We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example?
Mmm. Did your security firm mention other things in Jira that might be a risk?
If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either)
Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)
This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.
That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application. /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.
I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.
Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics.
What, actually, is the problem? Where do your security people think there is a security issue? What does "they identify script runner as a security issue" really mean?
Try the five whys - "why is SR a security issue?". What are the responses to the next four "why?" questions?
Hi all! My name is Miles and I work on the Marketplace team. We’re looking for better ways to recommend and suggest apps that are truly crowd favorites, so of course we wanted to poll the Community. ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs