We are excited to announce the release of our new Jira plugin. It allows to synchronize security issues detected by RIPS with your existing Jira issues so you can track and collaborate on software bugs in a single place.

Jira Software

Jira Software is a proprietary product developed by Atlassian that is the most widely known issue and project management tool. One of the core values is to help teams and organizations to track and manage software development tasks within issue tickets. The issue types, priorities, and workflows can be fully customized to the requirements of each individual team in the organization. Jira is tightly integrated with other products from the Atlassian shelve, such as BitBucket and Bamboo. We already offer an integration for BitBucket and Bamboo that enables continuous integration of our best-in-class security analysis into your existing workflow. Extending our repertoire in the Atlassian Marketplace with a Jira plugin is the next step for a complete workflow integration to ease your daily work.

RIPS Jira Plugin

RIPS is the leading solution for fully automated security analysis of PHP applications. Our new plugin synchronizes RIPS and Jira so that new detected security issues, as well as user-added review labels and comments, stay up-to-date on both instances. After a plugin installation and configuration the following information will be synchronized:

RIPS → Jira

• Detected security issues by RIPS

RIPS ↔ JIRA

• Your review labels
• Your comments

In the following, we have a look how to easily configure and setup the new RIPS Jira plugin.

Configuration

The configuration options are shown in Figure 1. Simply point Jira to your RIPS SaaS server or On-Premises installation and select a specific application that is scanned for security bugs in RIPS. You can then map Jira priorities and RIPS severities, and select the issues categories that should be kept in sync.

After the initial setup, the plugin automatically creates a new issue type (RIPS) and a new workflow that matches the one used by RIPS. No existing workflow or issue type in your Jira will be manipulated.

Additionally, there are three buttons to manage the synchronization:

• Manually trigger a synchronization of the last scan found for the specified application
• Pause or resume the synchronization (in both directions)
• Delete all project associated settings (issues have to be deleted manually)

Issue Display

The display for the RIPS specific issues is customized by the plugin to ensure that almost all information that is available in RIPS is available in Jira as well. You find all important information known from the RIPS UI integrated in the issue panel, in the activity bar, or in the general issue details. Thereby it is not necessary to switch between different solutions and you can fully keep your existing workflow with Jira.

The RIPS issue type information will be shown in the panel on the right and contains exactly the same information as the RIPS UI.

Furthermore, two new tabs were added to the activity panel. The first one shows the latest RIPS Issue Summary which describes the issue in detail and displays all relevant lines of code (see Figure 4). The second tab displays the reconstructed exploit context which summarizes how the data from the source will be inserted into the sink (see Figure 5).

This way, you can easily verify security issue directly from your Jira ticket. For further investigation, you can also open the issue in the referenced RIPS UI.

Conclusion

Our new RIPS Jira Plugin allows to fully integrate the scan results of RIPS into Jira. This enables to manage detected security vulnerabilities right next to all other issues and tasks related to your development project in a single place to smoothen your daily workflow. Managing security issues in your team will be easier and fixes can be coordinated quicker.

You can find more information and an installation guide on our documentation page. The plugin will be released on the Atlassian Marketplace soon and is already available through our file server.

Update 2018-09-19

The plugin is now available through the Atlassian Marketplace.