
Add customize jira issue option for vulnerabilities with integration setting

Lorenz van Herwaarden requested to merge form-issue-jira-setting into master

What does this MR do and why?

Related #478824 (closed), #478829 (closed), #482042 (closed), &14866 (closed), #454279 (closed)

Add customize jira issue option for vulnerabilities with integration setting.

This adds a new setting called customize_jira_issue_enabled to the Jira integration settings. It is disabled by default. Once enabled, it allows creating Jira issues for vulnerabilities via the old way, which we recently removed. The old way redirects the user to the Jira issue creation form with vulnerability data pre-filled where they can review, modify, or add information. The current Jira issue creation method uses a GraphQL mutation which creates the issue in the background and does not redirect you away from GitLab.

Some customers relied on the old Jira issue creation method heavily. They can still fill in extra info in the Jira issue form before creating the actual issue. In some cases the new method even breaks their workflow because they can't create a Jira issue with the GraphQL mutation because their setup expects a required custom field which is not provided. With this setting, customers can use the previous way of Jira issue creation for vulnerabilities by enabling the setting on the Jira Integration (both project and group level).

The work is not split up in multiple MRs so we can introduce this without the need of a feature flag.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

customize-jira-issue-enabled

Create Jira issue directly (GraphQL)

Before: Screenshot_2024-09-03_at_14.00.43
After: Screenshot_2024-09-03_at_09.53.44

Customize Jira issue (via form)

Screenshot_2024-09-03_at_09.54.01

Customize Jira issue Jira integration setting

Screenshot_2024-09-03_at_13.58.31

How to set up and validate locally

Prerequisites

  1. You need an EE license
  2. You need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run a pipeline on master

Enable the Jira integration for a project:

  1. Create a Jira test project at https://jira.atlassian.com/ and get an API key at Account settings > Security
  2. Navigate to the security-reports project you just imported
  3. Go to Settings > Integrations > Jira
  4. Enable the integration and fill out the form
  5. Enable "Jira Issues" and "Issue creation from vulnerabilities" and Save

Validate

  1. Go to the vulnerability report on the security-reports project, click any vulnerability, click on "Create Jira issue". Validate that this creates an issue in the background (no redirection) and once the loading spinner is done, an entry gets added in the "Related Jira issues" card with a Jira issue for that vulnerability.
  2. Go to Settings > Integrations > Jira
  3. Enable "Customize Jira issues" and Save
  4. Go to another vulnerability on the vulnerability report, notice the "Create Jira issue" now has an external link icon. Click it, and validate it redirects to your Jira instance to an issue form. Fill in the reporter (mandatory) and create the issue. Go back to your GitLab vulnerability details page and refresh. The Jira issue should also be in the "Related Jira Issues" card.
Edited by Lorenz van Herwaarden
