Send security information to Jira Software and enable your teams to turn unplanned vulnerabilities into planned and tracked work.

Security is everyone's responsibility, and the security feature in Jira lets you triage and track relevant vulnerabilities as a team. Discuss and prioritise issues, minimise errors and duplication, and plan security work to complete in your sprints.

APIs related to integrating Security information with Jira Software are available to Atlassian Connect apps. To use these APIs you must have a security info provider module in your Connect app's descriptor. See https://developer.atlassian.com/cloud/jira/software/modules/security-information/.

These APIs are available to Forge apps with the devops:securityInfoProvider module in the Forge app's manifest. See https://developer.atlassian.com/platform/forge/manifest-reference/modules/jira-software-security-info/.

Hierarchy

  • CommonHttpService
    • SecurityInformationService

Constructors

  • Internal

    Create a new instance of the service.

    Parameters

    • getClientInstance: (() => CommonHttpClient)
        • (): CommonHttpClient
        • Returns CommonHttpClient

    Returns SecurityInformationService

Methods

  • Bulk delete all linked Security Workspaces that match the given request.

    e.g. DELETE /bulk?workspaceIds=111-222-333,444-555-666

    Parameters

    • params: {
          authorization: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

    Returns Promise<void>

  • Bulk delete all Vulnerabilities that match the given request.

    One or more query params must be supplied to specify Properties to delete by. If more than one Property is provided, data will be deleted that matches ALL of the Properties (e.g. treated as an AND). Read the POST bulk endpoint documentation for more details.

    e.g. DELETE /bulkByProperties?accountId=account-123&createdBy=user-456

    Deletion is performed asynchronously. The GET vulnerability endpoint can be used to confirm that data has been deleted successfully (if needed).

    Parameters

    • params: {
          authorization: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

    Returns Promise<void>

  • Delete the Vulnerability data currently stored for the given ID.

    Deletion is performed asynchronously. The GET vulnerability endpoint can be used to confirm that data has been deleted successfully (if needed).

    Parameters

    • params: {
          authorization: string;
          vulnerabilityId: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read Understanding JWT for more details about Connect JWT tokens.

      • vulnerabilityId: string

        The ID of the Vulnerability to delete.

    Returns Promise<void>

  • Retrieve a specific Security Workspace linked to the Jira site for the given workspace ID.

    The result will be what is currently stored, ignoring any pending updates or deletes.

    Parameters

    • params: {
          authorization: string;
          workspaceId: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

      • workspaceId: string

        The ID of the workspace to fetch.

    Returns Promise<SecurityWorkspaceResponse>

    The Security Workspace information stored for the given ID.

  • Retrieve all Security Workspaces linked with the Jira site.

    The result will be what is currently stored, ignoring any pending updates or deletes.

    Parameters

    • params: {
          authorization: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

    Returns Promise<SecurityWorkspaceIds>

    A list of all stored workspace IDs.

  • Retrieve the currently stored Vulnerability data for the given ID.

    The result will be what is currently stored, ignoring any pending updates or deletes.

    Parameters

    • params: {
          authorization: string;
          vulnerabilityId: string;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read Understanding JWT for more details about Connect JWT tokens.

      • vulnerabilityId: string

        The ID of the Vulnerability to fetch.

    Returns Promise<VulnerabilityDetails>

    The Vulnerability data currently stored for the given ID.

  • Update / Insert Vulnerability data.

    Vulnerabilities are identified by their ID, any existing Vulnerability data with the same ID will be replaced if it exists and the updateSequenceNumber of the existing data is less than the incoming data.

    Submissions are performed asynchronously. Most updates are available within a short period of time but may take some time during peak load and/or maintenance times. The GET vulnerability endpoint can be used to confirm that data has been stored successfully (if needed).

    In the case of multiple Vulnerabilities being submitted in one request, each is validated individually prior to submission. Details of Vulnerabilities that failed submission (if any) are available in the response object.

    A maximum of 1000 vulnerabilities can be submitted in one request.

    Parameters

    • params: {
          authorization: string;
          submitVulnerabilitiesRequest: SubmitVulnerabilitiesRequest;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

      • submitVulnerabilitiesRequest: SubmitVulnerabilitiesRequest

        Vulnerability data to submit.

    Returns Promise<SubmitVulnerabilitiesResponse>

    Submission accepted. Each Vulnerability submitted in a valid format will eventually be available in Jira.

    Details of any Vulnerabilities that were submitted but failed submission (due to data format problems, etc.) are available in the response object.

  • Insert Security Workspace IDs to establish a relationship between them and the Jira site the app is installed on. If a relationship between the workspace ID and Jira already exists then the workspace ID will be ignored and Jira will process the rest of the entries.

    Parameters

    • params: {
          authorization: string;
          submitSecurityWorkspacesRequest: SubmitSecurityWorkspacesRequest;
      }
      • authorization: string

        All requests must be authenticated as an app — either with a Connect JWT token for Connect apps, or with an OAuth 2.0 access token for Forge and OAuth 2.0 apps — that corresponds to the Provider app installed in Jira.

        If the app does not define a security information provider module, or does not have the required scope, the request will be rejected with a 403.

        Read understanding jwt for more details about Connect JWT tokens.

      • submitSecurityWorkspacesRequest: SubmitSecurityWorkspacesRequest

        Security Workspace IDs to submit.

    Returns Promise<void>

  • Method to initialize the class. Normally used to set up validation rules.

    Returns void