Issue Assignment

Issues can be manually assigned to issue managers after reviewing vulnerabilities and automatically as soon as the scans or imports are completed. When the checkbox at the top of the screen is checked, users must make two selections.

The first selection relates to the issue manager used in the project (needs to be activated under the Integrations section), and the second selection defines the path where the issues will be opened. It is possible to use a different issue manager for AppSec and infrastructure vulnerabilities in the project.

In the Validation Scan step, the user can opt to run automated validation scans once the issue is marked as closed on the issue manager, to confirm that the vulnerability has actually been fixed.

There are two options to choose from:

  • Run a validation scan each time an issue is closed.
  • Run a validation scan at a specific time each day depending on whether one or more issues have been closed in the last 24 hours.

This configuration is sufficient if issues will be directed to the issue manager after a manual review. To open issues automatically based on specific criteria, both of the following steps need to be completed.

The first step defines the assignee for the issues that will be opened on the issue manager.

When the "Committer when the committer is known." box is checked, Kondukto will first try to assign issues to the committer found on the software development platform. If that attempt fails, the issue will be assigned to the user specified in the field below.

The "Specific user" field indicates the user to whom the issue will be assigned when the committer of the vulnerability is unknown (which is the case for all findings other than SAST and IaC findings). The user needs to be a Kondukto member to appear in the drop-down menu.

If an issue cannot be assigned to the committer or a specific user, Kondukto will try to assign it to the issue responsible selected for the team working on the project. For cases where none of the above is applicable, Kondukto will assign the issue to the owner of the token generated on the issue manager.

In the second mandatory step to open issues automatically, specific criteria can be created to pinpoint the type of vulnerabilities for which issues will be created.

A new modal opens when the "+Add Custom Criteria" button is clicked.

Criteria can be set using OWASP Top-10, PCI Requirement or STRIDE Threat Modeling categories, Severity level, or CWE names or IDs. It is possible to set combined conditions using AND/OR statements. Issue criteria apply to both AppSec and Infra vulnerabilities. However, specific criteria like OWASP Top-10 or CWE are more AppSec oriented and will not apply to most Infra vulnerabilities, which lack this information.

In the example below, issues will be opened for vulnerabilities discovered in the development branch that fall into the OWASP A1 or A2 categories with high or critical severity.

[Figure: Project Settings - Issue Criteria]

When the Save button at the lower right section of the modal is clicked, the modal closes and the issue criteria entered can be seen in the table. Presets entered at a global level can also be added to the project by clicking the Import Global Preset button.
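To make the AND/OR semantics of the criteria concrete, here is an added illustrative evaluator; it is not Kondukto's code, and the data shapes (a finding as a dict, criteria as nested "all"/"any" nodes, the severity ranking) are assumptions made for this example. It encodes the criteria from the example above and also shows why an infrastructure finding without an OWASP category never matches an OWASP-based condition.

```python
"""Illustrative evaluator for AND/OR issue criteria (added example, not Kondukto's code)."""
from __future__ import annotations

# Assumed severity ranking so a "gte" condition can express "high or critical".
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def match_condition(finding: dict, cond: dict) -> bool:
    """Evaluate one leaf condition: {"field": ..., "op": "eq"|"in"|"gte", "value": ...}.

    A finding that lacks the field (e.g. an Infra finding with no OWASP
    category) never matches, which mirrors the note in the text above.
    """
    field = cond["field"]
    if finding.get(field) is None:
        return False
    actual = finding[field]
    op = cond["op"]
    if op == "eq":
        return actual == cond["value"]
    if op == "in":
        return actual in cond["value"]
    if op == "gte":  # severity threshold, compared by rank
        return SEVERITY_ORDER[actual] >= SEVERITY_ORDER[cond["value"]]
    raise ValueError(f"unknown operator {op!r}")


def evaluate(finding: dict, node: dict) -> bool:
    """Recursively evaluate a tree of conditions joined by AND ("all") / OR ("any")."""
    if "all" in node:
        return all(evaluate(finding, child) for child in node["all"])
    if "any" in node:
        return any(evaluate(finding, child) for child in node["any"])
    return match_condition(finding, node)


# The criteria from the example above: development branch AND
# (OWASP A1 OR A2) AND severity high or critical.
EXAMPLE_CRITERIA = {
    "all": [
        {"field": "branch", "op": "eq", "value": "development"},
        {"any": [
            {"field": "owasp", "op": "eq", "value": "A1"},
            {"field": "owasp", "op": "eq", "value": "A2"},
        ]},
        {"field": "severity", "op": "gte", "value": "high"},
    ]
}

# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "sast", "branch": "development", "owasp": "A1", "severity": "critical"},
    {"id": "f2", "type": "sast", "branch": "development", "owasp": "A1", "severity": "medium"},
    {"id": "f3", "type": "sast", "branch": "main", "owasp": "A2", "severity": "high"},
    {"id": "f4", "type": "infra", "branch": "development", "owasp": None, "severity": "critical"},
    {"id": "f5", "type": "sast", "branch": "development", "owasp": "A2", "severity": "high"},
]


def findings_to_open(findings: list[dict], criteria: dict = EXAMPLE_CRITERIA) -> list[str]:
    """Return the ids of findings for which an issue would be opened."""
    return [f["id"] for f in findings if evaluate(f, criteria)]


if __name__ == "__main__":
    print(findings_to_open(SAMPLE_FINDINGS))  # ['f1', 'f5']
```

Only f1 and f5 pass: f2 is below the severity threshold, f3 is on another branch, and f4 is an Infra finding with no OWASP category, so the OR branch cannot match it even though its severity is critical.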

Issue Assignment Hierarchy

Certain users can be assigned as issue responsible within the teams. When a team is assigned to a project, the issues are automatically assigned to this issue responsible based on the issue assignment criteria entered on the platform.

If the "Committer when the committer is known." box is checked under the Issue Assignment section in Project Settings, the committer supersedes all other users for vulnerabilities with a known committer.

If a specific user is also selected under the Issue Assignment section in Project Settings, this specific user supersedes the issue responsible of the team.

So the hierarchy is as follows when all three are selected:

  1. Committer of the vulnerability
  2. The specific user selected under Project Settings
  3. Issue responsible selected in the team

For cases when none of the above is applicable, Kondukto will assign the issue to the owner of the token generated on the issue manager.
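The fallback chain above, written out as an added example so the precedence can be checked case by case. This is not Kondukto's code: the settings object, the Finding shape, and the assumption that a committer assignment "fails" when the committer has no matching account on the issue manager are all illustrative choices for this example.

```python
"""Illustrative model of the issue assignment hierarchy (added example, not Kondukto's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    id: str
    kind: str                        # "sast", "iac", "dast", "infra", ...
    committer: Optional[str] = None  # only SAST and IaC findings carry a committer


@dataclass
class ProjectSettings:
    assign_to_committer: bool = False            # "Committer when the committer is known."
    specific_user: Optional[str] = None          # "Specific user" field
    team_issue_responsible: Optional[str] = None # issue responsible of the assigned team
    token_owner: str = "token-owner"             # owner of the issue manager token


def resolve_assignee(finding: Finding, settings: ProjectSettings,
                     issue_manager_users: set[str]) -> tuple[str, str]:
    """Return (assignee, reason) following the precedence described above.

    issue_manager_users is an assumed set of accounts that exist on the
    issue manager; a committer outside it models a failed committer assignment.
    """
    # 1. Committer, when the box is checked and the committer is known and resolvable.
    if settings.assign_to_committer and finding.committer:
        if finding.committer in issue_manager_users:
            return finding.committer, "committer"
    # 2. Specific user selected under Project Settings.
    if settings.specific_user:
        return settings.specific_user, "specific user"
    # 3. Issue responsible selected in the team.
    if settings.team_issue_responsible:
        return settings.team_issue_responsible, "team issue responsible"
    # 4. Owner of the token generated on the issue manager.
    return settings.token_owner, "token owner"


# Constructed sample data (hypothetical users and findings).
USERS = {"alice", "bob", "carol"}
FULL = ProjectSettings(assign_to_committer=True, specific_user="bob",
                       team_issue_responsible="carol")
NO_SPECIFIC = ProjectSettings(assign_to_committer=True, team_issue_responsible="carol")
EMPTY = ProjectSettings()

SAST_KNOWN = Finding("f1", "sast", committer="alice")
SAST_UNMAPPED = Finding("f2", "sast", committer="mallory")  # no account on the issue manager
INFRA = Finding("f3", "infra")                              # committer never known


def assignment_table() -> dict[str, str]:
    """Assignee for each (settings, finding) combination, keyed for readability."""
    cases = {
        "full/sast-known": (FULL, SAST_KNOWN),
        "full/sast-unmapped": (FULL, SAST_UNMAPPED),
        "full/infra": (FULL, INFRA),
        "no-specific/infra": (NO_SPECIFIC, INFRA),
        "empty/infra": (EMPTY, INFRA),
    }
    return {name: resolve_assignee(f, s, USERS)[0] for name, (s, f) in cases.items()}


if __name__ == "__main__":
    for name, who in assignment_table().items():
        print(f"{name:22s} -> {who}")
```

The table makes the precedence visible: a known, resolvable committer wins; an unmapped committer or a finding type without committer information falls through to the specific user; without a specific user the team's issue responsible is used; and with nothing configured the token owner receives the issue.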