github-security-jira

Disable restricted comments in Jira

Open zswanson opened this issue 4 years ago • 8 comments

I'm getting the following error from reload/[email protected] (latest release). I am correctly setting the env var as described in the README, but I'm observing the error even if I omit the env var or if I specify any value for a valid group that the Jira API token and user belong to. The action is creating a ticket when it runs; it just fails on trying to add the restricted comment. I don't actually need or care about this comment, but I get the same output even if I remove the variable.

Run reload/[email protected]
  env:
    GH_SECURITY_TOKEN: ***
    JIRA_TOKEN: ***
    JIRA_HOST: https://JIRA_URL/
    JIRA_USER: JIRA_USERNAME
    JIRA_PROJECT: ABC
    JIRA_ISSUE_TYPE: Bug
    JIRA_RESTRICTED_COMMENT_ROLE: JIRA_ROLE

In JiraClient.php line 264:
                                                                               
  CURL HTTP Request Failed: Status Code : 400, URL:https://telemedicine.atlas  
  sian.net//rest/api/2/issue/VCB-3440/comment                                  
  Error Message : {"errorMessages":[],"errors":{"commentLevel":"You are curre  
  ntly not a member of the project role: Developers."}} 

zswanson avatar May 01 '21 14:05 zswanson

I fixed it with: JIRA_RESTRICTED_COMMENT_ROLE: "*"

Anton-Shutik avatar Aug 13 '21 11:08 Anton-Shutik

> I fixed it with: JIRA_RESTRICTED_COMMENT_ROLE: "*"

It is not working for me 😞

Error Message : {"errorMessages":[],"errors":{"commentLevel":"Role with id:    * does not exist."}} 

matteobaldelli avatar Sep 14 '22 09:09 matteobaldelli

Could we have an option to not comment at all?

HarlemSquirrel avatar Dec 21 '22 15:12 HarlemSquirrel

> Could we have an option to not comment at all?

Must be implemented in https://github.com/reload/jira-security-issue first.

arnested avatar Feb 17 '23 14:02 arnested

Can you please share any timeline when this can be implemented and fixed? I am also getting the same issue as @zswanson mentioned.

CRUZEAAKASH avatar Apr 18 '23 05:04 CRUZEAAKASH

@CRUZEAAKASH Not really. It depends on it being enough of an itch for someone to make a PR implementing a JIRA_NO_COMMENT option in https://github.com/reload/jira-security-issue.

xendk avatar Apr 18 '23 08:04 xendk

Basically it looks like we could put a condition around these lines based on a new environment variable.

https://github.com/reload/jira-security-issue/blob/50fb0512ea089cb4cc8b1f4272817b898697489e/src/JiraSecurityIssue.php#L248-L250

HarlemSquirrel avatar Apr 18 '23 13:04 HarlemSquirrel

@HarlemSquirrel That's the gist of it. But the comment is also used to notify about watchers not being found, which is an error condition we'd rather like to notify somebody about.

The only viable alternative to using a comment for that is making the action fail on unfound watchers, but that might be a bit heavy-handed, @arnested?

xendk avatar Apr 19 '23 06:04 xendk