Feedback Request: Security Requirements for Cloud Apps

Hi @danielwester,

This would let us explain to customers why other application types (such as standalone apps using OAuth).

Sure, we will link supporting documentation on the DAC page.

Just a bit of a nitpick here - but why is #10 ("An application must not collect or store credentials belonging to Atlassian user accounts such as user passwords or user API tokens.") under Privacy? Especially since the linked document doesn't talk about user credentials.

It was added under Privacy due to its impact on unintended access to cross-product (Jira/Confluence/JSM) data. Atlassian API keys are not scoped and allow similar access to product REST APIs that user credentials provide. The link was provided as a reference to general privacy guidelines.

For the Forge scopes - I'm a bit confused. The granular scopes are on hold according to Action required: Update scopes for Forge and OAuth 2.0 (3LO) apps - should those sections be removed?

I understand and apologize for the confusion on this topic in general. Our intent for this requirement is to make sure apps are not asking for more than what they need, regardless of what's made available to them by Atlassian. So when an app just needs read access, it must not ask for write access. Though Forge granular scopes are paused for now, the original intent remains the same, i.e., do not ask for scopes that are not needed for the app's functionality. The timing here is really unfortunate, with granular scopes being paused and the security requirements talking about scopes - but the objective holistically is about requesting only the required scopes.
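As an added illustration of the "request only what you need" point above (this is not part of the original thread, nor an Atlassian-published sample), the following Forge manifest.yml fragments show an over-requested scope set next to the minimal one for an app that only displays issue data. The two documents are separated with `---`; `read:jira-work` and `write:jira-work` are the classic Jira scopes a Forge app declares under `permissions.scopes`, and the "before"/"after" split is mine.

```yaml
# Before (added example): the app only reads and renders issue fields,
# yet it also asks for write access it never uses.
permissions:
  scopes:
    - read:jira-work
    - write:jira-work   # not justified: no code path creates or edits issues
---
# After (added example): the scope list matches the app's actual behaviour.
permissions:
  scopes:
    - read:jira-work
```

A practical self-check before adding a scope: look at the HTTP methods the app's `@forge/api` calls (`api.asApp().requestJira(...)` / `api.asUser().requestJira(...)`) actually use. If none of them are POST, PUT or DELETE, a write scope has no functionality behind it and should be dropped from the manifest.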

Hi @kazimir_io ,

This once more brings up the question of what we should do about Atlaskit libraries that are essential to the apps and are too complex to DIY for vendors, but Atlassian refuses to officially support, e.g. the editor and jql-editor libraries. They have had a "high" vulnerability in the dependency tree for over a year now, due to an outdated styled-components library dependency.

NPM packages published under the Atlaskit scope are officially maintained and supported by Atlassian. We scan Atlaskit packages (and other Atlassian Frontend packages published to NPM under the Atlaskit scope) for vulnerable versions of third-party libraries and dependencies on a daily basis. We track these vulnerabilities and address them as per our internal priority scores. We are interested in knowing about the unpatched "high" severity vulnerability you mentioned and we are happy to address it if you can raise a support ticket with us and provide more details on your finding.