
ISOC 3689 add git hub code scanning webhook #2314

Merged (8 commits), Aug 16, 2023

Conversation


@auzwang auzwang commented Aug 4, 2023

What's in this PR?
Adds Security in Jira code_scanning_alert webhook support. GitHub Security Code Scanning Alert webhooks will be transformed and submitted as Security Vulnerabilities in Jira.

Vulnerabilities are only submitted from the default or protected branch. This is done by checking

alert.most_recent_instance?.ref?.startsWith("refs/heads")

When a Code Scan Alert is found in a PR, then merged into the default or protected branch, a webhook with the action appeared_in_branch is triggered with the same alert number, which is subsequently submitted to Jira.

Remote Links will continue to be handled in the same way.

Fixes an error where Code Scanning Alert Remote Link Webhook metrics were not being processed.

- context.payload.webhookReceived
+ context.webhookReceived
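Review bot: a unit test that asserts the webhook metric is actually emitted for a code_scanning_alert Remote Link payload would keep the change from `context.payload.webhookReceived` to `context.webhookReceived` from regressing; the description lists unit tests only in general, and it is worth checking that no other handler still reads `payload.webhookReceived`.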

Why
Integrate GitHub with Security in Jira
https://hello.atlassian.net/wiki/spaces/CDX/pages/2673460294/RFC+GitHub+for+Jira+Security

Added feature flags
ENABLE_GITHUB_SECURITY_IN_JIRA

Affected issues
ISOC-3689

How has this been tested?
Locally
Unit Tests

Questions
We are emitting a new webhook metric for Code Scanning Alert Security Vulnerabilities (code_scanning_alert_security) in addition to the Remote Links handler. Does this make sense?

@auzwang auzwang requested a review from a team as a code owner August 4, 2023 06:14
@auzwang auzwang force-pushed the ISOC-3689-add-git-hub-code-scanning-webhook branch from 03b14eb to 03c57fa Compare August 4, 2023 06:16

gxueatlassian commented Aug 9, 2023

One small thing to double check, for

Vulnerabilities are only submitted from the default or protected branch. This is done by checking
alert.most_recent_instance?.ref?.startsWith("refs/heads")

I think refs/heads can also mean any branch? We are accepting alerts from any branch, is that correct? But I could be wrong.

gxueatlassian previously approved these changes Aug 9, 2023
CONTRIBUTING.md (review thread resolved)

auzwang commented Aug 9, 2023

One small thing to double check, for

Vulnerabilities are only submitted from the default or protected branch. This is done by checking
alert.most_recent_instance?.ref?.startsWith("refs/heads")

I think refs/heads can also mean any branch? We are accepting alerts from any branch, is that correct? But I could be wrong.

Code scanning can be configured to trigger on push and pull requests to protected branches. So pushes to unprotected branches such as feature/abc-123 won't trigger code scan alerts until a PR is made targeting the default branch or a protected branch.

@auzwang auzwang force-pushed the ISOC-3689-add-git-hub-code-scanning-webhook branch 6 times, most recently from 3bb165b to 9bcde08 Compare August 15, 2023 00:16
```javascript
// Fragment of the PR diff under review: maps a CWE rule tag to an identifier
const cweId = tag.split(cwePrefix)[1].replace(/^0+/, "");
return {
	displayName: `CWE-${cweId}`,
	url: `https://cwe.mitre.org/cgi-bin/jumpmenu.cgi?id=${cweId}`
};
```

What's the difference between using this URL and https://cwe.mitre.org/data/definitions/${cweId} ?
The one you are using redirects to the data/definitions page anyway?

@auzwang auzwang Aug 15, 2023


I used the URL https://cwe.mitre.org/ uses in their ID Lookup input. The difference is the error page when supplying an invalid ID. I suspect there is future-proof credence using the cgi URL as it would be out in the wild and referenced in PDFs, hence the redirect.

Navigating using the definitions URL we get:
[Screenshot 2023-08-15 at 1:27:31 pm: error page for the definitions URL]

Whereas with the id param, we get:
[Screenshot 2023-08-15 at 1:27:37 pm: error page for the jumpmenu.cgi URL]
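The two rules discussed in this PR, the `refs/heads` branch filter from the description and the CWE tag mapping from the diff fragment above, worked through on constructed payloads. This is an added example, not code from the github-for-jira repository; the tag prefix value, the function names and the output record shape are assumptions.

```javascript
// Added example (not project code): filter a code_scanning_alert webhook and
// map its CWE tags. Prefix value and helper names are assumed for illustration.
const CWE_PREFIX = "external/cwe/cwe-"; // assumed CodeQL tag prefix, e.g. cwe-079

// The PR's check: only alerts whose most recent instance sits on a branch ref.
// This matches any refs/heads/* ref; PR-only alerts carry refs/pull/<n>/merge
// and are picked up later via the appeared_in_branch action.
function shouldSubmitAlert(alert) {
	const ref = alert?.most_recent_instance?.ref;
	return typeof ref === "string" && ref.startsWith("refs/heads");
}

// Turns "external/cwe/cwe-079" into CWE-79, stripping leading zeros as the PR does.
function cweTagToIdentifier(tag) {
	if (!tag.startsWith(CWE_PREFIX)) return null;
	const cweId = tag.split(CWE_PREFIX)[1].replace(/^0+/, "");
	if (cweId === "") return null; // "cwe-000" would otherwise yield "CWE-"
	return {
		displayName: `CWE-${cweId}`,
		url: `https://cwe.mitre.org/cgi-bin/jumpmenu.cgi?id=${cweId}`
	};
}

// Builds a vulnerability record (assumed shape), or null when not on a branch.
function transformCodeScanningAlert(payload) {
	const { action, alert } = payload;
	if (!shouldSubmitAlert(alert)) return null;
	const identifiers = (alert.rule?.tags ?? [])
		.map(cweTagToIdentifier)
		.filter((id) => id !== null);
	return {
		alertNumber: alert.number,
		action,
		ref: alert.most_recent_instance.ref,
		displayName: alert.rule?.description ?? `Code scanning alert #${alert.number}`,
		identifiers
	};
}

// Constructed sample payloads (not real webhook deliveries).
const ALERT_ON_MAIN = {
	action: "appeared_in_branch",
	alert: {
		number: 7,
		rule: { description: "Reflected XSS", tags: ["security", "external/cwe/cwe-079"] },
		most_recent_instance: { ref: "refs/heads/main" }
	}
};
// Same alert while it only exists on the PR merge ref: skipped, not submitted.
const ALERT_ON_PR = { action: "created",
	alert: { ...ALERT_ON_MAIN.alert, most_recent_instance: { ref: "refs/pull/12/merge" } } };
```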

@auzwang auzwang force-pushed the ISOC-3689-add-git-hub-code-scanning-webhook branch from 9bcde08 to 2a62962 Compare August 16, 2023 00:26
@Harminder84 Harminder84 merged commit 0531ce3 into main Aug 16, 2023
3 of 4 checks passed
@Harminder84 Harminder84 deleted the ISOC-3689-add-git-hub-code-scanning-webhook branch August 16, 2023 00:59