How can we create a Jira ticket from within SonarQube regarding a specific issue (i.e. a new vulnerability or security hotspot) in SonarQube that concerns a SonarQube user?
We do not want to create Jira tickets for all SonarQube issues that are found
We want Jira tickets to be created at the prompting of a user
Alternatively, what support does SonarQube have for Jira? I suspect any kind of “display everything in Jira” is an anti-pattern, and I hope this description helps explain why we’re not trying to accomplish displaying everything in Jira. The end goal is for our Security team to be able to review developer flagged false positives as tickets in Jira that point to SonarQube issues, review justification, and have an auditable, reportable, trackable dialog.
I believe we may be able to achieve something similar by tagging individual issues in SonarQube as “security-review” (or another reasonably descriptive tag), and having the developer leave a comment on the issue as to why. However, this forces our audit trail to exist within SonarQube (but we’ve found tracking by tags over time to be inaccurate), forces discussions to be had within SonarQube, and ultimately leaves us in a much more complicated process / workflow.
Alternatively, we can allow developers in SonarQube to administer issues, but we would only want this if we can’t find a better approach.
We used to directly expose endpoints that would let you do this sort of thing. But we removed them a long time ago because our experience showed that in the end it just didn’t lead to useful outcomes. (E.G. creating a ticket for every issue.)
I agree that this gets complicated, but I don’t think it’s any more complicated than it would be with Jira in the mix since you’d still be faced with trying to match between the Jira ticket and the issue.
Tags may be a good starting point in the communication. The auditor can filter on the tag to find new issues to look at, then
create the Jira ticket
comment the issue with the ticket number
diagnose the issue and update the Jira ticket with the reasoning
mark the issue FP/WF, or not
remove the tag
Alternately, you could put an automation in the middle to find the issues, create the Jira tickets, assign them to the auditors, and comment the issues. That could work either with tags or by giving the developers issue admin (the rights to mark FP/WF).
Note also that there’s a project-level notification you can subscribe to for issues newly marked FP/WF.