Inspiration
Running static analysis tools (SAST) such as OWASP Dependency-Check in CI/CD pipelines is a great way to stay informed about security vulnerabilities that might be introduced into a custom software project through the software bill of materials (SBOM) underlying it.
Sometimes, however, it can be difficult for a human developer to parse the OWASP Dependency-Check reports in order to correctly prioritize findings, much less figure out what steps to take to correct a given security vulnerability.
Our 'Jira Smart Dependency Checker' was born from our experience trying to correct security vulnerabilities identified in the SBOM, in the hope that Jira APIs and AI could help make the process faster, easier and simpler.
What it does
The 'Jira Smart Dependency Checker' parses an OWASP Dependency-Check JSON report, pulls out the identified security vulnerabilities, retrieves the associated CVE identifiers and summaries from the NIST NVD website, sends those summaries to ChatGPT in a prompt requesting further clarification and mitigation steps, and then lets the developer automatically create a Jira ticket containing all of this information.
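The first and last steps of that workflow (turning a Dependency-Check report into a prioritized, de-duplicated list of CVEs and rendering it as a ticket body) are shown below as an added example; it is not the project's own code. The report is constructed sample data with placeholder CVE ids, and the NVD lookup and ChatGPT call are left out, so the mitigation text is passed in by the caller.

```javascript
// Constructed sample shaped like an OWASP Dependency-Check JSON report
// (placeholder CVE ids and component names; not a real scan).
const SAMPLE_REPORT = {
  dependencies: [
    { fileName: "example-web-1.2.3.jar", vulnerabilities: [
      { name: "CVE-1900-00001", severity: "HIGH", cvssv3: { baseScore: 8.1 },
        description: "Constructed: deserialization flaw in request handling." },
      { name: "CVE-1900-00002", severity: "MEDIUM", cvssv2: { score: 5.0 },
        description: "Constructed: information disclosure via error page." } ] },
    // The same CVE reported against a second jar must be merged, not duplicated.
    { fileName: "example-util-0.9.0.jar", vulnerabilities: [
      { name: "CVE-1900-00001", severity: "HIGH", cvssv3: { baseScore: 8.1 },
        description: "Constructed: deserialization flaw in request handling." } ] },
    { fileName: "clean-lib-4.0.0.jar" }, // no vulnerabilities key at all
  ],
};

const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

// Prefer the CVSS v3 base score, fall back to v2, else 0 for unscored entries.
function scoreOf(vuln) {
  return vuln.cvssv3?.baseScore ?? vuln.cvssv2?.score ?? 0;
}

// One entry per CVE with every affected component, highest score first.
function extractFindings(report) {
  const byCve = new Map();
  for (const dep of report.dependencies ?? []) {
    for (const vuln of dep.vulnerabilities ?? []) {
      const entry = byCve.get(vuln.name) ?? {
        cve: vuln.name, severity: (vuln.severity ?? "UNKNOWN").toUpperCase(),
        score: scoreOf(vuln), description: vuln.description ?? "", components: [],
      };
      entry.components.push(dep.fileName);
      byCve.set(vuln.name, entry);
    }
  }
  return [...byCve.values()].sort((a, b) =>
    b.score - a.score
    || (SEVERITY_RANK[b.severity] ?? 0) - (SEVERITY_RANK[a.severity] ?? 0)
    || a.cve.localeCompare(b.cve));
}

// Render the Jira ticket body. `mitigations` maps a CVE id to the text the app
// would obtain from the NVD summary and ChatGPT prompt; here the caller supplies it.
function buildJiraDescription(findings, mitigations = {}) {
  return findings.map((f) =>
    `${f.cve} (${f.severity}, CVSS ${f.score})\nAffected: ${f.components.join(", ")}\n` +
    `${f.description}\nMitigation: ${mitigations[f.cve] ?? "pending review"}`).join("\n\n");
}
```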
How we built it
We built the 'Jira Smart Dependency Checker' to run 100% in the Atlassian Cloud (apart from the ChatGPT calls and data calls to an S3 bucket), using the Forge API and UI, cheerio, and the openai APIs.
Challenges we ran into
The biggest problem is the 25-second HTTP timeout.
Accomplishments that we're proud of
Testing the MVP to see if the CVE mitigation workflow could make a developer's life easier and actually submitting working code to the hackathon.
What we learned
- How to use the Atlassian Forge CLI, API, and UI to make a Jira app.
- How to use the OpenAI Node API to send completion prompts.
- How a Forge app behaves in the Atlassian Cloud.
What's next for Jira Smart Dependency Checker v0.4.3
- Re-do the architecture to avoid the Atlassian Cloud 25-second HTTP timeouts
- Perhaps turn the MVP into a fully functional Application in the marketplace