Hi All,
I’ve been trying to talk to the https://developer.atlassian.com/cloud/jira/software/rest/api-group-security-information/#api-group-security-information API.
I’ve created a simple Atlassian Connect app that I have registered into the Jira cloud. I have specified the “jiraSecurityInfoProvider”.
"modules": {
"jiraSecurityInfoProvider": {
"homeUrl": "<baseUrl>",
"key": "vulnerability-connect-test",
"name": {
"value": "Vulnerability Connect"
},
"actions": {
"fetchWorkspaces": {
"templateUrl": "<baseUrl>/workspaces"
},
"fetchContainers": {
"templateUrl": "<baseUrl>/containers"
},
"searchContainers": {
"templateUrl": "<baseUrl>/containers/search"
}
}
}
}
I have gotten the metadata from the install webhook. That contains the clientKey and sharedSecret.
I’ve been trying to use the atlassian-jwt-js library (NPM atlassian-jwt). The POST payload for the /rest/security/1.0/bulk
is a JSON blob that contains nested objects and an object array. For a payload example, see “POST Submit Vulnerability data” on that previously mentioned API reference.
I’ve been using the jwt.fromMethodAndPathAndBody
function. This looks to be working fine.
The function I’ve been having issues with the jwt.createQueryStringHash
function. In the function call stack, you end up in a function canonicalizeQueryString
. Passing the output from jwt.fromMethodAndPathAndBody
into the first parameter and true
into the second parameter, in theory, it’s meant to work.
I’ve identified that during the for loop, it doesn’t handle objects or object arrays correctly, which is what that payload has. I believe I’ve fixed those by directly changing the code in the node module. Currently, I’ve got it set to object arrays, grab all the keys from the object, sort them, encode in RFC9686 and join on comma. The object works the same way.
I’m stuck here. I’m still getting 401s on my request, so I don’t know if something else is wrong or if this QSH is incorrect. In the documentation for the Query String Hash (developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#creating-a-query-string-hash), in step 5, Compute canonical query string, there’s mention of “Include all the post data in payload if it is a POST request.” This seems ambiguous to me.
Can someone explain to me how the nested objects and object arrays should be handled? As the JS library the values end up as [Object object]
before the hashing.
Does anyone have an example of using the security information API, so that I can use it as a reference?
Am I using the correct API or is there a different API I should be using>
If you have any other ideas, I’ve come to a bit of a loss now.
Cheers,
Sam