Vulnerabilities / Jira integration doesn't work with Jira "Next Gen" projects
Summary
The new Vulnerability Management feature that allows creating a Jira issue directly from a vulnerability record works perfectly with Jira Classic ("Company-managed software") projects. However, it looks like it does not work at all with Jira Next Gen ("Team-managed software") projects.
See this video for a demo of the error behavior.
One relevant detail is that the issue type list seems incorrect when configuring a Next Gen project on the GitLab side. The issue list is supposed to be dynamic. It returns the expected list for Classic projects. However, for Next Gen projects, the issues never match what is configured on the Jira side.
This seems directly related to what causes the error. The Jira issue IDs used for the available issue types on Next Gen projects all appear to be incorrect. The issue IDs seem to match those that are available when using Classic projects. This seems to be the cause of the error. If you manually update the URL of the new Jira issue after you get the error with a correct issue ID for a Next Gen project, it works as expected.
Steps to reproduce
- Configure and enable a Jira integration (Settings → Integrations) for your GitLab project.
  - Enter a Jira project key corresponding to a Next Gen Jira project.
  - Save changes or Test settings to make sure configuration is correct.
- Check the Enable Jira issues creation from vulnerabilities option.
- Hit the "refresh" button next to the Jira issue types dropdown.
  - This should dynamically pull all configured issue types on the Jira project specified above.
  - Note that for Next Gen projects, the list likely will NOT accurately reflect the project's configured issue types if viewed in Jira's project settings.
- Select any Jira issue type and Save changes.
- Go to Security & Compliance → Vulnerability Report for the same project.
- Click the vulnerability name/description on any vulnerability list entry to view the vulnerability record (details page).
- Click the Create Jira issue button to open a new window. Note the Jira error about invalid Issue type.
Example Project
https://gitlab.com/matt_wilson/simply-simple-notes/ (ask @matt_wilson for access)
Test Jira instance: https://gitlab-stage-protect.atlassian.net/
It is possible the wrong API call is being used to fetch the Jira Issue types. The following API call will return an array of configured Issue types for both Classic and Next Gen projects:
Verify this by seeing the results from two test projects:
- Next Gen: https://gitlab-stage-protect.atlassian.net/rest/api/3/project/10002/
- Classic: https://gitlab-stage-protect.atlassian.net/rest/api/3/project/10003/
What is the current bug behavior?
Trying to create a Jira issue from a GitLab vulnerability when the configured Jira project is a Next Gen type always results in an error message that the issue type is invalid (see video).
What is the expected correct behavior?
Creating Jira issues from vulnerabilities should work the same for both Classic and Next Gen projects.
Possible fixes
- backend Update `project_issuetype_scheme_ids` in `ee/app/models/project_services/ee/jira_service.rb` to not do anything when Jira project style is `next-gen`
- backend Update `project_issuetype_ids` in `ee/app/models/project_services/ee/jira_service.rb` to handle Next Gen JIRA projects by making a call to `https://<jira-handle>.atlassian.net/rest/api/3/project/<project id>` and using `issueTypes`
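A sketch of the second possible fix, added here as an illustration and not GitLab's own code: it reads issue types from the `issueTypes` array of a project response and checks a stored issue type ID against that list before it is used. The helper names, the sample payloads, their issue type IDs and project keys, and the choice to skip subtask types are all assumptions; only the project IDs 10002 and 10003 come from the test projects above.

```ruby
require 'json'

# Constructed payloads shaped like GET /rest/api/3/project/<project id>
# responses. Issue type IDs, names and project keys are made up.
NEXT_GEN_PROJECT = <<~JSON
  {"id": "10002", "key": "NG", "style": "next-gen",
   "issueTypes": [
     {"id": "10010", "name": "Task",    "subtask": false},
     {"id": "10011", "name": "Bug",     "subtask": false},
     {"id": "10012", "name": "Subtask", "subtask": true}
   ]}
JSON

CLASSIC_PROJECT = <<~JSON
  {"id": "10003", "key": "CL", "style": "classic",
   "issueTypes": [
     {"id": "10001", "name": "Task", "subtask": false},
     {"id": "10004", "name": "Bug",  "subtask": false}
   ]}
JSON

IssueType = Struct.new(:id, :name)

# Hypothetical helper: the "style" field distinguishes the two project kinds.
def project_style(project_json)
  JSON.parse(project_json)['style']
end

# Hypothetical helper: issue types as configured on the project itself,
# which is the list that is correct for both Classic and Next Gen.
# Skipping subtask types is an assumption of this example.
def project_issue_types(project_json)
  project = JSON.parse(project_json)
  types = project.fetch('issueTypes') do
    raise ArgumentError, 'project response has no issueTypes'
  end
  types.reject { |t| t['subtask'] }
       .map { |t| IssueType.new(t['id'].to_s, t['name']) }
end

# Hypothetical guard: true only if the stored issue type ID belongs to
# this project, so a stale or wrong ID is caught before Jira rejects it.
def valid_issue_type?(project_json, configured_id)
  project_issue_types(project_json).any? { |t| t.id == configured_id.to_s }
end
```

With these constructed payloads, the ID `10001` is accepted for the Classic project and rejected for the Next Gen one, which mirrors the mismatch described in the summary.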