We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example?
Mmm. Did your security firm mention other things in Jira that might be a risk?
If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either)
Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)
This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.
That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application. /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.
I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.
Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics.
What, actually, is the problem? Where do your security people think there is a security issue? What does "they identify script runner as a security issue" really mean?
Try the five whys - "why is SR a security issue?". What are the responses to the next four "why?" questions?
Atlas Camp is our developer event which will take place in Barcelona, Spain from the 6th -7th of September . This is a great opportunity to meet other developers and get n...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG