Integrating Crowdcontrol with Jira On-Prem

Bugcrowd can be integrated with Jira that is installed on-premise using Crowdcontrol and Jira APIs. The On-Prem Crowdcontrol Jira Integration application performs the integration and the program submissions are created as Jira tickets based on the configuration settings.

You must perform the following:

  1. Configure Jira On-Prem on your system
  2. Install Ruby
  3. Access On-Prem Crowdcontrol Jira integration files
  4. Run bundle command
  5. Update configuration YAML file
  6. Run On-Prem Crowdcontrol Jira integration

Clients must allow list the following IPs. The IPs are a cluster of proxies that provide high availability for outgoing integration requests.IPs:

  • 52.1.126.10
  • 52.86.183.27
  • 52.86.229.29

Port:

  • 443

The port may vary depending on your Jira configuration. The default port used for Jira is 443 SSL / TL. If you have any issues, send an email to support@bugcrowd.com.

Configuring Jira On-Premise

After installing Jira On-Prem on your system, you must configure and start the application. For more information, see Jira documentation.

Installing Ruby

Install Ruby 2.4 or later on your system. Add an argument command to your profile. In case you are using the common ~/.bash_profile, then add the following: echo 'eval "$(rbenv init -)"' >> ~/.bash_profile'

Accessing On-Prem Crowdcontrol Jira Integration Files

To access the On-Prem Crowdcontrol Jira Integration files, send an email to your account manager. After you get access, clone the files to your system.

Running Bundle Command

Run bundle from the cloned repository. All the bundle gems are installed.

Updating Configuration YAML File

The configuration YAML file (config.yml) is required to integrate Crowdcontrol with Jira On-Prem. This file is available in the /config subdirectory.

General Settings

Specify the following general settings:

  • Update frequency: Time to wait (in seconds) between scraping all submissions and child objects before starting again from the top.
  • Download directory: Location of the downloaded files. It can be a relative value or an absolute path.

Crowdcontrol values

Specify the following values for Crowdcontrol:

  • Base URI: Base URL of Crowdcontrol.
  • Crowdcontrol bounty ID: Crowdcontrol bounty ID is the parent key. If you do not know the bounty ID, leave it blank within single quotes and run the bin/start command. The available bounties in Crowdcontrol will be displayed in the following format: (ProgramName => ID) Copy the required ID and paste it as the value for Crowdcontrol bounty ID.
  • Jira project ID: Jira project ID that must map to the bounty ID. To get the Jira project ID, in Jira hover your mouse on the project name to view the project ID. Usually, it is 10000 onwards.
  • Priorities: Crowdcontrol IDs that must be mapped to Jira priority IDs.
  • Issue Type: Issue type ID in Jira that must be used for all submissions.
  • HTTP Authentication Header: Used for connecting to the Crowdcontrol API. Obtain this value from Crowdcontrol application.
  • Submissions per page: Number of submissions to request and process at a time before calling the Crowdcontrol API again. If it is a very high value, the local memory usage may increase. If it is a very low value, may bombard Crowdcontrol API with requests.
  • Submission Types: Submission with the specified states that must be pushed to Jira. For example, push submissions with Unresolved status to Jira.
  • Timestamp format: Format of the ‘created_at’ timestamp in Crowdcontrol notes, which is mapped to the Note created at in Jira comment.
  • Timeout: Set a timeout (in seconds) value for all Crowdcontrol API requests.
  • VRT cache duration: Time (in seconds) required to locally cache (in RAM) the vulnerability rating names. This must be a higher value unless rating names update frequently.

Jira On-Prem values

Provide the following connection details for the Jira API client.

  • Username: User name to log into Jira On-Prem.
  • Password: Password associated with the user name.
  • Site: Link where Jira On-Prem is hosted.
  • Context Path: Jira installation location in the server. Usually, the path is not specified and it is blank.
  • Use SSL: Set it to true if you want to use SSL authentication for connecting Jira to Crowdcontrol. Else, set it to false.

The Read Timeout, Authentication Type, and HTTP Debug values are hardcoded and must not be changed.

Sample config.yml File

The following code provides a sample configuration file.

    #General settings for this script
    general:
      update_frequency: 10
      downloads_directory: 'downloads'

    #Crowd Control API credentials
    crowd_control:
      base_uri: 'https://api.bugcrowd.com/'
      bounties:
        'ce734644-3dc5-45c7-bbe2-9a6500aad1cd':
          project_id: '10000'
          priorities:
            1: '1'
            2: '2'
            3: '3'
            4: '4'
            5: '5'
          issuetype: '10002'
      http_auth_header: 'onaxmjzzkr:grKdykxpXUEL0PnarY_lAwmyrljqHFJwyPsl4M49eaQVKYAJ-Us6-Wezf'
      submissions_per_page: 100
      submission_types:
        - unresolved
      timestamp_format: '%F %T'
      timeout: 10
      vrt_cache_duration: 86400

    # Jira API credentials
    jira:
      username: user.one
      password: userone_10
      site: https://localhost:8080/
      context_path: ''
      read_timeout: 10
      auth_type: :basic
      use_ssl: false
      http_debug: true

Running On-Prem Crowdcontrol Jira Integration

Run bin/start from the cloned repository.

  INFO Sync2Jira::SyncedObject: Connecting to local database
  INFO Sync2Jira::CrowdControl: Fetching vulnerability ratings
  INFO Sync2Jira::Synchronizers::Submission [ID 2]: Creating on Jira

The Jira tickets are created for each Crowdcontrol submission for a program. For example, if you have specified the issue type as Task in the config.yml file, then each submission will be created as Task in Jira.

For any issues with using On-Prem Crowdcontrol Jira Integration, send an email to support@bugcrowd.com.


Onboarding
Account Management
Security Program Management
Engagement Management
Reporting
Submission Management
Integration Management