Configure DAST or SAST Settings

Select Configure DAST Settings or Configure SAST Settings to set your default reporter and assignee, map assets or groups to JIRA® projects, and map ticket priority to WhiteHat Dynamic ratings. The settings for each are broadly comparable, but some specifics will be called out where relevant.

  1. To configure DAST or SAST settings, select Enable DAST integration or Enable SAST integration.

    Until the radio button is set to Yes, no other configuration options will be available.
    [Screenshot: config dast jira plugin 1]
  2. Select the Yes radio button. The configuration settings then appear, which allow you to:

    • Set the default Reporter for JIRA® tickets generated by the plugin

    • Set the default Assignee for JIRA® tickets generated by the plugin based on asset-and-project combinations

    • Map Vulnerability Ratings to JIRA® Priorities

    • Configure JIRA® Tickets

Basic Configuration

The screenshots below show the screen for selecting Sites when configuring DAST. If you are configuring SAST, you select Applications instead.
  1. Type the name or email of your default reporter in the search bar provided and then select your default reporter.

    [Screenshot: config dast jira plugin 2]
  2. Set the default JIRA® assignee for a given asset (site or application) and its associated JIRA® project. (This maps the asset to the JIRA® project in question.) To set default assignees by group rather than by asset, select the Sentinel Groups radio button; all assets in the group are then associated with the selected JIRA® project.

  3. Select the asset from the list of Sentinel sites.

  4. Select a project from the Projects list to assign.

  5. Type the name or email of your default assignee in the search bar provided and then select them from the list.

  6. To create additional default assignees and asset-to-project mappings, click on Add.

Only one user can be selected as the default reporter in JIRA®, and only one user can be set as the default assignee for any given asset-to-project mapping. If Unassigned is selected for the Username field, any tickets generated will use the default assignee configured for that JIRA® project.

Reporter Permissions Required

A reporter must have the following privileges for the project:

  • Assign Issue

  • Close Issue

  • Create Issue

  • Edit Issue

  • Modify Reporter

  • Resolve Issue

  • Transition Issue

  • Comment Issue

If you attempt to set as reporter a user who does not have these permissions for the project in question, you will receive an error message.

Mapping Vulnerability Ratings to JIRA® Priorities

Vulnerability ratings for Source (SAST) vulnerabilities will all automatically use the WhiteHat Advanced Rating Methodology, which is based on OWASP ratings. Vulnerability ratings for Dynamic (DAST) Vulnerabilities may use either the WhiteHat Advanced Rating Methodology or the Legacy Methodology.

  1. Select the vulnerability rating methodology to use for the DAST configuration.

    [Screenshot: config dast jira plugin 3]

    For more information on choosing Legacy Ratings or Advanced Ratings, see Understanding the Rating Methodologies.

  2. The default mapping will associate the most severe rating with the highest JIRA® priority. You can change this mapping using the drop-down lists.

  3. Select the vulnerability ratings that should (checked) or should not (unchecked) be used to create JIRA® tickets.

    In the configuration shown, JIRA® tickets are created for vulnerabilities rated Critical, High, or Medium: Critical vulnerabilities receive the Highest JIRA® priority, High vulnerabilities receive a JIRA® priority of High, and Medium vulnerabilities receive a JIRA® priority of Medium. No JIRA® tickets are created for vulnerabilities rated Low or Note. It is also possible to limit which vulnerabilities result in JIRA® tickets based on the Sentinel tags associated with the vulnerability.

  4. Click Add under Allow vulnerabilities that have these tags:

    [Screenshot: config dast jira plugin 4]
  5. Type the tag name in the Vuln Tag Name text field.

  6. To remove tags, click on the checkbox next to the tag in question.

If you list any tags here, only vulnerabilities that carry at least one of the listed tags in the WhiteHat Portal will be used to create JIRA® issues; if the list is empty, no tag filtering is applied.
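The following is an added example, not the plugin's own code: a hypothetical Python model of the ticket-creation rules described in this section (which ratings create tickets, the rating-to-priority mapping, and the tag allow-list). The JIRA® priority names, the sample findings, and the default Critical/High/Medium selection are constructed to match the screenshot described above.

```python
# Added example: a hypothetical model of the ticket-creation rules this page
# describes (rating filter, tag filter, rating-to-priority mapping). It is not
# the plugin's own code; the priority names and sample vulns are constructed.
from dataclasses import dataclass, field

# WhiteHat Advanced Rating Methodology ratings, most severe first
RATINGS = ["Critical", "High", "Medium", "Low", "Note"]
# JIRA priorities, highest first (constructed; standard JIRA default names)
JIRA_PRIORITIES = ["Highest", "High", "Medium", "Low", "Lowest"]

def default_priority_mapping():
    """Default mapping: the most severe rating gets the highest JIRA priority."""
    return dict(zip(RATINGS, JIRA_PRIORITIES))

@dataclass
class TicketConfig:
    """Mirrors the page's options: which ratings create tickets, which
    priority each rating maps to, and an optional allow-list of vuln tags."""
    priority_map: dict = field(default_factory=default_priority_mapping)
    enabled_ratings: set = field(default_factory=lambda: {"Critical", "High", "Medium"})
    allowed_tags: set = field(default_factory=set)  # empty set = no tag filtering

def ticket_priority(vuln, config):
    """Return the JIRA priority a ticket for `vuln` should get, or None when
    the configuration says no ticket should be created.
    `vuln` is a dict with a 'rating' string and a 'tags' list."""
    rating = vuln["rating"]
    if rating not in config.priority_map:
        raise ValueError(f"unknown rating {rating!r}")
    if rating not in config.enabled_ratings:
        return None  # e.g. Low and Note are unchecked by default
    # With an allow-list, at least one of the vuln's tags must be listed
    if config.allowed_tags and not config.allowed_tags.intersection(vuln.get("tags", [])):
        return None
    return config.priority_map[rating]

def plan_tickets(vulns, config):
    """Map each vuln id to its ticket priority, skipping vulns that get no ticket."""
    plan = {}
    for v in vulns:
        prio = ticket_priority(v, config)
        if prio is not None:
            plan[v["id"]] = prio
    return plan

if __name__ == "__main__":
    # Constructed sample findings: only v1 passes both the rating and tag filters
    sample = [{"id": "v1", "rating": "Critical", "tags": ["prod"]},
              {"id": "v2", "rating": "Low", "tags": ["prod"]}]
    print(plan_tickets(sample, TicketConfig(allowed_tags={"prod"})))
```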

Set Vulnerability Viewing Authorizations for Dynamic (DAST) Vulns

You can authorize JIRA® groups to view content from the vulnerabilities discovered via dynamic (DAST) testing, including retest status, notes and tags, and Synopsys Threat Research Center team responses to questions.

  1. Select the relevant radio buttons to configure the type of vulnerability information that is visible to specific groups.

    [Screenshot: config dast jira plugin 5]
  2. Select a group from the Select Groups table.

This information will appear in the summary section of your tickets.

Set Vulnerability Viewing Authorizations for Static (SAST) Vulns

You can authorize JIRA® groups to view content from the WhiteHat Portal vulnerabilities discovered via static (SAST) testing, including notes and tags, and Synopsys Threat Research Center team responses to questions.

  1. Select the relevant radio buttons to configure the type of vulnerability information that is visible to specific groups.

    [Screenshot: config sast jira plugin 5]
  2. Select a group from the Select Groups table.

This information will appear in the summary section of your tickets.

Configure JIRA® Tickets

  1. To import closed vulnerabilities, select the Import closed vulnerabilities checkbox.

    [Screenshot: config dast jira plugin 6]
  2. To customize the ticket summary, select the Customize ticket summary checkbox.

  3. To customize the ticket description, select the Customize ticket description checkbox.

  4. Optionally, to see the available customization parameters, select the checkbox next to See Customization Parameters.

    [Screenshot: config dast jira plugin 7]
  5. When you have configured the DAST or SAST settings to your preferences, click Save.

If you’ve set a Custom Asset ID for this site or application (from the Overview tab in the WhiteHat Portal), it will appear as a field in the ticket Details.