Sonatype Nexus IQ and Atlassian Jira can communicate through the use of webhooks. You can now more tightly integrate security vulnerability mitigation to your software development lifecycle.
Thought you could escape detected vulnerabilities by never leaving your Kanban board? Think again!
By integrating Sonatype’s Nexus to Jira, a Nexus IQ security policy evaluation will automatically generate a Jira issue in the project of your choosing.
How does it work?
The integration consists of the following stages (we’ll go into more detail below):
- installing the Jira plugin and connecting it to your Nexus IQ server
- giving your Nexus IQ policy evaluation a webhook notification action
- enabling the integration in your Jira project.
Installing the Jira plugin
You can find the Nexus IQ for Jira add-on in the Atlassian marketplace. If you have the necessary permissions to install add-ons, you can go ahead and download it to your Jira server.
Here’s what the Nexus IQ add-on looks like in the Jira marketplace
The settings for the add-on live in the applications tab of the administration pages. You’ll find three different settings areas: one for actually configuring the connection to Nexus IQ, and two areas showing what kind of information the plugin has successfully pulled from your Nexus IQ server, namely applications and organizations.
In the Jira configuration area you’ll have all the information you need to create a connection between Nexus IQ and Jira. After this you can move on to configuring the conditions that will trigger a webhook.
Nexus IQ Policy: Webhook notification action
Let’s say I would like to get Jira tickets for violations that happen in the staging and release branches. I will edit my custom policy to only fail builds and send notifications if the code is in the build or release stage. After setting the action parameters I enabled the webhook to those same stages.
The configuration screen for policies in Nexus IQ
To the Kanban Board
Let’s go back to Jira. I opened the project that I’d like to enable the webhook issue creation to. I chose ‘bug types’ for these Nexus IQ issues. It’s important to add a label to all tickets. A helpful name like – Nexus-IQ – is great for this purpose.
To ensure maximum visibility and minimum annoyance, we will use swimlanes in our Kanban board to separate the Nexus IQ reports from basic development tickets, while still keeping them visible.
The example Kanban board with swim lanes for Nexus IQ issues
And to show you what the final result looks like, here is a ticket created from a demo run:
An expanded view of an issue generated by Nexus IQ
I’ve walked you through the general steps needed to enable the integration between Nexus IQ and Jira.
Visit the official documentation page for more detail if need be: https://help.sonatype.com/integrations/nexus-iq-for-jira
Published: Sep 13, 2019
Updated: May 26, 2021
