE_LABELS: Jira labels to add to created tickets. Separate multiple labels with commas (no spaces).
  • JIRA_RESTRICTED_COMMENT_ROLE: A comment visible only to this Jira project role is posted on the ticket, listing who was added as watchers. Defaults to Developers. (Optional)

Here is an example setup which runs this action every 6 hours.

name: GitHub Security Alerts for Jira

on:
  schedule:
    - cron: '0 */6 * * *'

jobs:
  syncSecurityAlerts:
    runs-on: ubuntu-latest
    steps:
      - name: "Sync security alerts to Jira issues"
        uses: reload/[email protected]
        env:
          GH_SECURITY_TOKEN: ${{ secrets.GitHubSecurityToken }}
          JIRA_TOKEN: ${{ secrets.JiraApiToken }}
          JIRA_HOST: https://foo.atlassian.net
          JIRA_USER: [email protected]
          JIRA_PROJECT: ABC
          JIRA_ISSUE_TYPE: Security
          JIRA_WATCHERS: [email protected],[email protected]

Local development

Copy docker-composer.override.example.yml to docker-composer.override.yml and edit according to your settings.

After that, you can execute the Symfony console app like so:

docker-compose run --rm ghsec-jira --verbose --dry-run

Remove the --dry-run option to actually create issues in Jira.

github-security-jira's People

Contributors

achton, arnested, cr-alan, dependabot-preview[bot], dependabot[bot], harlemsquirrel, juancarlosgl, matthiasdg, mendenajdov, spaceo, xendk


github-security-jira's Issues

Resource not accessible by integration

Trying to use this GH Action and it fails with this error:

Run reload/[email protected]
/usr/bin/docker run --name c8ce5aa104cfed7a462b98612dedac8bd2f9_8755a1 --label 48c8ce --workdir /github/workspace --rm -e GH_SECURITY_TOKEN -e JIRA_TOKEN -e JIRA_HOST -e JIRA_USER -e JIRA_PROJECT -e JIRA_ISSUE_TYPE -e JIRA_WATCHERS -e JIRA_RESTRICTED_COMMENT_ROLE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/test-gh-actions-alert/test-gh-actions-alert":"/github/workspace" 48c8ce:5aa104cfed7a462b98612dedac8bd2f9

In SyncCommand.php line 199:

  GraphQL client error: Resource not accessible by integration. Original query:
    query alerts($owner: String!, $repo: String!) {
      repository(owner: $owner, name: $repo) {
        vulnerabilityAlerts(first: 100) {
          nodes {
            securityVulnerability {
              advisory {
                ghsaId
                description
                identifiers {
                  type
                  value
                }
                references {
                  url
                }
                severity
                summary
              }
              firstPatchedVersion {
                identifier
              }
              package {
                name
                ecosystem
              }
              severity
              updatedAt
              vulnerableVersionRange
            }
            repository {
              nameWithOwner
            }
            vulnerableManifestFilename
            vulnerableManifestPath
            vulnerableRequirements
          }
        }
      }
    }

sync [--dry-run]

What kind of resource can't it find? I'm pretty sure I've set it up correctly, because I'm able to run it locally via the act tool.

Action returns success, but nothing appears in JIRA

First let me say thank you for building this. It's perfect for what I'm trying to achieve.

I have set up a GitHub Action based on the README. It seems like the action always returns success, even if I use an invalid token.

I've been unable to get any issue to show up within JIRA. It could be that I have an invalid config, but, unfortunately with everything returning success, I can't debug it.

Please let me know if there's any debug information I can provide!

Uncaught type error - $safeVersion must be string

While debugging #128 I created a temporary jira group 'Developers' and assigned my jira api role to that group. Rerunning the github-security-jira [email protected] now results in a fatal error. (the action is still ignoring the actual group name I'm specifying)

Run reload/[email protected]
  env:
    GH_SECURITY_TOKEN: ***
    JIRA_TOKEN: ***
    JIRA_HOST: https://JIRA_URL
    JIRA_USER: JIRA_USER
    JIRA_PROJECT: ABC
    JIRA_ISSUE_TYPE: Bug
    JIRA_RESTRICTED_COMMENT_ROLE: JIRA_GROUP

Fatal error: Uncaught TypeError: Typed property GitHubSecurityJira\SecurityAlertIssue::$safeVersion must be string, null used in /opt/ghsec-jira/src/SecurityAlertIssue.php:41
Stack trace:
#0 /opt/ghsec-jira/src/SyncCommand.php(94): GitHubSecurityJira\SecurityAlertIssue->__construct(Array)
#1 /opt/ghsec-jira/vendor/symfony/console/Command/Command.php(255): GitHubSecurityJira\SyncCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 /opt/ghsec-jira/vendor/symfony/console/Application.php(1011): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /opt/ghsec-jira/vendor/symfony/console/Application.php(272): Symfony\Component\Console\Application->doRunCommand(Object(GitHubSecurityJira\SyncCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /opt/ghsec-jira/vendor/symfony/console/Applicat in /opt/ghsec-jira/src/SecurityAlertIssue.php on line 41

Feature Request: Add support for custom fields

Custom fields themselves are just an additional key/value pair passed to the fields object: https://developer.atlassian.com/server/jira/platform/jira-rest-api-examples/#creating-an-issue-using-custom-fields

Ideally the custom field would be an arbitrary map the user passes into the github action. (inspiration for this from here)

Currently a failure will look like:

jira.exceptions.JIRAError: JiraError HTTP 400 url: ...
response text = {"errorMessages":[],"errors":{"customfield_#####":"<field> is required."}}

JIRA ticket creation fails if your maven module folder has spaces in it

If your maven project is a multi-module one and you have module folders with spaces in them, the JIRA ticket creation process will fail. This is because JIRA doesn't allow creating labels that contain spaces. See: https://confluence.atlassian.com/automationkb/automation-for-jira-fails-to-copy-components-list-to-label-with-error-message-the-label-contains-spaces-which-is-invalid-1072473388.html#:~:text=The%20error%20message%20happens%20because,include%20spaces%20in%20their%20names

In our case our pom.xml looked like this:
<modules>
<module>nice-module</module>
<module>Wrong module</module>

When the GitHub action runs it fails and reports this error:
CURL HTTP Request Failed: Status Code : 400, URL:https://my.atlassian.net/rest/api/2/search
Error Message : {"errorMessages":["The label 'glob-parent:Wrong Module:5.1.2' can't contain spaces."],"warningMessages":[]}

That is because this action's code creates labels that are like a "path" pointing to where the dependency with issues is, and part of that "path" is the module name. You can see that in this line:

return "{$this->package}:{$this->manifestPath}:{$identifier}";

The code could remove the spaces to avoid JIRA rejecting the label.
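The rejection is reproducible without Jira: the snippet below, added here and not the project's PHP, builds the same package:manifestPath:identifier label, shows one way to make it Jira-safe by replacing whitespace, and adds a pre-check that reports why Jira would reject a label before the request is sent. The 255-character limit is the one Jira enforces on labels and is an assumption beyond what this issue reports.

```python
"""Jira-safe labels for github-security-jira (added example, not the project's code).
The action builds "package:manifestPath:identifier"; Jira rejects labels containing
whitespace, so a Maven module directory with a space in it breaks ticket creation."""
import re

JIRA_LABEL_MAX = 255  # assumed: Jira also rejects labels longer than 255 characters

def raw_label(package, manifest_path, identifier):
    """Same shape as the action's label: package:manifestPath:identifier."""
    return f"{package}:{manifest_path}:{identifier}"

def label_problems(label):
    """Reasons Jira would reject the label; an empty list means it is acceptable."""
    problems = []
    if re.search(r"\s", label):
        problems.append("contains whitespace")
    if len(label) > JIRA_LABEL_MAX:
        problems.append(f"longer than {JIRA_LABEL_MAX} characters")
    return problems

def jira_label(package, manifest_path, identifier):
    """Build the label and collapse every run of whitespace to a single dash, so the
    module name stays recognisable while the label passes Jira's whitespace rule."""
    return re.sub(r"\s+", "-", raw_label(package, manifest_path, identifier).strip())

if __name__ == "__main__":
    # Constructed input matching the error quoted in this issue.
    for pkg, path, ver in [("glob-parent", "Wrong Module", "5.1.2"),
                           ("lodash", "package-lock.json", "4.17.21")]:
        raw, safe = raw_label(pkg, path, ver), jira_label(pkg, path, ver)
        print(f"{raw!r}: {label_problems(raw) or 'ok'} -> {safe!r}")
```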

Fatal error: Uncaught TypeError: Typed property

Fatal error: Uncaught TypeError: Typed property GitHubSecurityJira\SecurityAlertIssue::$safeVersion must be string, null used in /opt/ghsec-jira/src/SecurityAlertIssue.php:41
Stack trace:
#0 /opt/ghsec-jira/src/SyncCommand.php(94): GitHubSecurityJira\SecurityAlertIssue->__construct(Array)
#1 /opt/ghsec-jira/vendor/symfony/console/Command/Command.php(256): GitHubSecurityJira\SyncCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 /opt/ghsec-jira/vendor/symfony/console/Application.php(971): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /opt/ghsec-jira/vendor/symfony/console/Application.php(290): Symfony\Component\Console\Application->doRunCommand(Object(GitHubSecurityJira\SyncCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /opt/ghsec-jira/vendor/symfony/console/Applicati in /opt/ghsec-jira/src/SecurityAlertIssue.php on line 41

Team, can you guide me here?

Adding jira component

Hi team,

I tried adding JIRA_Component in the env section of the workflow code. But during integration, my issues are not getting linked with the newly created component in the JIRA software project. Please advise.

Regards,
Manthan Shah

401 Unauthorized failure

I'm receiving a 401 unauthorized failure and having trouble identifying the root cause. My secret is an Organization secret and an Actions environment secret named GitHubSecurityToken, and I tested it via curl against the GraphQL API; I was able to return Dependabot results. Any advice would be appreciated. Thanks!

Costing for the action

Hi team,
Can you please share the pricing if I use this workflow from the GitHub marketplace?
Regards,
Manthan Shah

Populate ticket header with priority

Hi team,
Wondering about populating priority/severity of alerts in the header/title section that have been raised by Dependabot while creating tickets in JIRA software?
Regards,
Manthan Shah

about false positives

Hi team,
We have integrated a similar kind of flow, where we are seeing false Dependabot alerts regarding the version of a library/binary.
E.g. we have airflow version 2.x.1 and Dependabot is creating an alert for 2.x.0.
Can you please advise?

FEATURE REQUEST: JIRA Priority Based on Severity, Epic, & Component(s)

Would it be possible to set the JIRA priority based on the alert's severity? That would be really cool. Also it would be fabulous if one could pass an epic ticket token, and a component. And even cooler if we could pass a custom title, to allow for the tickets to stand out with a consistent title. :)

i.e.
JIRA_TITLE: Github Security Advisory for {0}
JIRA_EPIC: ABC-123
JIRA_COMPONENT(S): Security

Auto-map:
Trivial -> low severity
Minor -> moderate severity
Major -> high severity

Use Public ECR Gallery, instead of dockerhub to avoid rate limit

We recently started to use self hosted runners and are running into issues with Docker's rate limit. After reviewing the repo, would it be possible to use another docker repository that is a little more forgiving?

The Dockerfile references the following images:
composer:2.5.7 and php:8.1.9-alpine

We can get similar images from AWS ECR's Public Gallery, which has a rate limit for unauthenticated pulls at 1 per second, instead of Dockerhub's 100 per 6 hours.

public.ecr.aws/docker/library/composer:2.5.7
public.ecr.aws/docker/library/php:8.1.9-alpine

Let me know what you think; if approved, I can make a PR.

wrong alerts getting sent to Jira

I implemented this tool on a repo of mine. The number of issues created in Jira matches the total number of open security alerts that repo has (Dependabot, secrets scanning and code scanning combined), but all of the issues opened in Jira are Dependabot issues, including a bunch of closed Dependabot issues. This happens using tag v1.2.0

JSON property "parent" must not be NULL

Github action is breaking since yesterday with the following message...

In JsonMapper.php line 229:

  JSON property "parent" in class "JiraRestApi\Issue\IssueField" must not be NULL

I assume Jira has changed their API to make parent a required field. Any ideas?

Priority field not set

I'm getting a priority field not set error:

In JiraSecurityIssue.php line 217:

[RuntimeException]
Could not create issue: CURL HTTP Request Failed: Status Code : 400, URL:https://companyname.atlassian.net/rest/api/2/issue
Error Message : {"errorMessages":[],"errors":{"priority":" Specify the Priority (name) in the string format"}}

Exception trace:
at /opt/ghsec-jira/vendor/reload/jira-security-issue/src/JiraSecurityIssue.php:217
Reload\JiraSecurityIssue->ensure() at /opt/ghsec-jira/src/SyncCommand.php:100
GitHubSecurityJira\SyncCommand->execute() at /opt/ghsec-jira/vendor/symfony/console/Command/Command.php:298
Symfony\Component\Console\Command\Command->run() at /opt/ghsec-jira/vendor/symfony/console/Application.php:1040
Symfony\Component\Console\Application->doRunCommand() at /opt/ghsec-jira/vendor/symfony/console/Application.php:301
Symfony\Component\Console\Application->doRun() at /opt/ghsec-jira/vendor/symfony/console/Application.php:171
Symfony\Component\Console\Application->run() at /opt/ghsec-jira/bin/ghsec-jira:18

Here is my configuration:
- name: "Sync security alerts to Jira issues"
  uses: reload/[email protected]
  env:
    SECURITY_TOKEN: ***
    JIRA_TOKEN: ***
    JIRA_HOST: ***
    JIRA_USER: ***
    JIRA_ISSUE_TYPE: Story
    JIRA_PROJECT: ***
    JIRA_ISSUE_LABELS: DEP_ISSUE

I'm wondering if others are experiencing the same issue or the last bot update caused it by any chance?

Thanks!

No output when running action

I don't see any output when running the action.

sync-dependabot-alerts:
        runs-on: ubuntu-latest
        steps:
            - name: "Sync Dependabot security alerts to Jira issues"
              uses: reload/[email protected]
              env:
                GH_SECURITY_TOKEN: ${{ secrets.GitHubSecurityToken }}
                JIRA_TOKEN: ${{ secrets.JiraApiToken }}
                JIRA_HOST: https://xyz.atlassian.net/
                JIRA_USER: [email protected]
                JIRA_PROJECT: ABC
                JIRA_ISSUE_TYPE: Bug
                JIRA_WATCHERS: [email protected]
                JIRA_ISSUE_LABELS: Dependabot

Output:

2023-12-18T16:54:13.4088137Z ##[group]Run reload/[email protected]
2023-12-18T16:54:13.4088657Z env:
2023-12-18T16:54:13.4089366Z   ...
2023-12-18T16:54:13.4093714Z ##[endgroup]
2023-12-18T16:54:13.4391367Z ##[command]/usr/bin/docker run ...
2023-12-18T16:54:16.2292260Z Cleaning up orphan processes

I expect to see some output like:

No alerts found.

Debug output Issue

Set up jobs
Build Sample-account-github-jira/Todo-Application@master27s
Run GraphQL query against GH 4.x API
Debug output

/home/runner/work/_temp/314346d0-a25a-49d5-870d-07e31135af9a.sh: line 137: syntax error near unexpected token `('
##[error]Process completed with exit code 2.

Could you please shed some light on this fix?

Disable restricted comments in Jira

I'm getting the following error from reload/[email protected] (latest release).
I am correctly setting the env var as described in the README, but I'm observing the error even if I omit the env var or if I specify any value for a valid group that the Jira API token and user belong to. The action is creating a ticket when it runs; it just fails on trying to add the restricted comment. I don't actually need or care about this comment, but I get the same output even if I remove the variable.

Run reload/[email protected]
  env:
    GH_SECURITY_TOKEN: ***
    JIRA_TOKEN: ***
    JIRA_HOST: https://JIRA_URL/
    JIRA_USER: JIRA_USERNAME
    JIRA_PROJECT: ABC
    JIRA_ISSUE_TYPE: Bug
    JIRA_RESTRICTED_COMMENT_ROLE: JIRA_ROLE

In JiraClient.php line 264:

  CURL HTTP Request Failed: Status Code : 400, URL:https://telemedicine.atlassian.net//rest/api/2/issue/VCB-3440/comment
  Error Message : {"errorMessages":[],"errors":{"commentLevel":"You are currently not a member of the project role: Developers."}}
