Sync Jira Issue and Vulnerability Object
Proposal
Problem to solve
Today a Jira issue can be created from a vulnerability in GitLab. Customers treat Jira as their SSOT for their vulnerability backlog. Today, when a Jira issue is closed, the closure is not reflected back on the GitLab Vulnerability object. The same goes in the other direction: if the GitLab Vulnerability object closes, the Jira issue is not closed.
It would be nice to propagate closure between issues and vulnerability objects to reduce redundant grooming of vulnerabilities.
Further details
GitLab has a feature to create a JIRA issue from a vulnerability. To further expand on this feature, a 500 Premium customer would like to request an improvement: automatically updating the JIRA issue status whenever the vulnerability status is updated in the GitLab UI. The current way to do it is to go into JIRA and update the issue manually, or to resolve the CVE with a merge request that mentions the JIRA issue ID.
Note that the customer has trialled GitLab Ultimate and is requesting this feature. I have attached an example of what they are looking for (this is Snyk's integration with JIRA).
Current workarounds
GitLab exposes the Jira issue IDs via the externalIssueLinks field in GraphQL:

    query vulnerabilityExternalIssues($fullPath: ID!) {
      project(fullPath: $fullPath) {
        id
        vulnerabilities {
          nodes {
            # The Vulnerability type exposes a single severity value.
            severity
            externalIssueLinks {
              nodes {
                id
                linkType
                externalIssue {
                  # Tracker type and the issue reference within that tracker.
                  externalTracker
                  relativeReference
                }
              }
            }
          }
        }
      }
    }

Please collect all the severities and Jira IDs, then perform the update via the Jira API.
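
The collection step of this workaround, as an added example that is not part of the original issue or GitLab's own code. It assumes each vulnerability node carries a severity value, that relativeReference holds the Jira issue key, and that the Jira instance uses the default priority names; the severity-to-priority mapping and the Jira base URL are placeholders, and the script only builds the requests for Jira's edit-issue endpoint without sending them.

```python
import re

# Assumed severity -> Jira priority mapping, ordered lowest to highest.
SEVERITY_TO_PRIORITY = {"UNKNOWN": "Lowest", "INFO": "Lowest", "LOW": "Low",
                        "MEDIUM": "Medium", "HIGH": "High", "CRITICAL": "Highest"}
RANK = list(SEVERITY_TO_PRIORITY)
JIRA_KEY = re.compile(r"[A-Z][A-Z0-9_]*-[1-9][0-9]*")  # e.g. SEC-12


def worst_severity_per_issue(response):
    """Map each linked Jira key to the highest severity among its vulnerabilities."""
    project = (response.get("data") or {}).get("project")
    if project is None:  # wrong fullPath, or the token cannot read the project
        raise ValueError("project missing from GraphQL response")
    worst = {}
    for vuln in project["vulnerabilities"]["nodes"]:
        sev = vuln.get("severity")
        if sev not in SEVERITY_TO_PRIORITY:
            continue
        for link in vuln["externalIssueLinks"]["nodes"]:
            issue = link.get("externalIssue") or {}  # may be null in a response
            if str(issue.get("externalTracker", "")).upper() != "JIRA":
                continue
            key = issue.get("relativeReference") or ""
            # The key ends up in a URL path, so accept only a well-formed Jira key.
            if not JIRA_KEY.fullmatch(key):
                continue
            if key not in worst or RANK.index(sev) > RANK.index(worst[key]):
                worst[key] = sev
    return worst


def plan_jira_updates(response, jira_base_url):
    """Build (not send) one Jira 'edit issue' request per linked issue."""
    base = jira_base_url.rstrip("/")
    return [{"method": "PUT", "url": f"{base}/rest/api/2/issue/{key}",
             "json": {"fields": {"priority": {"name": SEVERITY_TO_PRIORITY[sev]}}}}
            for key, sev in sorted(worst_severity_per_issue(response).items())]


def _vuln(severity, *refs):  # helper for the constructed sample below
    links = [{"externalIssue": {"externalTracker": "JIRA", "relativeReference": r}}
             for r in refs]
    return {"severity": severity, "externalIssueLinks": {"nodes": links}}


# Constructed sample response, shaped like the result of the query above.
SAMPLE = {"data": {"project": {"vulnerabilities": {"nodes": [
    _vuln("MEDIUM", "SEC-12"), _vuln("CRITICAL", "SEC-12"),
    _vuln("LOW", "APP-7"), _vuln("HIGH", "SEC-1/../../user"), _vuln("INFO"),
]}}}}
```

The sample sends nothing; a real run would page through the vulnerabilities connection and submit each planned request with a Jira token scoped to editing issues only.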
