What is it?
Our Jira integrations provide highly relevant and bite-sized learning on secure coding techniques directly within the issues you are working on. The learning content is offered in a variety of programming languages and frameworks.
Jira is an issue and bug tracking tool by Atlassian. It is very popular among developers and is used widely to manage agile delivery of software projects. See: https://www.atlassian.com/software/jira
It is offered as:
- Jira Cloud - The cloud SaaS version of the issue tracker
- Jira Server - The on-premise version of Jira for enterprises (no new license sales, approaching end of support - please refer to this page from Atlassian for detailed information)
- Jira Data Center - A highly scalable on-premise version of Jira for enterprises
Why did we build this?
To help developers resolve vulnerabilities faster and learn secure coding continuously.
By bringing the relevant content to you when and where you need it, our integrations become part of the solution and help you stay in the flow, rather than just scanning the code and showing problems without any help to solve them.
Ultimately, by learning continuously, you build skills to write secure code from the start - reducing vulnerabilities in the codebase.
How does it work?
When users or scanning tools create issues containing vulnerability information, our integration scans the text content and uses our Direct Linking API to fetch the most relevant content containing vulnerability descriptions, explainer videos, and links to relevant code exercises. This content is shown under the Detail pane of the Jira Issue.
The vulnerability information in the issue may be present in the title, description, label, or a configured custom field in Jira. The integration can detect Common Weakness Enumeration (CWE) or Open Web Application Security Project (OWASP) references as well as common vulnerability names and phrases.
Note: Currently, text matching (e.g. "SQL injection") is only available for English. CWE or OWASP references in a ticket still work regardless of the language of the ticket text.
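The matching described above can be sketched as follows. This is an added example, not Secure Code Warrior's code, and it does not call the Direct Linking API: the phrase list, the sample issues and the field id `customfield_10042` are constructed assumptions. It shows why an identifier such as CWE-89 is still found in a non-English ticket while phrase matching is not.

```python
import re

# CWE ids such as "CWE-89" or "cwe 79"; OWASP Top 10 ids such as "A03:2021".
CWE_RE = re.compile(r"\bCWE[-_ :]?(\d{1,4})\b", re.IGNORECASE)
OWASP_RE = re.compile(r"\bA(\d{1,2}):(20\d{2})\b", re.IGNORECASE)
# Constructed English phrase list (assumption, not the integration's real list).
PHRASES = ("sql injection", "cross-site scripting", "path traversal")


def issue_text(issue, custom_field=None):
    """Join the fields the page names: title, description, labels, custom field."""
    parts = [issue.get("summary") or "", issue.get("description") or ""]
    parts.extend(issue.get("labels") or [])
    if custom_field:
        parts.append(str(issue.get(custom_field) or ""))
    return "\n".join(p for p in parts if p)


def find_references(issue, custom_field=None):
    """Return only normalized vulnerability references, never the ticket text."""
    text = issue_text(issue, custom_field)
    lowered = text.lower()
    return {
        "cwe": sorted({int(n) for n in CWE_RE.findall(text)}),
        "owasp": sorted({f"A{int(n):02d}:{y}" for n, y in OWASP_RE.findall(text)}),
        "phrases": sorted(p for p in PHRASES if p in lowered),
    }


# Constructed sample issues; "customfield_10042" is a hypothetical field id.
SAMPLE_ISSUE = {
    "summary": "Scanner finding: SQL Injection in login form",
    "description": "Reported as CWE-89 (OWASP A03:2021). "
                   "Parameter is concatenated into the query.",
    "labels": ["security", "cwe-79"],
    "customfield_10042": "A1:2017",
}
NON_ENGLISH_ISSUE = {
    "summary": "Inyección SQL en el formulario (CWE-89)",
    "labels": ["seguridad"],
}

if __name__ == "__main__":
    print(find_references(SAMPLE_ISSUE, "customfield_10042"))
    print(find_references(NON_ENGLISH_ISSUE))
```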
Installation and configuration
The Jira plugin can be downloaded from the Atlassian Marketplace.
Installation steps specific to the product that you use can be found under the Installation tab on the marketplace.
What data is sent and stored by the integration?
What data is collected by SCW?
- Usage statistics to capture interactions with our Jira integrations. For example, when a user clicks the “Train Now” button or opens the SCW integration on a ticket. Usage statistics include organisational identifiers such as the Jira cloud instance hostname or organisation name as obtained from the Jira license.
- Vulnerability categories based on vulnerability references matched in Jira tickets. For example, when a Jira user opens a ticket referencing a SQL injection attack, we track the vulnerability category (i.e. Injection Flaws) and subcategory (i.e. SQL Injection) that was matched.
We do not collect:
- Source code references such as affected line numbers, code files or code packages / repositories.
- User identity references such as email address or usernames.
- Overview: https://www.securecodewarrior.com/products/scw-for-jira
- Atlassian Marketplace: https://marketplace.atlassian.com/apps/1221320/secure-code-warrior-for-jira
- Jira Cloud Configuration Guide: https://help.securecodewarrior.com/hc/en-us/articles/900000782363
- Jira Server/Data Center Configuration Guide: https://help.securecodewarrior.com/hc/en-us/articles/900000796646