ASoC and Jira Cloud

HCL AppScan integration for Jira Cloud facilitates automatic or ad-hoc creation of Jira tickets for security issues identified by AppScan on Cloud.

This integration applies only to Jira Cloud and cannot be installed on an on-premises Jira Server.

Prerequisites

  • HCL AppScan on Cloud service account and an API key and secret for AppScan on Cloud authentication.
  • Jira Cloud user account with necessary permissions to install and manage the integration, and to create and modify all Jira issues for all projects to which you are importing AppScan security issues.

Installation

To install the HCL AppScan Integration for Jira Cloud:
  1. Log in to your Jira Cloud instance with sufficient privileges to install the integration from the marketplace.
  2. Select Apps > Explore more apps.
  3. Click Find new apps to access the Atlassian Marketplace.
  4. Search for “HCL AppScan Integration for Jira Cloud”.
  5. On the page for the integration, click Get app.
  6. Review permissions and proceed with the installation.

    Jira Cloud automatically downloads and installs the integration. When the installation is complete, Jira Cloud displays a confirmation message.

    The integration is available for use within your Jira Cloud instance.

Using the Integration

The HCL AppScan Integration page has five tabs:
  • Credentials

    Enter and verify HCL AppScan on Cloud credentials.

  • Configuration

    Customize import job parameters per application, tailored to your organization’s security policies and priorities.

  • One-time import

    Initiate ad-hoc, one-time imports to Jira Cloud.

  • Automatic import

    Schedule recurring imports based on predefined frequencies.

  • History

    View the history of recent import jobs.

Setup Credentials
To verify your AppScan on Cloud login credentials and save them in a secure, encrypted manner on your Atlassian instance:
  1. On the HCL AppScan Integration page in Jira Cloud, click the Credentials tab.
  2. Verify the service URL.

    By default, the service URL is populated with https://cloud.appscan.com. To connect to the EU server, change it to https://eu.cloud.appscan.com.

  3. Enter your key ID and key secret then click Save and verify Credentials.

Configuration

Customize import job settings to tailor how AppScan on Cloud applications are imported. Select configuration options that meet your organization’s security policies and priorities, ensuring accurate and actionable Jira ticket creation.

An application is a collection of scans related to the same project. One application can contain a combination of several scans, as well as issues imported from third-party scanners. All findings are consolidated at the application level.

To configure parameters for one or more applications:
  1. On the HCL AppScan Integration page in Jira Cloud click the Configuration tab.
  2. From the Applications drop-down list, select one or more applications for which to configure import of security issues. To configure for all applications, select All.
    Note: When you select more than one application, changes to configuration parameters are applied to each of them.
  3. Specify Policy IDs. Optional.

    Use a comma-separated list to specify multiple policy IDs.

  4. Filter issues to import based on issue Status, Severity, and Scan Type.

    The HCL AppScan Integration imports issues to Jira Cloud based on the selections made here. You can select multiple values for each filter.

    Filter      Values                                        Default selection
    Status      Open, In progress, Reopened                   Open
    Severity    Critical, High, Medium, Low, Informational    All
    Scan Type   DAST, SAST, SCA, IAST                         All

  5. From the Jira project drop-down list, specify the Jira project into which the integration places the issues from AppScan on Cloud.
  6. At the Jira issue type drop-down list, specify the type of Jira issue that should be created for each issue imported from AppScan on Cloud.

    The drop-down is populated with Jira ticket types based on the project selected in step 5. Available Jira issue types may include Improvement, Task, Sub-task, New Feature, Bug, and Epic.

  7. In the Status management section, click the checkbox to enable or disable automatic status management, and confirm your selection in the resulting dialog box. When enabled, issues marked Done in Jira are automatically updated to Fixed in AppScan on Cloud.
  8. For each AppScan severity, select a Jira priority, thus mapping AppScan on Cloud issues to Jira issues in the manner that best suits your organization.

    Default issue mapping is shown here:

  9. Click Save configuration.

    This configuration is used when initiating ad-hoc one-time imports or scheduled imports for the selected AppScan on Cloud application or applications.
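
The following added example (not code from HCL or from the integration) models the filter and mapping settings from steps 4 and 8 to show which findings a saved configuration would leave out of Jira; with the default Status filter of Open, findings that are Reopened or In progress produce no ticket. The dictionary keys, the finding IDs, and the severity-to-priority mapping are assumptions made for the illustration.

```python
# Model of the Configuration tab settings; all names here are hypothetical.
STATUSES = {"Open", "In progress", "Reopened"}
SEVERITIES = {"Critical", "High", "Medium", "Low", "Informational"}
SCAN_TYPES = {"DAST", "SAST", "SCA", "IAST"}


def validate_config(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for key, allowed in (("status", STATUSES), ("severity", SEVERITIES),
                         ("scan_type", SCAN_TYPES)):
        for value in sorted(set(cfg[key]) - allowed):
            problems.append(f"{key}: unknown value {value!r}")
    for sev in sorted(set(cfg["severity"]) & SEVERITIES):
        if sev not in cfg["priority_map"]:
            problems.append(f"priority_map: no Jira priority for {sev}")
    return problems


def plan_import(cfg, findings):
    """Split findings into (tickets to create, IDs the filters skip)."""
    tickets, skipped = [], []
    for f in findings:
        if (f["status"] in cfg["status"] and f["severity"] in cfg["severity"]
                and f["scan_type"] in cfg["scan_type"]):
            priority = cfg["priority_map"].get(f["severity"])
            tickets.append({"id": f["id"], "priority": priority})
        else:
            skipped.append(f["id"])
    return tickets, skipped


# Constructed settings: the default filters listed in step 4 (Status = Open,
# Severity = All, Scan Type = All) plus an assumed severity-to-priority mapping.
CONFIG = {
    "status": ["Open"],
    "severity": sorted(SEVERITIES),
    "scan_type": sorted(SCAN_TYPES),
    "priority_map": {"Critical": "Highest", "High": "High", "Medium": "Medium",
                     "Low": "Low", "Informational": "Lowest"},
}
# Constructed findings, not real scan output.
FINDINGS = [
    {"id": "F-1", "status": "Open", "severity": "Critical", "scan_type": "DAST"},
    {"id": "F-2", "status": "Reopened", "severity": "High", "scan_type": "SAST"},
    {"id": "F-3", "status": "In progress", "severity": "Low", "scan_type": "SCA"},
]

if __name__ == "__main__":
    print(validate_config(CONFIG), plan_import(CONFIG, FINDINGS))
```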

One-time import

To initiate an ad-hoc import of issues from AppScan on Cloud using the saved configuration:
  1. On the HCL AppScan Integration page in Jira Cloud click the One-time import tab.
  2. Specify the maximum number of issues to import per application.
  3. Click Import now.

    The integration shows the import status, including the count of issues imported. When complete, the integration displays a success message.

Automatic Import

To schedule recurring imports based on the saved configuration:
  1. On the HCL AppScan Integration page in Jira Cloud click the Automatic import tab.
  2. Specify a frequency for importing issues.
  3. Specify the maximum number of issues to import per application.
  4. Specify additional information according to frequency specified:
    Frequency   Additional information required
    Hourly      None. The import occurs at the top of every hour.
    Daily       Time of day
    Weekly      Day of week and time of day
    Monthly     Date and time of day
  5. Click Schedule auto import.

History

To view import history:
  • On the HCL AppScan Integration page in Jira Cloud click the History tab.

    View details of recent import jobs, such as import ID, last run date/time, import type, issues imported, and status.

Sample Jira ticket

  • The summary includes the scanning technology that detected the issue.
  • The Description contains the relevant details about the issue including
  • The Environment field contains the HCL AppScan environment that detected the issue.
  • The attached file is a single-issue report that a developer can use to understand the details of the issue. For SAST issues, the attached file contains the stacktrace of the issue. For DAST issues, the file contains the Request/Response Details.

Troubleshooting

Once the integration is installed, HCL Software has access to the logs that are generated when the integration is used. The logs contain technical information about activities, import jobs, and so on. If you have technical issues, we can use the logs to diagnose and troubleshoot the issue.

To check the content of the logs, download and review them:
  1. Visit https://support.atlassian.com/security-and-access-policies/docs/manage-your-users-third-party-apps/#Manageconnectedapps-Troubleshootanapp.
  2. Click Troubleshoot an app.
  3. Follow the instructions shown.
You can also disable log access at any time:
  1. Visit https://support.atlassian.com/security-and-access-policies/docs/manage-your-users-third-party-apps/#Manageconnectedapps-Troubleshootanapp.
  2. Click Disable log access.
  3. Follow the instructions shown.
    Note: Granting log access gives us access to logs for up to 60 days ago, even if sharing wasn’t active before then. When you disable access to logs, we can no longer see any logs that have been created inside your site.