Update to Jira Connect App qsh verification

Atlassian is introducing a breaking change to address a security vulnerability:

Action required: Atlassian Connect vulnerability allows bypass of app qsh verification via context JWTs

It looks like our app is affected because we are using JWT authentication. We do verify the qsh claim but we should still follow the steps described here.

Setting priority2 because the change will be enforced by Jun 7, 2021.

changed due date to June 07, 2021

added JiraGitLab for Jira Cloud app backend groupecosystem [DEPRECATED] priority2 labels

Setting label(s) devopscreate sectiondev based on ~"group::ecosystem".

added devopscreate sectiondev labels

@Andysoiron @mnohr I wonder if we should also backport this change, to reduce the breakage for users on older GitLab versions. I guess technically we could treat it as a security fix, except that the vulnerability was on the Jira side rather than GitLab.

@toupeira I think we may need to do that. If we make the change in %14.0, then customers will not get the fix until mid-June. That only gives customers a couple of weeks until this is enforced.

Atlassian has introduced a breaking change that will be enforced on June 7, 2021. This date is after we are able to implement and release the fix (%14.0, June 22).

I've created a backporting request to backporting the fix to older releases https://gitlab.com/gitlab-org/release/tasks/-/issues/2451.

https://docs.gitlab.com/ee/policy/maintenance.html#backporting-to-older-releases

I've asked about the security fix https://gitlab.com/gitlab-org/release/tasks/-/issues/2451 and we should implement this following the security release process with the backports in https://gitlab.com/gitlab-org/security/gitlab.

changed milestone to %14.0

added Category:Integrations security labels

added security-sp-label-missing security-triage-appsec labels

added severity2 label and removed security-sp-label-missing security-triage-appsec labels

@deuley @leipert @mnohr @mhenriksen This issue is ready for triage as per HackerOne process.

About this automation: AppSec Escalation Engine

added [deprecated] Accepting merge requests label

added Backlog RefinementIntegrations workflowplanning breakdown labels

mentioned in issue #328610 (closed)

@Andysoiron Is the work required to just add context-qsh: true into our app descriptor's apiMigrations?

@.luke yes as far as I understand the description from Atlassian this is all we need to do. In addition to that we should do some testing to make sure it still works

added workflowscheduling label and removed Backlog RefinementIntegrations workflowplanning breakdown labels

set weight to 2

added Deliverable label

removed workflowscheduling label