If you use Jira to manage your projects, you can set up an integration with Burp Suite Enterprise Edition. Once configured, this enables you to create Jira tickets directly from the results of a scan. Integration with both cloud-based and server-based Jira installations is supported.
Note: If your Jira server is configured to use HTTPS, you need to make sure that it has a CA-signed certificate. Burp Suite Enterprise Edition does not currently support integration using self-signed certificates.
If you want to integrate a cloud-based Jira installation, you first need to create a Jira API token. This is used to authenticate communication with Jira. If you use a server-based Jira installation, you can skip this step.
To enable the Jira integration, you first need to configure some basic settings so that the Enterprise server and Jira can communicate. You also specify the Jira projects for which tickets can be created.
On the "Jira integration" settings page, under "Automatic ticket creation", you can choose whether you want Burp to automatically create Jira tickets for issues it has not seen before. You can choose which severity and confidence levels trigger automatic ticket creation. By default, tickets are automatically created for new issues with a severity of "High" and a confidence of "Certain".
In the scan delta settings, which you can adjust on the Sites and scan data page, you can also configure what counts as a new issue for this purpose. By default, this is based only on the site and issue type. This means, for example, that if an SQL-injection issue has already been reported for a site, then Burp Suite Enterprise Edition will not create a ticket for any subsequent SQL-injection issues found anywhere on the site. However, you can adjust the settings so that the URL is also considered when determining what counts as a new issue. In the example above, this would mean that even if an SQL-injection issue had already been found for the site, a separate Jira ticket would be created if another SQL-injection issue was found at a different URL.
Note: Please keep in mind that even tickets that were created automatically by Burp Suite Enterprise Edition will need to be processed manually in Jira. We recommend being conservative with automatic ticket creation until you have a better understanding of how many tickets will be generated. Otherwise, you might unintentionally clutter your Jira backlog with an overwhelming number of tickets.
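To gauge ticket volume before enabling automatic creation, the following added example (an illustration, not PortSwigger's code) models the rules described above and counts the tickets a set of findings would produce under each scan delta setting. The field names and sample findings are constructed, and it assumes a finding is recorded as seen even when it falls below the severity or confidence threshold.

```python
# Added illustration: a model of the documented rules, not Burp's own code.

# Defaults stated on this page: high severity and certain confidence.
DEFAULT_SEVERITIES = frozenset({"high"})
DEFAULT_CONFIDENCES = frozenset({"certain"})


def delta_key(finding, include_url):
    """Identity used to decide whether an issue has been seen before."""
    key = (finding["site"], finding["issue_type"])
    if include_url:
        key += (finding["url"],)  # optional setting: URL is also considered
    return key


def tickets_to_create(findings, include_url=False,
                      severities=DEFAULT_SEVERITIES,
                      confidences=DEFAULT_CONFIDENCES):
    """Return the findings that would trigger an automatic Jira ticket."""
    seen, tickets = set(), []
    for finding in findings:
        key = delta_key(finding, include_url)
        if key in seen:
            continue  # not a new issue under the chosen setting
        seen.add(key)  # assumption: recorded as seen even without a ticket
        if (finding["severity"] in severities
                and finding["confidence"] in confidences):
            tickets.append(finding)
    return tickets


# Constructed sample findings, in the order the scans reported them.
FIELDS = ("site", "issue_type", "url", "severity", "confidence")
ROWS = [
    ("shop", "SQL injection", "https://shop.example/search", "high", "certain"),
    ("shop", "SQL injection", "https://shop.example/cart", "high", "certain"),
    ("shop", "SQL injection", "https://shop.example/search", "high", "certain"),
    ("shop", "Reflected XSS", "https://shop.example/search", "high", "firm"),
    ("blog", "SQL injection", "https://blog.example/post", "high", "certain"),
]
FINDINGS = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for include_url in (False, True):
        count = len(tickets_to_create(FINDINGS, include_url=include_url))
        print(f"URL considered: {include_url} -> {count} tickets")
```

Running the same model over an exported list of past findings shows how much the URL setting and wider confidence levels multiply the backlog.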
Once you have configured the integration with Jira, users can manually create tickets for issues, or link an issue to an existing ticket, directly from the scan results. You can link an issue to multiple Jira tickets.
A ticket containing a link to the issue and some basic information about it is added to the Jira project backlog. In Jira, you can now assign the issue to a sprint or other project workflow as you would any other ticket. In Burp Suite Enterprise Edition, the issue now contains a "Linked Jira ticket" tab, where you can choose to unlink the ticket. However, please be aware that when you unlink a ticket from an issue, the ticket still exists in Jira and must be closed manually.
Note: The HTTP requests and responses for issues are currently not included automatically in the Jira ticket. Although a link to the issue is provided, if the developer assigned to investigate the issue does not have access to a Burp Suite Enterprise Edition account, you may need to download the HTML report and attach it to the Jira ticket manually.