Synchronize Mend SCA security alerts with Azure Work Items
Project description
Integrate Mend SCA with Azure Work Items
A self-hosted tool that creates and updates Azure Work Items based on Mend SCA Issue Tracking policies.
The tool is deployed within an Azure Pipeline triggered on fixed intervals by a cron schedule.
It utilizes Mend's Issue Tracking API to identify the Mend SCA projects that were modified since the last execution, obtain the list of policy matched issues for each of them and create or update the corresponding Work Item.
Table of Contents
- Supported Operating Systems
- Prerequisites
- Planning Your WorkItems Setup
- Azure DevOps Setup
- Mend SCA Setup
- Azure Pipeline Variables
- Custom Field Mapping
Supported Operating Systems
- Linux: CentOS, Debian, Ubuntu
- Windows: 10, 2012, 2016
Prerequisites
- Python 3.9+
- Azure DevOps Services instance
- Azure DevOps service user Personal Access Token (PAT) with Read & write permissions for both "Work Items" and the "Project and Team" scopes on any organization where you want to run the integration.
- Azure DevOps service user added to a group with the following permissions in the project: Create tag definition, Manage project properties and View permissions for this node
- The user needs to be added to the team for each area path you wish to create work items for.
- Mend SCA Issue Tracking policies
- Mend SCA service user with associated with a role assignment of either Organization Administrator or Organization Auditor
Planning your Work Items Setup
The Mend Work Items integration has the flexibility for creating work items with granularity. Before setting up the integration, make sure you have a clear understanding of which projects and/or products should have work items created. The below list specifies where you should place the mend-azure-wi-sync.yml
file in step 2 below for proper implementation
- If only a single repository should have work items created, then add the example pipeline file to the specific repository where you want workitems created. In this type of implementation, you want to make sure that
MEND_PROJECTTOKEN
is set appropriately - If a full project, or more than one repository inside of a project need Work Items created, then create a new repository where the pipeline file will live. In this type of implementation, you can use a combination of
MEND_PRODUCTTOKEN
andMEND_EXCLUDETOKEN
to exclude certain projects inside of a product - If your full Mend organization needs work-items created, then it is recommended to create a separate repository for the pipeline. In this type of implementation, leaving both
MEND_PRODUCTTOKEN
andMEND_PROJECTTOKEN
empty, and usingMEND_EXCLUDETOKEN
to exclude projects where needed is advised
See Azure Pipeline Variables for details.
Azure DevOps Setup
- Create a Personal Access Token (PAT) with Read & write permissions for the Work Items scope and Project and Team scope
- Create a new Azure pipeline from the example file examples/mend-azure-wi-sync.yml
- Make sure the user you created the PAT for has the following permissions in each repository where workitems are needed: Create tag definition, Manage project properties and View permissions for this node
- Set up the appropriate environment variables/secrets for the pipeline. The minimum requirements for these variables are:
MEND_URL
,MEND_USERKEY
,MEND_APIKEY
,MEND_AZUREPAT
, andMEND_RESET
. We recommend also settingMEND_PRODUCTTOKEN
,MEND_PROJECTTOKEN
, and/orMEND_EXCLUDETOKEN
as detailed above. TheMEND_RESET
variable should be configured to allow users to override its value - For your first scan, the integration requires
MEND_RESET
to be true for initial workitem creation. For all other scans, this variable can be set to false
Mend SCA Setup
Set up a policy with Issue action for each use case you wish a Work Item to be created for.
The naming convention should include, other than a self explanatory description of what the policy does, a square-bracketed prefix, either [License]
or [Security]
.
NOTE: Refer to the Mend SCA documentation for detailed instructions on how to create new policies.
For best practices concerning desigining your policy scheme, refer to Best Practices for Mend SCA Policies
Azure Pipeline Variables
The following variables can be placed into the pipeline where the integration is run, to configure its behavior:
Variable | Type | Required | Default | Description |
---|---|---|---|---|
MEND_URL |
string | Yes | N/A | Mend server URL |
MEND_USERKEY |
secret | Yes | N/A | Your Mend User Key |
MEND_APIKEY |
secret | Yes | N/A | Mend Organization API Key |
MEND_AZUREPAT |
secret | Yes | N/A | Azure DevOps Personal Access Token |
MEND_AZUREURI |
string | Yes | N/A | Azure DevOps organization URI (e.g. https://dev.azure.com/MyOrganization ). Accepts the system variable $(System.CollectionUri) |
MEND_AZUREPROJECT |
string | Yes | N/A | Azure Team Project name. Accepts the system variable $(System.TeamProject) |
MEND_PRODUCTTOKEN |
string | No | Empty String (Include all products) |
Comma-separated list of Mend Product Tokens that should be monitored for changes. |
MEND_PROJECTTOKEN |
string | No | Empty String (Include all projects) |
Comma-separated list of Mend Project Tokens that should be monitored for changes. |
MEND_EXCLUDETOKEN |
string | No | Empty String (No exclusions) |
Comma-separated list of Mend Project Tokens that should not be monitored. |
MEND_AZUREAREA |
string | No | $MEND_AZUREPROJECT |
Area Path to group created Work Items under. For example: TeamProject\Area1\SubArea2 or Area1\SubArea2 . Use double-backslashes when specifying sub-areas. |
MEND_AZURETYPE |
string | No | Task | Work Item type for creating new Work Items. Must be one of the built-in or custom types that are available for the project's process. (Basic, Agile, Scrum, etc.) associated with the specified Team Project in the MEND_AZUREPROJECT variable. |
MEND_RESET |
boolean | No | false |
Whether to force Work Item creation for a Mend Projects' full history (rather than just the diff since the last run). Creates work items for the diff when set to false . |
MEND_CUSTOMFIELDS |
string | No* | Empty String (No custom fields) |
Used for mapping additional information from Mend's Issue Policy objects into custom fields of the specified Work Item type ($MEND_AZURETYPE ). See Custom Work Item Types below for syntax guidelines. This variable is required when using custom Work Item types. |
MEND_REPONAME |
string | No* | <Name of Repository> Do not change |
The field contains Repo Name which can be used as value for any Custom field according Custom Fields syntax. See Custom Work Item Types below for syntax guidelines ($MEND_REPONAME ). |
MEND_DEPENDENCY |
boolean | No* | True | Specify whether to create work items based on the dependency (value: True) or based on the CVE (value: False). Typically creates more work items if set to false . |
MEND_DESCRIPTION |
string | No* | <Dependency Information> Do not change |
Used for storing base information about violations and vulnerabilities in specific custom field. See Custom Work Item Types below for syntax guidelines. |
MEND_CALCULATEPRIORITY |
boolean | No* | False | Priority will be calculated according to Mend’s severity (CSS3) value if the value is equal to True. If not, it will be set to 2 (default priority). |
MEND_ALERT |
boolean | No* | True | Whether to include ignored vulnerabilities. Set to false for exclude ignored vulnerabilities. |
NOTE:
azure-wi-sync
would accept all environment variables with eitherMEND_
orWS_
prefix.
Execution
The recommended way to implement this integration, is by having the pipeline run on a cron schedule. We recommend that the cron schedule run on a daily basis, or by your desired frequency. This is demonstrated in the example pipeline file.
schedules:
- cron: "0 */1 * * *"
displayName: Mend SCA Sync Scheduler
branches:
include:
- main
always: true
When the configured pipeline is executed, the integration fetches all the Issue policy matches that were created since the last execution.
Custom Field Mapping
When specifying a custom Work Item type with $MEND_AZURETYPE
, the integration will utilize the Azure API to automatically obtain its definition.
The "issues": []
objects returned by the fetchProjectPolicyIssues API response will be used to populate the corresponding Work Item fields. However, you can choose to use the MEND_CUSTOMFIELDS
variable to populate additional information into any custom fields of that Work Item, if its type has any of those.
Setting the Custom Fields Variable
The MEND_CUSTOMFIELDS
variable accepts a string that is a semi-colon separated list of key-value pairs in the format of FieldName::StaticValue
or FieldName::MEND:MappedValue
. More than one mapped value can be placed into a custom field by concatenating them with "&" like: CustomField:MEND:MappedValue&MEND:MappedValue
The field name directly corresponds to the "name" property data returned in the API "WorkItemTypeFieldInstance", whereas the mapped value directly corresponds to the API Response for Mend's "fetchProjectPolicyIssues". Please refer to the response example in the API documentation for an example of what you can parse, or you can run the API itself to get real data.
NOTE: If the definition of the specified Work Item type (
$MEND_AZURETYPE
) includes any fields that are set up as mandatory ("alwaysRequired": true
), you must also useMEND_CUSTOMFIELDS
to map values to those fields.
Guidelines
- The value of
MEND_CUSTOMFIELDS
should be a quoted string (single or double quotes) - The string should contain all the desired
Key::Value
mapping pairs, separated by semicolons (;
) - The
Key
of each pair should be the name of the Work Item field (thename
property, AKA "friendly name". See WorkItemTypeFieldInstance for details) - The value can contain a dot-separated JSON path of the desired property from the
fetchProjectPolicyIssues
response, prefixed by the namespaceMEND:
(case sensitive) - The process iterates through the objects under the
"issues": []
array of thefetchProjectPolicyIssues
response, so anyMEND:
values must be from under that object. Values cannot include JSON paths for other properties from outside"issues": []
- The value can also contain custom text, either dynamic (using pipeline variables) or static
- The value can combine multiple parts, both
MEND:
proeprties and/or free text. Parts should be delimited by an ampersand (&
) - If you plan to use the
MEND_REPONAME
orMEND_DESCRIPTION
variables then you can add this to a custom field with$MEND_REPONAME
or$MEND_DESCRIPTION
Syntax
env:
...
MEND_AZURETYPE: 'SCA Issue'
MEND_CUSTOMFIELDS: 'Field 1::MEND:path.to.property1;Field 2::MEND:property2& Free Text &MEND:property3;Field 4::$MEND_REPONAME'
Examples
All the following examples assume a custom Work Item type named SCA Issue, which was configured to inherit fields from the Bug Work Item of the Agile process flow.
Example 1
Populating the Work Item's custom fields Issue Type and Issue Reference with the vulnerability's type and identifier (name):
env:
...
MEND_AZURETYPE: 'SCA Issue'
MEND_CUSTOMFIELDS: 'Issue Type::MEND:policyViolations.vulnerability.type;Issue Reference::MEND:policyViolations.vulnerability.name'
Example 2
Populating the Work Item's custom field Team Comments with the initial text:
Mend policy name: POLICY_NAME (scope: POLICY_SCOPE)
env:
...
MEND_AZURETYPE: 'SCA Issue'
MEND_CUSTOMFIELDS: 'Team Comments::Mend policy name: &MEND:policy.name& (scope: &MEND:policy.policyContext&)'
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file mend_azure_wi_sync-23.7.1.4-py3-none-any.whl
.
File metadata
- Download URL: mend_azure_wi_sync-23.7.1.4-py3-none-any.whl
- Upload date:
- Size: 25.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | c0a83f9d89306094ebe5433b34437fc1d125d890c710513d8eea149a4bc9d040 |
|
MD5 | 51be1610c7005503ad3bb4737bd5962b |
|
BLAKE2b-256 | 5bd546824fedca50c3e3ec594339f2baf80588b4fe1e5e56a1fd34725ad20873 |