
jira-tickets-for-new-vulns's Introduction

Open Jira tickets for new & existing Snyk project issues

Sync your Snyk-monitored projects and automatically open Jira tickets for new issues, and for existing issues that do not yet have a ticket. Run it after snyk monitor in CI, or every day/hour for non-CLI projects. It is meant to be executed at a regular interval or with a trigger of your choice (webhooks).


This repository is in maintenance mode; no new features are being developed. Bug and security fixes will continue to be delivered. Open-source contributions are welcome for small features and fixes (no breaking changes).

Installation

You can either download the binaries from the release page or use go install github.com/snyk-tech-services/jira-tickets-for-new-vulns@latest

Usage - Quick start

  • --orgID required

    Public Snyk organization ID can be located in the organization settings

    Example: --orgID=0e9373a6-f858-11ec-b939-0242ac120002

  • --token required

    Create a service account in Snyk and use the provided token.

    Example: --token=0e9373a6-f858-11ec-b939-0242ac120002

  • --jiraProjectKey required

    Jira project key the tickets will be opened against.

    Example: --jiraProjectKey=TEAM_A

Example:

./snyk-jira-sync-linux --orgID=0e9373a6-f858-11ec-b939-0242ac120002 --token=xxxxxxxx-xxxx-xxxx-xxxx-0242ac120002 --jiraProjectKey=TEAM_A

Extended options

  • --orgID required

    Public Snyk organization ID can be located in the organization settings

    Example: --orgID=0e9373a6-f858-11ec-b939-0242ac120002

  • --token required

    Create a service account in Snyk and use the provided token.

    Example: --token=0e9373a6-f858-11ec-b939-0242ac120002

  • --jiraProjectKey required

    Jira project key the tickets will be opened against.

    Example: --jiraProjectKey=TEAM_A

  • --jiraProjectID optional

    jiraProjectKey or jiraProjectID must be set, but not both. This is an alternative way to specify a Jira project.

    Example: --jiraProjectID=1234

  • --projectID optional

    By default all projects in a given Snyk organization will be synced, if projectID is set only this project will be synced. Project public ID can be located in project settings

    Example: --projectID=0e9373a6-f858-11ec-b939-0242ac120002

  • --api optional

    Alternative API host.

    Example: --api=https://my.private.instance.com/api

  • --jiraTicketType optional

    Type of ticket to open. Defaults to Bug. Must match the issue type configured in the provided Jira project.

    Example: --jiraTicketType=Defect

  • --severity optional

    Severity threshold to open tickets for: issues at this severity and above get a ticket. Can be one of critical, high, medium, low. Defaults to low. Example: --severity=critical

  • --maturityFilter optional

    Can be one or multiple values: mature, proof-of-concept, no-known-exploit, no-data. Note: Not supported for Snyk Code

    Example: --maturityFilter=[mature,no-data]

  • --type optional

    Snyk issue type to open tickets for. Defaults to all. Possible values: all, vuln, license

    Example: --type=vuln

  • --assigneeId optional

    Jira ID of user to assign tickets to.

    Example: --assigneeId=123abc456def789

  • DEPRECATED --assigneeName optional

    Currently Snyk supports Jira API v2 where this field is now deprecated. See the Jira deprecation notice.

  • --priorityIsSeverity optional

    Set the ticket priority to be based on severity, default priorities & severities: Low|Medium|High|Critical=>Low|Medium|High|Highest. Can be true or false.

    Example: --priorityIsSeverity=true

  • --labels optional

    Set Jira ticket labels

    Example: --labels=app-1234

  • --dueDate optional

    Set the Jira ticket due date (YYYY-MM-DD).

    Example: --dueDate=2022-12-01

  • --priorityScoreThreshold optional

    Your minimum Snyk priority score threshold. Can be a number between 0 and 1000.

    Example: --priorityScoreThreshold=700 [0-1000]

  • --dryRun optional

    Enables dry run mode, which will not open any tickets but reports what changes would occur. Results can be found in a JSON log file in the same directory.

    Example: --dryRun=true

  • --debug optional

    Enables debug mode. For more comprehensive debug information from Go set the environment variable GODEBUG=http2debug=2 as well.

    Example: --debug=true

  • --cveInTitle optional

    Appends the CVE identifiers as a suffix to the Jira ticket title. Note: Not supported for Snyk Code

    Example: --cveInTitle=true

  • --ifUpgradeAvailableOnly optional

    Only create tickets for vuln issues that are upgradable. --type must be set to all or vuln for this to work.

    Example: --ifUpgradeAvailableOnly=true

  • --projectCriticality optional

    Include only projects whose Snyk business criticality attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.

    Example: --projectCriticality=critical,medium

  • --projectEnvironment optional

    Include only projects whose Snyk environment attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.

    Example: --projectEnvironment=backend,frontend

  • --projectLifecycle optional

    Include only projects whose Snyk lifecycle attribute contains one or more of the specified values. This should be all lower case, comma separated with no spaces.

    Example: --projectLifecycle=development,production

  • --configFile optional

    Path to the directory where the jira.yaml file is located (by default the current directory is checked)

    Example: --configFile=/directory-name

  • --ifAutoFixableOnly optional

    Only create tickets for vuln issues that are fixable (no effect when using ifUpgradeAvailableOnly). --type must be set to all or vuln for this to work.

    Example: --ifAutoFixableOnly=true
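The options above combine into one predicate per issue. The Go program below is an added example written for this page, not code from jira-tickets-for-new-vulns: it models the aggregated-issues fields the tool reads (issueType, issueData.severity, priorityScore, fixInfo.isUpgradable, fixInfo.isFixable) and applies --severity as an at-or-above threshold, --priorityScoreThreshold, --type and the two fixability switches to a constructed sample. The Issue and Filter types, the FilterIssues function and the sample data are this example's own; letting license issues pass the fixability switches untouched is an assumption, and maturityFilter and the project-attribute filters are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Issue is the subset of an aggregated-issues entry that the filters read.
type Issue struct {
	ID        string `json:"id"`
	IssueType string `json:"issueType"` // vuln | license
	IssueData struct {
		Severity string `json:"severity"` // critical | high | medium | low
	} `json:"issueData"`
	PriorityScore int `json:"priorityScore"` // 0..1000
	FixInfo       struct {
		IsUpgradable bool `json:"isUpgradable"`
		IsFixable    bool `json:"isFixable"`
	} `json:"fixInfo"`
}

// Filter mirrors the command-line switches described above.
type Filter struct {
	Severity               string // --severity: a threshold; "" behaves like low
	PriorityScoreThreshold int    // --priorityScoreThreshold: minimum score
	Type                   string // --type: all | vuln | license; "" behaves like all
	IfUpgradeAvailableOnly bool   // --ifUpgradeAvailableOnly: fixInfo.isUpgradable
	IfAutoFixableOnly      bool   // --ifAutoFixableOnly: fixInfo.isFixable
}

var severityRank = map[string]int{"low": 0, "medium": 1, "high": 2, "critical": 3}

// keep reports whether one issue passes every active filter.
func (f Filter) keep(is Issue) bool {
	threshold := f.Severity
	if threshold == "" {
		threshold = "low"
	}
	// --severity is a threshold: "high" keeps high AND critical, not only high.
	if severityRank[is.IssueData.Severity] < severityRank[threshold] {
		return false
	}
	if is.PriorityScore < f.PriorityScoreThreshold {
		return false
	}
	if f.Type != "" && f.Type != "all" && is.IssueType != f.Type {
		return false
	}
	// Assumption made by this example: the fixability switches judge vuln
	// issues only; a license issue has nothing to upgrade and passes through.
	// isUpgradable and isFixable are distinct bits: an issue fixed only by a
	// pin or a patch is fixable but not upgradable.
	if is.IssueType == "vuln" {
		if f.IfUpgradeAvailableOnly {
			return is.FixInfo.IsUpgradable
		}
		if f.IfAutoFixableOnly {
			return is.FixInfo.IsFixable
		}
	}
	return true
}

// FilterIssues decodes an aggregated-issues body and returns, in response
// order, the IDs that would get a ticket under f.
func FilterIssues(body []byte, f Filter) ([]string, error) {
	var resp struct {
		Issues []Issue `json:"issues"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode aggregated-issues: %w", err)
	}
	var kept []string
	for _, is := range resp.Issues {
		if f.keep(is) {
			kept = append(kept, is.ID)
		}
	}
	return kept, nil
}

// sampleAggregatedIssues is constructed for this example. The first entry
// copies the Django finding quoted in the issue tracker below (critical,
// fixable by pinning, not upgradable); the other three are made up.
const sampleAggregatedIssues = `{"issues":[
 {"id":"SNYK-PYTHON-DJANGO-2606969","issueType":"vuln","priorityScore":811,
  "issueData":{"severity":"critical"},"fixInfo":{"isUpgradable":false,"isFixable":true}},
 {"id":"EXAMPLE-VULN-UPGRADABLE","issueType":"vuln","priorityScore":540,
  "issueData":{"severity":"high"},"fixInfo":{"isUpgradable":true,"isFixable":true}},
 {"id":"EXAMPLE-LICENSE","issueType":"license","priorityScore":625,
  "issueData":{"severity":"high"},"fixInfo":{"isUpgradable":false,"isFixable":false}},
 {"id":"EXAMPLE-VULN-NOFIX","issueType":"vuln","priorityScore":300,
  "issueData":{"severity":"medium"},"fixInfo":{"isUpgradable":false,"isFixable":false}}
]}`

func main() {
	// Equivalent of --severity=high --type=vuln --ifAutoFixableOnly=true
	kept, err := FilterIssues([]byte(sampleAggregatedIssues), Filter{Severity: "high", Type: "vuln", IfAutoFixableOnly: true})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, id := range kept {
		fmt.Println("would open a ticket for", id)
	}
}
```

With the sample above, --severity=high keeps the critical, both high issues and drops the medium one; adding --ifUpgradeAvailableOnly leaves only the upgradable issue, while --ifAutoFixableOnly also keeps the Django issue, which is fixable by a pin but not by an upgrade.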

Restrictions

The tool does not support IaC projects. It opens tickets only for Snyk Code and Snyk Open Source projects and ignores all other project types.

Priority is Severity

Option to get the JIRA ticket priority set based on issue severity. Defaults map to:

Issue severity JIRA priority
critical Highest
high High
medium Medium
low Low

Use the SNYK_JIRA_PRIORITY_FOR_XXX_VULN env var to override the default and set your own value.

Example: Critical sevs should receive the Hot Fix priority in JIRA

export SNYK_JIRA_PRIORITY_FOR_CRITICAL_VULN='Hot Fix'

Installation from source

git clone the repo, then build it, or run it directly from source:

go run main.go jira.go jira_utils.go vulns.go snyk.go snyk_utils.go

Please report issues.

Dependencies

  • https://github.com/michael-go/go-jsn/jsn to make JSON parsing a breeze
  • github.com/tidwall/sjson
  • github.com/kentaro-m/blackfriday-confluence
  • gopkg.in/russross/blackfriday.v2

LogFile

A logFile listing all the tickets created can be found where the tool has been run.

{
  "projects": {
    "123": [
      {
        "Summary": "test/goof:package.json - Remote Code Execution (RCE)",
        "Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore:  8.10\n exploitMaturity:  proof\\-of\\-concept\n severity:  high\n pkgVersions: 3.0.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"proxy\\-agent\"@\"3.1.0\" =\u003e \"pac\\-proxy\\-agent\"@\"3.0.0\" =\u003e \"pac\\-resolver\"@\"3.0.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1589857]\n\n",
        "JiraIssueDetail": {
          "JiraIssue": {
            "Id": "10001",
            "Key": "FPI-001"
          },
          "IssueId": "SNYK-JS-PACRESOLVER-1589857"
        }
      },
      {
        "Summary": "test/goof:package.json - Prototype Pollution",
        "Description": "\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n cvssScore:  6.30\n exploitMaturity:  proof\\-of\\-concept\n severity:  medium\n pkgVersions: 4.2.0\\]\n\r\n*Impacted Paths:*\n\\- \"snyk\"@\"1.228.3\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\\- \"snyk\"@\"1.228.3\" =\u003e \"update\\-notifier\"@\"2.5.0\" =\u003e \"configstore\"@\"3.1.2\" =\u003e \"dot\\-prop\"@\"4.2.0\"\n\r\n[See this issue on Snyk|https://app.snyk.io/org/test/project/123]\n\n[More About this issue|https://security.snyk.io/vuln/SNYK-JS-DOTPROP-543499]\n\n",
        "JiraIssueDetail": {
          "JiraIssue": {
            "Id": "10001",
            "Key": "FPI-001"
          },
          "IssueId": "SNYK-JS-DOTPROP-543499"
        }
      }
    ]
  }
}

Jira.yaml

Example of config file structure. If your Jira project has specific required fields or custom fields configured, they need to be added to the config file.

Mandatory fields:

  • Give both the key and the value Jira expects under the customMandatoryFields key of the config file. Two kinds of required field are supported: a simple key/value pair, or a nested key/value.

  • Simple key/value:

      customMandatoryFields:
            key:
              value: "This is a summary"
    

    will result in adding this object to the ticket: {"key":{"value":"This is a summary"}}

  • Nested:

      customMandatoryFields:
          firstKey:
                secondKey:
                  id: 65
    

    will result in adding this object to the ticket: {"firstKey":{"secondKey":{"id":65}}}

Custom fields:

At the moment three kinds of typed custom Jira field are supported (labels, MultiGroupPicker and MultiSelect), plus a plain simpleField value.

Make sure to respect the format in the config file:

  • simpleField: "customfield_10601": value: jiraValue-simpleField-something to add to the ticket will be sent as "customfield_10601":"something to add to the ticket"
  • labels: "customfield_10601": value: jiraValue-label-Value1,Value2 will be sent as "customfield_10601":["Value1","Value2"]
  • MultiGroupPicker: "customfield_10601": value: jiraValue-MultiGroupPicker-Value1,Value2 will be sent as "customfield_10601":[{"name":"Value1"},{"name":"Value2"}]
  • MultiSelect: "customfield_10601": value: jiraValue-MultiSelect-Value1,Value2 will be sent as "customfield_10601":[{"value":"Value1"},{"value":"Value2"}]

For more details on jira custom field please visit Jira documentation

schema: 1
snyk:
    orgID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990513 # <SNYK_ORG_ID>
    projectID: a1b2c3de-99b1-4f3f-bfdb-6ee4b4990514 # <SNYK_PROJECT_ID>
    severity: critical # <critical|high|medium|low>
    maturityFilter: mature # <mature,proof-of-concept,no-known-exploit,no-data>
    type: all # <all|vuln|license>
    priorityScoreThreshold: 10
    api: https://myapi # <API endpoint> (optional; see --api)
    ifUpgradeAvailableOnly: false # <true|false>
jira:
    jiraTicketType: Task # <Task|Bug|....>
    jiraProjectKey: testProject # set either jiraProjectKey or jiraProjectID, not both
    # jiraProjectID: 12345
    assigneeId: 123abc456def789
    priorityIsSeverity: true # <true|false> (defaults: Low|Medium|High|Critical=>Low|Medium|High|Highest)
    labels: label1 # <IssueLabel1>,<IssueLabel2>
    customMandatoryFields:
        key:
            value: 5
        customfield_10601:
            value: jiraValue-MultiGroupPicker-Value1,Value2
        customfield_10602:
            value: jiraValue-simpleField-something to add to the ticket

Notes:

  • The token is not expected to be present in the config file
  • Command line arguments override the config file. I.e.: using the config file above, running ./snyk-jira-sync-macOs --orgID=1234 --configFile=./path/to/folder --token=123 the org ID used by the tool will be 1234 and not a1b2c3de-99b1-4f3f-bfdb-6ee4b4990513
  • See 'Extended options' for default values
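The pieces described above (the Priority is Severity mapping with its env var override, the customMandatoryFields objects, and the jiraValue-<kind>-<values> encoding of custom fields) all end up in the fields object of a Jira create-issue request. The Go program below is an added example for this page and not the project's own code: jiraPriorityFor, customFieldValue, TicketOptions and buildTicketFields are names chosen here. It splits the jiraValue string on at most two hyphens so a value that itself contains hyphens (a date, for instance) is kept whole, and it writes the due date under Jira's lower-case duedate field; the {"name": ...} shape used for the priority is an assumption about Jira's REST API, not something this page documents.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// defaultPriority is the mapping documented under "Priority is Severity".
var defaultPriority = map[string]string{"critical": "Highest", "high": "High", "medium": "Medium", "low": "Low"}

// jiraPriorityFor returns the Jira priority name for a Snyk severity, honouring
// SNYK_JIRA_PRIORITY_FOR_<SEVERITY>_VULN when that variable is set. getenv is
// injected so the lookup can be exercised without touching the real environment.
func jiraPriorityFor(severity string, getenv func(string) string) string {
	if v := getenv("SNYK_JIRA_PRIORITY_FOR_" + strings.ToUpper(severity) + "_VULN"); v != "" {
		return v
	}
	return defaultPriority[strings.ToLower(severity)]
}

// customFieldValue decodes the "jiraValue-<kind>-<values>" convention into the
// JSON shape Jira expects for that kind. Splitting at most twice leaves hyphens
// inside the value alone, so a date such as 2011-10-19T10:29:29.908+1100 survives.
func customFieldValue(raw string) (interface{}, error) {
	parts := strings.SplitN(raw, "-", 3)
	if len(parts) != 3 || parts[0] != "jiraValue" {
		return nil, fmt.Errorf("not a jiraValue-<kind>-<values> string: %q", raw)
	}
	kind, values := parts[1], strings.Split(parts[2], ",")
	switch kind {
	case "simpleField":
		return parts[2], nil // sent as a plain string
	case "label":
		return values, nil // sent as ["Value1","Value2"]
	case "MultiGroupPicker", "MultiSelect":
		key := "name" // MultiGroupPicker wants [{"name": ...}]
		if kind == "MultiSelect" {
			key = "value" // MultiSelect wants [{"value": ...}]
		}
		out := make([]map[string]string, 0, len(values))
		for _, v := range values {
			out = append(out, map[string]string{key: v})
		}
		return out, nil
	}
	return nil, fmt.Errorf("unsupported custom field kind %q", kind)
}

// TicketOptions carries the per-run settings that shape every ticket.
type TicketOptions struct {
	JiraProjectID         string
	IssueType             string                 // --jiraTicketType
	DueDate               string                 // --dueDate, YYYY-MM-DD
	PriorityIsSeverity    bool                   // --priorityIsSeverity
	CustomMandatoryFields map[string]interface{} // already in Jira's shape
	CustomFields          map[string]string      // field id -> jiraValue-... string
}

// buildTicketFields assembles the "fields" object of a Jira create-issue request.
func buildTicketFields(summary, description, severity string, o TicketOptions, getenv func(string) string) (map[string]interface{}, error) {
	fields := map[string]interface{}{
		"project":     map[string]string{"id": o.JiraProjectID},
		"summary":     summary,
		"description": description,
		"issuetype":   map[string]string{"name": o.IssueType},
	}
	if o.DueDate != "" {
		fields["duedate"] = o.DueDate // Jira's field is spelled "duedate", all lower case
	}
	if o.PriorityIsSeverity {
		fields["priority"] = map[string]string{"name": jiraPriorityFor(severity, getenv)}
	}
	for k, v := range o.CustomMandatoryFields {
		fields[k] = v
	}
	for k, raw := range o.CustomFields {
		v, err := customFieldValue(raw)
		if err != nil {
			return nil, err
		}
		fields[k] = v
	}
	return fields, nil
}

func main() {
	fields, err := buildTicketFields(
		"test/goof:package.json - Prototype Pollution", "See this issue on Snyk", "critical",
		TicketOptions{
			JiraProjectID: "12345", IssueType: "Bug", DueDate: "2022-12-01", PriorityIsSeverity: true,
			CustomMandatoryFields: map[string]interface{}{"firstKey": map[string]interface{}{"secondKey": map[string]int{"id": 65}}},
			CustomFields:          map[string]string{"customfield_10601": "jiraValue-MultiSelect-Value1,Value2"},
		}, os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"fields": fields}, "", "  ")
	fmt.Println(string(out))
}
```

Running it with SNYK_JIRA_PRIORITY_FOR_CRITICAL_VULN='Hot Fix' exported swaps the Highest priority for Hot Fix in the printed payload, which is the behaviour the env var section above describes.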

Contributors

aarlaud, ilantsnyk, jeff-snyk, jlourenc, lili2311, mathild3r, olegshprengelsnyk, scott-es, vallieres


jira-tickets-for-new-vulns's Issues

Only open ticket when issue is upgradable and patchable.

Hi Team,

Is there a way I can only open the ticket if the vulnerability is either upgradable or patchable? Something like the flag --fail-on=all (https://docs.snyk.io/snyk-cli/commands/test#fail-on-less-than-all-or-upgradable-or-patchable-greater-than)

Currently, I can only see one option --ifUpgradeAvailableOnly that creates tickets for vuln that are upgradable, but this doesn't cover patchable issues. Is there a way I can do that? Is this a flag not yet included in the code or am I missing something?

Thanks

Unable to create JIRA tickets

Hi Team
I'm trying to create JIRA ticket, but facing the error mentioned in screenshot, tried using --debug flag to get some error info but not really able to figure the issue from same. Is there something I should be doing differently?


Here is the command I've used
./snyk-jira-sync-macos --token=<token> --orgID=1<orgID> --projectID=<projectID> --dryRun=true --configFile=<configFileDir> --debug=true

Errors with "/bin/" in summary of the Jira Issue get caught by WAF, failing HTTP request to Snyk API when creating new vulnerabilities

When this tool encounters a project with a vulnerability that has a title of "/bin/" in the title in Snyk, it will fail creating the issue with a nondescript error code, as shown below:

*** ERROR *** Please check the format config file unexpected end of JSON input
open : no such file or directory
*** ERROR *** Could not read file at location: . Please ensure the file exists and is formatted correctly.
ERROR: open: no such file or directory


This is misleading, since it is not a JSON error, but rather a HTTP Error code 403 response, since I can reproduce this error in the Snyk Web UI by finding the project in question, obtained from the above log (the last "Step 1/4 - Retrieving project <PROJECT_UUID>" message) and pressing the "Create a Jira Issue" for the vulnerability for this. This will just print out "Failed to create the Jira issue" and log a network request error with the 403 response code as shown below:

POST https://app.snyk.io/org/<MY_ORGANIZATION>/project/<PROJECT_UUID>/issue/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754/jira/new

With the response content of:

Access Denied
You don't have permission to access "http://app.snyk.io/org/<MY_ORGANIZATION>/project/<PROJECT_UUID>/issue/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754/jira/new" on this server.

Reference #18.e6e22517.1713957523.146c0bb9

https://errors.edgesuite.net/18.e6e22517.1713957523.146c0bb9

Suggestion:

1:
Handle HTTP errors relating to the Web Application Firewall, which fails with HTTP Error code 403, likely to prevent Path Traversal attacks.

Perhaps continue with the rest of the tasks after this failure and perhaps print out the failed task in the end?

2:
Otherwise, a solution could be to change the summary of the To Be Created Jira Issue, to sanitize and remove illegal character combinations. For example, what worked for this specific issue was to replace the "/bin/" part of the issue summary to something like "bin", like so:
Original: <APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local/bin/<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5
Sanitized: <APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local_bin_<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5

I tested this sanitization, and successfully created a Jira Issue with the following cURL:
curl 'https://app.snyk.io/org/<MY_ORGANIZATION>/project/<PROJECT_UUID>/issue/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754/jira/new' -X POST --data-raw '{"projectId":"x","issueTypeId":"x","assignee":null,"summary":"<APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local_bin_<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5", ...}'

A weird thing, the summary cannot contain "/bin/" but the description can contain "/bin/" just fine? Strange behavior.

Unable to execute the utility

Hi the latest version is not executing for me.
It fails with the error:

*** ERROR *** config file not found
2022/04/20 19:08:51 *** ERROR *** Missing mandatory flags &{ https://snyk.io/api

Command:
./snyk-jira-sync-macos --token {} --priorityIsSeverity --jiraProjectKey AR --debug --dryrun --orgID {}

even running ./snyk-jira-sync-macos --help throws same error

--severity flag not working as expected

Hi Team
While using --severity flag along with command, it is not working as expected for lower priorities , it takes all higher priorities as well. While it should only use the severity passed with flag by user
For eg:
--severity: critical (creates ticket for critical issues)
--severity: high (creates ticket for critical and high issues while it should create tickets for high issues)
--severity: medium (creates ticket for critical, high and medium issues while it should create tickets for medium issues)
--severity: low (creates ticket for critical, high, medium and high issues while it should create tickets for low issues)

Vulnerability in Release 5.1.0

The library golang.org/x/text version 0.3.7 was detected in Golang binary located at /snyk-jira-sync-linux and is vulnerable to CVE-2022-32149, which exists in versions <0.3.8.

The vulnerability was found in the The Go Vulnerability Database with vendor severity: High (NVD severity: High).

Note: If this library is owned by a 3rd party vendor (e.g. open source library), follow the vendor's release-notes to check remediation options.

Feature Request: Create a single Jira ticket per Snyk target

Rather than creating a single Jira ticket per Snyk project issue, there should be an option to create a single Jira ticket per Snyk target. For example, if the Snyk target snyk/goof has 3 vulnerabilities with critical severity and mature exploit-ability, enabling this toggle would allow for the creation of a single Jira ticket including the Snyk project issue links for all 3 tickets. This example assumes the optional severity and maturity were used.

Not Creating License Issue ticket

Hi Team,

I have noticed an issue with the code: the IssueType=License is not parsed correctly. If you look at the code here https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/vulns.go#L177, it is parsing

for _, e := range j.K("issues").K("licenses").Array().Elements() {

for the type: license flag. But this will never parse the Snyk log correctly because
a) its license, not licenses and
b) the key is issueType not issue

I used the below output of the aggregated-issue API call from the code. As you can see even though I have a license issue matching the filter I am passing, it is not creating the Jira ticket.

`2022/07/10 10:50:55 *** INFO *** Body : {"filters":{"severities":["critical","high"],"priority":{"score":{"min":0,"max":1000}},"types":["license"],"ignored":false,"patched":false}}

2022/07/10 10:50:55 ************************* AGGREGATED ISSUE OUTPUT *******************************************
2022/07/10 10:50:55 {map[issues:[map[fixInfo:map[isFixable:false isPartiallyFixable:false isPatchable:false isPinnable:false isUpgradable:false nearestFixedInVersion:] id:XXXXX:false isPatched:false issueData:map[exploitMaturity:no-data id:XXXX isMaliciousPackage:false language:js nearestFixedInVersion: publicationTime:2022-07-03T18:02:34.595Z semver:map[vulnerable:[>=0]] severity:high title:xxxx url:https://snyk.io/vuln/xxxx] issueType:license links:map[paths:https://app.snyk.io/api/v1/org/xxxx/project/xxxx/history/xxxx/issue/xxxx/paths] pkgName:xx pkgVersions:[xx] priority:map[factors:[map[description:Recently disclosed name:isFresh] map[description:High severity name:severity]] score:625] priorityScore:625]]] true}
2022/07/10 10:50:55 ********************************************************************

2022/07/10 10:50:55 *** INFO *** List of vuln without tickets: map[]
2022/07/10 10:50:55 *** INFO *** Step 4/4 - No new Jira ticket required`

A simple fix is copying the parsing of vulnerability and changing to following

for _, e := range listOfIssues {
	if e.K("issueType").String().Value == "license" {
		// handle the license issue the same way the vuln branch does
	}
}

Problem creating jiraIssue

The script sends a post request for endpoint /api/v1/org/{orgID}/project/{projectID}/issue/{issueID}/jira-issue and return a exception error entity.parse.failed with http status code 400 bad request.

I read the documentation for create-jira-issue and it shows they are exactly the same attributes being passed in the request on line 179 of the jira.go.

I think the problem is in the request body in the description attribute.

Request body
{ "fields": {"project": {"id":"{projectID}"} ,"summary":"generic/project/name - Cross-Site Request Forgery (CSRF)", "description":"\r\n \\*\\*\\*\\* Issue details: \\*\\*\\*\\*\n\r\n Title: Cross\\-Site Request Forgery \\(CSRF\\)\n Summary: CSRF protection is disabled by setting the value to \\_. This allows the attackers to execute requests on a user's behalf.\n Severity: low\n PriorityScore: 434\n PriorityScoreFactors:\n \\- Found in multiple sources\n \\- Found in a file appearing in multiple code flows\n \\- Has fix examples available \r\n *_Impacted file:_*\n\r {impactedFile}\n \\- startLine: 32\n \\- startColumn: 9\n \\- endLine: 32\n \\- endColumn: 38\n\n[See this issue on Snyk|https://app.snyk.io/org/{org}/project/{projectId}]\n\n", "issuetype":{ "name":"Bug"} }

Response body
{"expose":true,"statusCode":400,"status":400,"body":"{ \"fields\": {\"project\": {\"id\":\"number\"} ,\"summary\":\"generic/project/name - Cross-Site Request Forgery (CSRF)\", \"issuetype\":{ \"id\":\"number\"} } ","type":"entity.parse.failed"}

Please can you help me?

Utility doesn't work in kubernetes

Hi,

I created a docker image in order to run the utility in in one of our kubernetes clusters. The image builds just fine but when I try to run it in kubernetes I get the following:

2022/06/30 03:29:41 *** INFO *** Project ID not specified - listing all projects that match the following filers:  projectCriticality:
 projectEnvironment:
 projectLifecycle:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x8442d1]

goroutine 1 [running]:
main.makeSnykAPIRequest(0x93ef2d, 0x3, 0xc00002c230, 0x48, 0x7ffff3a54dc2, 0x24, 0x0, 0x0, 0x0, 0xc00002c200, ...)
	/home/circleci/project/snyk_utils.go:38 +0x441
main.getOrgProjects(0xc000024510, 0x24, 0x9489a2, 0x13, 0x7ffff3a54dc2, 0x24, 0x0, 0x0, 0xc000028eb8, 0x4, ...)
	/home/circleci/project/snyk.go:65 +0x1a7
main.getProjectsIds(0xc000024510, 0x24, 0x9489a2, 0x13, 0x7ffff3a54dc2, 0x24, 0x0, 0x0, 0xc000028eb8, 0x4, ...)
	/home/circleci/project/snyk.go:90 +0x1ac
main.main()
	/home/circleci/project/main.go:24 +0x104

Here's my Dockerfile

FROM alpine:3

ENV VERSION 1.29.0
WORKDIR /snyk
RUN wget -q https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/releases/download/${VERSION}/snyk-jira-sync-linux
ENV PATH /snyk:$PATH
COPY jira.yaml /snyk/
COPY entrypoint.sh /snyk/
RUN apk add --no-cache libc6-compat gcompat su-exec && \
    chmod +x snyk-jira-sync-linux entrypoint.sh

ENTRYPOINT ["/snyk/entrypoint.sh"]

And my entrypoint.sh:

#!/bin/sh

# POSIX sh has no [[ ]]; use a single-bracket test and quote the variable.
if [ -z "$SNYK_API_TOKEN" ]; then
    echo "SNYK_API_TOKEN variable required."
    exit 1
fi

# ${DEBUG:-false} supplies a default; ${DEBUG:false} is a substring expansion, not a default.
su-exec nobody /snyk/snyk-jira-sync-linux --configFile=/snyk --token="${SNYK_API_TOKEN}" --debug="${DEBUG:-false}"

Any help/insight you can provide would be welcome.

New flag request: --canAutoPR

When trying to use the --isUpgradeAvailableOnly flag to try to only create Jira tickets for fixable problems, I hit the issue of tickets with fixes not being created.

Upon checking the API, I found that the reason was simple: tickets with patches available had isUpgradable set to False, but isFixable set to true.

Suggestion: To prevent breaking things for customers depending on the current implementation of --isUpgradeAvailableOnly, create a second flag (optimally incompatible with each other) called --canAutoPR which would pass if any of the fixInfo fields are true - which I believe would cover any issue that can have an automated PR generated by snyk.

As far as I can tell, the code to add to is mostly here - but I don't know golang well enough to produce a PR.
https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/jira.go#L247

Json response from https://app.snyk.io/api/v1/org/$ORG_ID/project/$PROJECT_ID/aggregated-issues:

{
	"issues": [
		{
			"id": "SNYK-PYTHON-DJANGO-2606969",
			"issueType": "vuln",
			"pkgName": "django",
			"pkgVersions": [
				"3.2"
			],
			"priorityScore": 811,
			"priority": {
				"score": 811,
				"factors": [
					{
						"name": "exploitMaturity",
						"description": "Proof of Concept exploit"
					},
					{
						"name": "isFixable",
						"description": "Has a fix available"
					},
					{
						"name": "cvssScore",
						"description": "CVSS 9.8"
					}
				]
			},
			"issueData": {
				"id": "SNYK-PYTHON-DJANGO-2606969",
				"title": "SQL Injection",
				"severity": "critical",
				"url": "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-2606969",
				"identifiers": {
					"CVE": [
						"CVE-2022-28346"
					],
					"CWE": [
						"CWE-89"
					]
				},
				"credit": [
					"Preston Elder",
					"Jacob Davis",
					"Jacob Moore",
					"Matt Hanson",
					"David Briggs",
					"and Danylo Dmytriiev"
				],
				"exploitMaturity": "proof-of-concept",
				"semver": {
					"vulnerable": [
						"[,2.2.28)",
						"[3.0,3.2.13)",
						"[4.0,4.0.4)"
					]
				},
				"publicationTime": "2022-04-11T16:03:04Z",
				"disclosureTime": "2022-04-11T12:17:04Z",
				"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
				"cvssScore": 9.8,
				"cvssDetails": [
					{
						"assigner": "NVD",
						"severity": "critical",
						"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"cvssV3BaseScore": 9.8,
						"modificationTime": "2022-11-08T01:10:40.472234Z"
					}
				],
				"language": "python",
				"patches": [],
				"nearestFixedInVersion": "",
				"isMaliciousPackage": false
			},
			"isPatched": false,
			"isIgnored": false,
			"fixInfo": {
				"isUpgradable": false,
				"isPinnable": true,
				"isPatchable": false,
				"isFixable": true,
				"isPartiallyFixable": true,
				"nearestFixedInVersion": "",
				"fixedIn": [
					"2.2.28",
					"3.2.13",
					"4.0.4"
				]
			},
			"links": {
				"paths": "https://app.snyk.io/api/v1/org/REDACTED/project/REDACTED/history/REDACTED/issue/SNYK-PYTHON-DJANGO-2606969/paths"
			}
		}
	]
}

Reproduction steps:

Create a git repo with a single file, requirements.txt that has the following contents:

django==3.2

Scan the repo with snyk, in an org with jira integration enabled

Try to call this script against that project with the --isUpgradeAvailableOnly flag set

Optional parameter severity is not so optional

We are just spinning this up internally to create all tickets, and when testing using the arguments in the example in the readme we would get an error on projects that did not have dependencies, for instance kubernetes deployment yaml.

*** ERROR *** Could not get aggregated data from https://snyk.io/api org ####-###-###-###-### project ###-###-###-###-### issue ####

Enabling the debug log there is a 404 on that project API endpoint

2021/12/29 10:07:48 *** ERROR *** Request on endpoint 'https://snyk.io/api/v1/org/####-###-###-###-###/project/###-###-###-###-### /issue/####/paths' failed with error 404 Not Found

Adding in the severity argument allowed the software to work as expected.

Filter out inactive projects

Whenever I run the sync tickets get created for projects that are marked as inactive. Is there a way to tell the utility to skip those? Additionally, it'd be nice to have an include and/or exclude filter based on tag(s).

I'm running v3.35.1 if that helps.

Error when setting dueDate "snyk-jira-sync-linux --dueDate=2023-10-20"

Noticed in jira.go line 34: `DueDate string json:"dueDate,omitempty"`. dueDate is mapped wrongly. It should be changed to `DueDate string json:"duedate,omitempty"`.

2023/07/22 05:38:46 *** ERROR *** VulnID SNYK-JS-HOSTEDGITINFO-10xx3xx ticket not created : Request to /v1/org/aexxxaf9-xxxx-4faa-aedb-c806a9xxx8a/project/cexxx71-xx38-xx6a-9f10-446xxxxxa9/issue/SNYK-JS-HOSTEDGITINFO-10xx3xx/jira-issue failed with : Unprocessable Entity, Request failed

Print out error message when no ErrorsFile can be found

Created from issue #211

When debugging a separate problem, I couldn't understand the actual problem, since there was no error message outputted. As shown below, it just prints out a generic "no such file or directory":

ERROR Please check the format config file unexpected end of JSON input
no such file or directory
Could not read file at location: .
Please ensure the file exists and is formatted correctly.
ERROR no such file or director

It turns out it was because I ran the binary in a Docker Image, and I think it was missing some permissions to write the ErrorsFile.
And when the code runs into an error and tries to print out a failure message, if the ErrorsFile cannot be read/found in the "writeErrorFile" function here: https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/utils.go#L371
Then it will fail with the above shown message about it not being able to read the file.
The errors in the "writeErrorFile" are not handled, and this makes sense, since it usually does not make sense to print errors when trying to read error messages.

But my suggestion is to just output a generic error message, saying that no files were found when looking for other errors.

Issue while creating customMandatoryFields

Hi,

I am trying to add our custom Jira field called "Line of Business" in the jira.yaml file but not sure how to do it. I have tried all the below methods, but everything gave me the same error (except the last one):

2022/03/27 15:47:23 *** INFO *** Please check that all expected fields are present in the config file
2022/03/27 15:47:23 *** INFO *** Details : {"error":"Field 'value' cannot be set. It is not on the appropriate screen, or unknown., Field 'key' cannot be set. It is not on the appropriate screen, or unknown."}
2022/03/27 15:47:23 *** ERROR *** Request failed
  1. jira.yaml
     customMandatoryFields:
           key:
               Value: Security Team
           transition:
               id: 12345 <- this is the id of the field in jira
  2. jira.yaml
     customMandatoryFields:
       key: "Line of Business"
       value: "Security Team"
  3. jira.yaml
     customMandatoryFields:
           12345:
               Value: Security Team
  4. jira.yaml
     customMandatoryFields:
           components: [{"Line of Business": Security Ratings}]

Error

2022/03/27 16:18:04 *** ERROR *** Could not Marshalled new ticket, mandatory fields will no the added json: unsupported type: map[interface {}]interface {}
2022/03/27 16:18:04 *** INFO *** Request on endpoint 'https://snyk.io/api/v1/org/orgID/project/projectid/issue/issueid/jira-issue' failed with error 422 Unprocessable Entity

Can you please help me with it?

Weird ERROR coming from snyk API

Hi folks,

I'm running jira-tickets-for-new-vulns binary every day and since a while we are receiving the following error while scanning ECR container images project:

2023/01/25 11:03:06 *** ERROR *** Could not get paths data from https://snyk.io/api org MY-ORG-ID project MY-PROJECT-ID issue SNYK-UPSTREAM-NODE-3035795

That is preventing the tool to create the jira ticket for the issue.

Any help would be appreciated.
Thanks,

CustomMandatory Fields does not support Datetime formats

The default date time format for JIRA is "2011-10-19T10:29:29.908+1100", which contains hyphens, and only "2011" is considered when it is passed as a custom field.

jira_utils.go
The supportJiraFormats() method splits strings on "-"; this needs to be changed to support the date time format.

ERROR could not get aggregated data from https://snyk.io/api org Request failed

It runs fine until it hits a specific project... Then it throws an error that is not verbose enough.

snyk-jira-sync --projectID XXXXX --orgID=$SNYK_ORGID --jiraProjectKey=SEC --severity=high --configFile ./ --type=vuln --token=$SNYK_API_KEY --labels=snyk,vulnerability,high --priorityIsSeverity=P2 --debug
2022/04/23 02:01:29 *** INFO *** 1/4 - Retrieving Project XXXXX
2022/04/23 02:01:29 *** INFO *** 2/4 - Getting Existing JIRA tickets
2022/04/23 02:01:30 *** INFO *** 3/4 - Getting vulns
2022/04/23 02:01:30 *** ERROR *** Could not get aggregated data from https://snyk.io/api org XXXXXX project XXXXX issue SNYK-UPSTREAM-NODE-1315789
2022/04/23 02:01:30 Request failed
