New flag request: --canAutoPR #182

Closed
rgooler-bighealth opened this issue Nov 22, 2022 · 1 comment
@rgooler-bighealth
When trying to use the --isUpgradeAvailableOnly flag to try to only create Jira tickets for fixable problems, I hit the issue of tickets with fixes not being created.

Upon checking the API, I found that the reason was simple: tickets with patches available had isUpgradable set to False, but isFixable set to true.

Suggestion: To prevent breaking things for customers depending on the current implementation of --isUpgradeAvailableOnly, create a second flag (optimally incompatible with each other) called --canAutoPR which would pass if any of the fixInfo fields are true - which I believe would cover any issue that can have an automated PR generated by snyk.

As far as I can tell, the code to add to is mostly here - but I don't know golang well enough to produce a PR.
https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/jira.go#L247

JSON response from https://app.snyk.io/api/v1/org/$ORG_ID/project/$PROJECT_ID/aggregated-issues:

{
	"issues": [
		{
			"id": "SNYK-PYTHON-DJANGO-2606969",
			"issueType": "vuln",
			"pkgName": "django",
			"pkgVersions": [
				"3.2"
			],
			"priorityScore": 811,
			"priority": {
				"score": 811,
				"factors": [
					{
						"name": "exploitMaturity",
						"description": "Proof of Concept exploit"
					},
					{
						"name": "isFixable",
						"description": "Has a fix available"
					},
					{
						"name": "cvssScore",
						"description": "CVSS 9.8"
					}
				]
			},
			"issueData": {
				"id": "SNYK-PYTHON-DJANGO-2606969",
				"title": "SQL Injection",
				"severity": "critical",
				"url": "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-2606969",
				"identifiers": {
					"CVE": [
						"CVE-2022-28346"
					],
					"CWE": [
						"CWE-89"
					]
				},
				"credit": [
					"Preston Elder",
					"Jacob Davis",
					"Jacob Moore",
					"Matt Hanson",
					"David Briggs",
					"and Danylo Dmytriiev"
				],
				"exploitMaturity": "proof-of-concept",
				"semver": {
					"vulnerable": [
						"[,2.2.28)",
						"[3.0,3.2.13)",
						"[4.0,4.0.4)"
					]
				},
				"publicationTime": "2022-04-11T16:03:04Z",
				"disclosureTime": "2022-04-11T12:17:04Z",
				"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
				"cvssScore": 9.8,
				"cvssDetails": [
					{
						"assigner": "NVD",
						"severity": "critical",
						"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"cvssV3BaseScore": 9.8,
						"modificationTime": "2022-11-08T01:10:40.472234Z"
					}
				],
				"language": "python",
				"patches": [],
				"nearestFixedInVersion": "",
				"isMaliciousPackage": false
			},
			"isPatched": false,
			"isIgnored": false,
			"fixInfo": {
				"isUpgradable": false,
				"isPinnable": true,
				"isPatchable": false,
				"isFixable": true,
				"isPartiallyFixable": true,
				"nearestFixedInVersion": "",
				"fixedIn": [
					"2.2.28",
					"3.2.13",
					"4.0.4"
				]
			},
			"links": {
				"paths": "https://app.snyk.io/api/v1/org/REDACTED/project/REDACTED/history/REDACTED/issue/SNYK-PYTHON-DJANGO-2606969/paths"
			}
		}
	]
}

Reproduction steps:

Create a git repo with a single file, requirements.txt that has the following contents:

django==3.2

Scan the repo with snyk, in an org with jira integration enabled

Try to call this script against that project with the --isUpgradeAvailableOnly flag set
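As an added illustration of the behaviour described above (this is not code from the jira-tickets-for-new-vulns project and not the reporter's), the Go program below loads a trimmed, constructed copy of the aggregated-issues payload quoted in the issue and applies both filters to it: the existing --isUpgradeAvailableOnly semantics keyed on fixInfo.isUpgradable, and the proposed --canAutoPR keyed on any of isUpgradable, isPinnable or isPatchable being true. It also rejects the two flags being set together, as the reporter suggests. The type and function names (FixInfo, FilterOptions, SelectIssues, canAutoPR), the choice of those three fields as the auto-PR-eligible ones, and the second "no fix" issue in the sample are all assumptions made for the example, not the project's API or real Snyk data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SampleResponse is a constructed, trimmed copy of the aggregated-issues payload
// from the issue (the Django finding), plus an invented second issue with no fix
// at all so that both filters have something to drop.
const SampleResponse = `{
  "issues": [
    {
      "id": "SNYK-PYTHON-DJANGO-2606969",
      "pkgName": "django",
      "fixInfo": {
        "isUpgradable": false,
        "isPinnable": true,
        "isPatchable": false,
        "isFixable": true,
        "isPartiallyFixable": true,
        "fixedIn": ["2.2.28", "3.2.13", "4.0.4"]
      }
    },
    {
      "id": "SNYK-EXAMPLE-NOFIX-0000000",
      "pkgName": "example-pkg",
      "fixInfo": {
        "isUpgradable": false,
        "isPinnable": false,
        "isPatchable": false,
        "isFixable": false,
        "isPartiallyFixable": false,
        "fixedIn": []
      }
    }
  ]
}`

// FixInfo mirrors the fixInfo object of the v1 aggregated-issues response.
type FixInfo struct {
	IsUpgradable       bool     `json:"isUpgradable"`
	IsPinnable         bool     `json:"isPinnable"`
	IsPatchable        bool     `json:"isPatchable"`
	IsFixable          bool     `json:"isFixable"`
	IsPartiallyFixable bool     `json:"isPartiallyFixable"`
	FixedIn            []string `json:"fixedIn"`
}

// Issue keeps only the fields the filters need; the rest of the payload is ignored.
type Issue struct {
	ID      string  `json:"id"`
	PkgName string  `json:"pkgName"`
	FixInfo FixInfo `json:"fixInfo"`
}

type AggregatedIssues struct {
	Issues []Issue `json:"issues"`
}

// FilterOptions mirrors the two CLI flags discussed in the issue (hypothetical names).
type FilterOptions struct {
	IsUpgradeAvailableOnly bool // keep only issues with fixInfo.isUpgradable == true
	CanAutoPR              bool // keep only issues where an automated PR could fix them
}

// Validate enforces the mutual exclusion the reporter asked for.
func (o FilterOptions) Validate() error {
	if o.IsUpgradeAvailableOnly && o.CanAutoPR {
		return fmt.Errorf("--isUpgradeAvailableOnly and --canAutoPR are mutually exclusive")
	}
	return nil
}

// canAutoPR is the assumed rule for --canAutoPR: any concrete fix action
// (upgrade, pin, or patch) is enough. Pinning is what the Django sample offers.
func canAutoPR(f FixInfo) bool {
	return f.IsUpgradable || f.IsPinnable || f.IsPatchable
}

// SelectIssues parses the payload and returns the IDs that survive the filters.
func SelectIssues(data []byte, opts FilterOptions) ([]string, error) {
	if err := opts.Validate(); err != nil {
		return nil, err
	}
	var resp AggregatedIssues
	if err := json.Unmarshal(data, &resp); err != nil {
		return nil, fmt.Errorf("decoding aggregated-issues: %w", err)
	}
	selected := []string{}
	for _, is := range resp.Issues {
		if opts.IsUpgradeAvailableOnly && !is.FixInfo.IsUpgradable {
			continue // this is the path that silently drops the pinnable Django issue
		}
		if opts.CanAutoPR && !canAutoPR(is.FixInfo) {
			continue
		}
		selected = append(selected, is.ID)
	}
	return selected, nil
}

func main() {
	for _, opts := range []FilterOptions{{}, {IsUpgradeAvailableOnly: true}, {CanAutoPR: true}} {
		ids, err := SelectIssues([]byte(SampleResponse), opts)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%+v -> %v\n", opts, ids)
	}
}
```

Running it shows the mismatch the issue describes: with no filter both IDs are listed, with IsUpgradeAvailableOnly the Django finding disappears even though fixedIn is populated, and with CanAutoPR it is kept while the unfixable one is dropped.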

@lili2311
Contributor

Thanks for raising this request. This repository is currently in maintenance mode, where the team is only working on critical bug fixes and accepting open source contributions. One of my colleagues will be making this change and the team will review once ready.

thavelock added a commit to thavelock/jira-tickets-for-new-vulns that referenced this issue Nov 29, 2022
lili2311 pushed a commit that referenced this issue Dec 2, 2022
lili2311 added a commit that referenced this issue Dec 2, 2022
This is to address #182

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>
lili2311 added a commit that referenced this issue Dec 2, 2022
minor: Adding new flag: canAutoPR (#187)

This is to address #182

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>
lili2311 added a commit that referenced this issue Dec 16, 2022
* minor: Adding new flag: canAutoPR (#187)

This is to address #182

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>

* minor: Added DueDate support for creating Jira (#185)

Added the optional flag for the due date built-in flag.
Updated README with instructions

Co-authored-by: Alexandre Vallières-Lagacé <alexandre@circleci.com>

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>
Co-authored-by: Alexandre Vallières-Lagacé <alexandre@circleci.com>
lili2311 added a commit that referenced this issue Dec 16, 2022
RELEASE of (#187)

This is to address #182

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>
lili2311 added a commit that referenced this issue Jun 22, 2023
major: Migrate to REST List Projects API

This is to address #182

Co-authored-by: Troy Havelock <troy.havelock@snyk.io>

* minor: Added DueDate support for creating Jira (#185)

Added the optional flag for the due date built-in flag.
Updated README with instructions

Co-authored-by: Alexandre Vallières-Lagacé <alexandre@circleci.com>

* minor: align urls with the recommended domains and paths (#192)

Switch from:
- `snyk.io/api` to `api.snyk.io`
- `api.snyk.io/api` to `api.snyk.io`
- `snyk.io/vuln` to `security.snyk.io/vuln`
- `api.snyk.io/v3` to `api.snyk.io/rest`

* minor: use public utility container for github releasing tool (#194)
* major: Migrate to REST List Projects API (#199)


---------
Co-authored-by: Jeff B <jeff.b@runbox.com>
Co-authored-by: Troy Havelock <troy.havelock@snyk.io>
Co-authored-by: Alexandre Vallières-Lagacé <alexandre@circleci.com>
Co-authored-by: Jérémy Lourenço <jeremy.lourenco@snyk.io>
Co-authored-by: aarlaud <antoine@snyk.io>
Co-authored-by: Jeff B <jeff.b@runbox.com>