Ensuring the security of written code is a central concern of DevSecOps.
Sonarqube is one of the most widely used code scanning tools. To be managed effectively by the team, its findings need to be integrated with issue trackers such as Jira.
In this article, we explain how Sonarqube issues can be created automatically as Jira issues, labelled as bug, vulnerability or code smell. We wrote a middleware in Python that uses the Sonarqube Web API and the Jira Cloud REST API.
Our overall algorithm is as follows:
Fetch active issues from Sonarqube
Fetch active issues from Jira
Check whether the Sonarqube issue already exists in Jira
If so, update the Jira issue.
Otherwise, create a new Jira issue.
Get All Issues From Sonarqube
We send a GET request to the /api/issues/search endpoint to retrieve all issues from Sonarqube. It returns JSON, which we parse before use.
Check and Create Jira Issues
We need to define which fields we want to take from the returned JSON and transfer them to Jira. The script also checks whether the Sonarqube issue has already been created in Jira.
Post Issues to Jira
We used the following Jira REST API endpoint to create issues:
To access Jira projects, you need to create an authentication token and send it with every request. In the script, we used HTTP Basic Authentication. You may also need to grant appropriate permissions to the user the token was created for (e.g. permission to manage issues).
To store the name of the external issuer (Sonarqube) and the ID of the external issue, we created two custom fields in our Jira project. The Jira API's response JSON contains several keys starting with "customfield", so we had to work out which of them correspond to our Sonarqube-related fields (here custom_field10058 and custom_field10056).
After mapping the Sonarqube fields onto the Jira API structure, we are able to create Sonarqube issues in the Jira project.
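The following is an added example, not the article's own middleware: it implements the algorithm above (fetch, de-duplicate on the external-ID custom field, then create or update) against constructed sample responses so it runs offline. The custom field ids are the article's two fields written in Jira's customfield_NNNNN form, the project key "SEC", the issue type "Task" and the sample issues are assumptions, and the endpoint comments name the standard Jira Cloud v3 routes rather than anything taken from the article.

```python
import json

# Jira custom field ids in Jira's customfield_NNNNN form; the article refers to
# them as custom_field10058 (external issuer) and custom_field10056 (external ID).
ISSUER_FIELD = "customfield_10058"
KEY_FIELD = "customfield_10056"
# Sonarqube issue types mapped to Jira labels (Jira labels cannot contain spaces).
LABELS = {"BUG": "bug", "VULNERABILITY": "vulnerability", "CODE_SMELL": "code-smell"}

# Constructed sample of a Sonarqube GET /api/issues/search response (subset of fields).
SONAR_ISSUES = json.loads('''{"issues": [
  {"key": "AX1", "type": "VULNERABILITY", "severity": "CRITICAL",
   "component": "proj:src/app.py", "line": 42, "message": "Hardcoded credentials"},
  {"key": "AX2", "type": "CODE_SMELL", "severity": "MINOR",
   "component": "proj:src/util.py", "line": 7, "message": "Unused variable"}]}''')

# Constructed sample of a Jira search response: AX1 was already synced earlier.
JIRA_ISSUES = json.loads('''{"issues": [
  {"key": "SEC-10", "fields": {"summary": "old summary",
   "customfield_10058": "Sonarqube", "customfield_10056": "AX1"}}]}''')


def jira_payload(issue, project_key="SEC"):
    """Build the Jira create/update body for one Sonarqube issue."""
    file_path = issue["component"].split(":", 1)[-1]  # drop the Sonarqube project prefix
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Task"},
        "summary": f"[{issue['severity']}] {issue['message']} ({file_path}:{issue['line']})",
        "labels": [LABELS.get(issue["type"], "unknown")],
        ISSUER_FIELD: "Sonarqube",   # external issuer name
        KEY_FIELD: issue["key"],     # external issue ID used for de-duplication
    }}


def plan_sync(sonar, jira):
    """Return (to_create, to_update): payloads for new issues, and Jira key -> payload
    for issues whose Sonarqube key is already recorded in the custom field."""
    existing = {i["fields"].get(KEY_FIELD): i["key"] for i in jira["issues"]
                if i["fields"].get(ISSUER_FIELD) == "Sonarqube"}
    to_create, to_update = [], {}
    for s in sonar["issues"]:
        payload = jira_payload(s)
        if s["key"] in existing:
            to_update[existing[s["key"]]] = payload   # PUT /rest/api/3/issue/{key}
        else:
            to_create.append(payload)                # POST /rest/api/3/issue
    return to_create, to_update
```

In a live run the two constants would be replaced by the parsed responses of the Sonarqube and Jira search calls, and the returned payloads sent with the authenticated requests described above.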