CAHABA FORGE
  • Home
  • Features
  • Docs
  • Data Center
  • About
  • Contact

Trust & Security for Business Sign-off for Jira Data Center

Security and evaluation details for the self-hosted Jira version

Effective Date: March 31, 2026
Last Updated: March 31, 2026
Vendor: Cahaba Forge LLC

Cahaba Forge is committed to building software that meets the security and compliance expectations of enterprise organizations. This page summarizes our security practices, testing results, and dependency posture for Business Sign-off for Jira Data Center. If you are evaluating the Jira Cloud version instead, which is the primary product direction, use the Cloud trust and security page.

Static Analysis

Every release is scanned with SonarQube (Community Edition) for vulnerabilities, bugs, code smells, and security hotspots.

Current Ratings

Security Rating: A
Reliability Rating: A
Maintainability Rating: A
Security Hotspots: A

Key Metrics

Metric                     Value
Code coverage (combined)   80.5%
Line coverage              82.9%
Branch coverage            74.9%
Open vulnerabilities       0
Open bugs                  0
Security hotspots          0
Lines of code              ~18,000

Full SonarQube scan reports are available upon request during procurement or security review.

Automated Security Scanning

Each release candidate is validated through a multi-phase verification pipeline that includes the following security-focused scans:

Scan                         Tool                     Purpose
Static analysis (SAST)       SonarQube                Identifies vulnerabilities, bugs, code smells, and security hotspots in source code
SAST rules                   Semgrep                  Additional static analysis with the Java, OWASP, and security-audit rulesets
Dependency vulnerabilities   OWASP Dependency-Check   Scans all third-party dependencies against the National Vulnerability Database (NVD) for known CVEs
Secrets detection            Gitleaks                 Scans the full git history for accidentally committed secrets, tokens, and credentials
Dynamic analysis (DAST)      OWASP ZAP                Baseline scan (ZAP's passive, non-attacking mode) of the deployed plugin endpoints: spiders the UI and flags what is detectable from responses alone, such as missing security headers, insecure cookie flags, and user-controllable reflected input (potential XSS); it sends no injection payloads

Third-Party Dependencies

Business Sign-off is designed for a minimal dependency footprint. Only one third-party library is bundled into the plugin artifact (Maven compile scope):

Library              Version   License      Purpose
Apache Commons CSV   1.14.1    Apache 2.0   Audit history CSV export

All other dependencies (Jira platform APIs, ActiveObjects, SAL, etc.) are provided by the Jira runtime and are not bundled with the plugin.

Secure Development Practices

  • XSS prevention — all user input is HTML-encoded before rendering in templates. Encoding is applied at the appropriate layer depending on template context (Java context providers for web panels, $textutils.htmlEncode() for servlets and custom fields).
  • CSRF protection — all state-changing operations (POST, PUT, DELETE) require valid XSRF tokens. REST endpoints additionally declare @Consumes(MediaType.APPLICATION_JSON), which refuses any request whose Content-Type is not application/json with HTTP 415 before the handler runs. An HTML form cannot send that content type, and a cross-origin fetch or XMLHttpRequest that sets it triggers a CORS preflight that the browser blocks unless the server explicitly allows the origin, so a forged cross-site request never reaches the endpoint. This is a browser-enforced control and complements, rather than replaces, the token check.
  • SQL and JQL injection prevention — all database access goes through ActiveObjects with parameterized queries (values are bound as parameters, never concatenated into SQL text). JQL is built with JqlQueryBuilder, which constructs the query object directly, so user-supplied values are operands rather than text the JQL parser interprets.
  • Input validation — all REST endpoints and servlets validate path parameters, query parameters, and request bodies. A shared InputValidator utility enforces length limits, type constraints, and format validation.
  • Permission enforcement — every REST endpoint and service method validates user permissions before execution. Both global permissions (Jira Admin, System Admin) and project-level permissions (Project Admin, Browse Projects) are checked.
  • Cluster safety — distributed locking via ClusterLockService for operations that must not run concurrently on different nodes, shared files kept in the Jira shared home (JiraHome.getSharedHome(); the deprecated JiraHome.getHome() resolves to the node-local home, which is not replicated between Data Center nodes), and node-local synchronization for in-memory state.
  • No sensitive data logging — passwords, tokens, and PII are never written to log files. SLF4J parameterized logging is used exclusively.
  • Separation of Duties (SoD) — configurable controls prevent issue reporters and/or assignees from approving their own issues.
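The bullets above describe each control on its own. The following is an added example, written for this page and not taken from Business Sign-off's source, of how input validation, permission enforcement, the @Consumes-based CSRF layer, parameterized ActiveObjects access, and a cluster lock combine in one state-changing REST handler. The resource path, the ApprovalRecord entity, the lock-name convention, and the rule that Jira Admins or Project Admins may approve are assumptions made for illustration; the Jira, ActiveObjects, and Beehive APIs used are the public ones.

```java
import com.atlassian.activeobjects.external.ActiveObjects;
import com.atlassian.beehive.ClusterLock;
import com.atlassian.beehive.ClusterLockService;
import com.atlassian.jira.issue.Issue;
import com.atlassian.jira.issue.IssueManager;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
import net.java.ao.DBParam;
import net.java.ao.Entity;
import net.java.ao.Query;
import javax.inject.Inject;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/** Assumed ActiveObjects entity, one row per approval; AO derives columns ISSUE_ID and USER_KEY from the getters. */
interface ApprovalRecord extends Entity {
    long getIssueId();   void setIssueId(long issueId);
    String getUserKey(); void setUserKey(String userKey);
}

@Path("/approvals")
@Consumes(MediaType.APPLICATION_JSON)  // a body that is not application/json is refused with HTTP 415 before approve()
public class ApprovalResource {         // runs; HTML forms cannot send that type, cross-origin XHR with it is preflighted
    /** Jira issue keys look like PROJ-123; the shape is checked before the value reaches any lookup or query. */
    private static final Pattern ISSUE_KEY = Pattern.compile("^[A-Z][A-Z0-9_]{0,9}-[1-9][0-9]{0,8}$");
    private static final int MAX_COMMENT_LENGTH = 2000;
    private final JiraAuthenticationContext authContext;
    private final PermissionManager permissionManager;
    private final GlobalPermissionManager globalPermissionManager;
    private final IssueManager issueManager;
    private final ClusterLockService clusterLockService;
    private final ActiveObjects ao;

    @Inject
    public ApprovalResource(@ComponentImport JiraAuthenticationContext authContext,
                            @ComponentImport PermissionManager permissionManager,
                            @ComponentImport GlobalPermissionManager globalPermissionManager,
                            @ComponentImport IssueManager issueManager,
                            @ComponentImport ClusterLockService clusterLockService,
                            @ComponentImport ActiveObjects ao) {
        this.authContext = authContext; this.permissionManager = permissionManager;
        this.globalPermissionManager = globalPermissionManager; this.issueManager = issueManager;
        this.clusterLockService = clusterLockService; this.ao = ao;
    }

    /** JSON request body, bound by the REST module's Jackson provider. */
    public static final class ApproveRequest { public String issueKey; public String comment; }

    @POST @Path("/approve")
    public Response approve(ApproveRequest body) {
        ApplicationUser user = authContext.getLoggedInUser();
        if (user == null) return Response.status(Response.Status.UNAUTHORIZED).build();
        // Input validation first: shape and length limits, before the values reach any lookup.
        if (body == null || body.issueKey == null || !ISSUE_KEY.matcher(body.issueKey).matches()
                || (body.comment != null && body.comment.length() > MAX_COMMENT_LENGTH)) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        // Permission enforcement: Browse Projects gates visibility. "Missing" and "not visible" share one 404
        // so the endpoint cannot be used to confirm that a hidden issue exists.
        Issue issue = issueManager.getIssueByCurrentKey(body.issueKey);
        if (issue == null || !permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, issue, user)) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (!canApprove(user, issue)) return Response.status(Response.Status.FORBIDDEN).build();
        // Cluster safety: one lock per issue, held across every Data Center node. A bounded tryLock rather than
        // lock(), so a node that dies while holding it cannot hang every later request for this issue.
        ClusterLock lock = clusterLockService.getLockForName("signoff.approve." + issue.getId());  // name assumed
        try {
            if (!lock.tryLock(5, TimeUnit.SECONDS)) return Response.status(Response.Status.CONFLICT).build();
            try {
                // Persistence only through ActiveObjects: user-influenced values are bind parameters, never SQL text.
                ApprovalRecord[] existing = ao.find(ApprovalRecord.class,
                        Query.select().where("ISSUE_ID = ? AND USER_KEY = ?", issue.getId(), user.getKey()));
                if (existing.length == 0) {
                    ao.create(ApprovalRecord.class,
                            new DBParam("ISSUE_ID", issue.getId()), new DBParam("USER_KEY", user.getKey()));
                }
            } finally {
                lock.unlock();
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Response.status(Response.Status.SERVICE_UNAVAILABLE).build();
        }
        return Response.noContent().build();
    }

    /** Jira Admins (System Admins hold ADMINISTER as well) or Project Admins of the issue's project may approve. */
    private boolean canApprove(ApplicationUser user, Issue issue) {
        return globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, user)
            || permissionManager.hasPermission(ProjectPermissions.ADMINISTER_PROJECTS, issue.getProjectObject(), user);
    }
}
```

The XSRF token requirement described in the CSRF bullet is not shown here; the @Consumes annotation is the second, independent layer that still holds if a token check is misconfigured. Two details are deliberate: the same 404 is returned for a non-existent issue and for one the caller cannot browse, and the Browse Projects check is made against the resolved issue rather than the caller-supplied key, so the permission decision is bound to the object that will actually be modified.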

Testing

The plugin maintains comprehensive automated test coverage across three tiers:

Unit Tests

  • 2,350+ unit tests covering services, REST endpoints, listeners, workflow functions, custom fields, and security scenarios
  • Permission checks, edge cases, and error conditions tested for every public method
  • JaCoCo code coverage integrated with SonarQube analysis (80.5% combined coverage)

REST API End-to-End Tests

  • 95 integration tests exercising all REST endpoints against a running Jira instance
  • Tests cover the full approval lifecycle, configuration management, audit history, notification workflows, and error handling
  • Validates authentication, authorization, and input validation for every endpoint

UI Tests (Playwright)

  • 75 browser-based tests validating the user interface across all screens
  • Tests cover the signoff panel, global configuration, project configuration, approval workflows, and dashboard gadgets
  • Runs headless against a deployed Jira instance with automated user/project provisioning

Data Handling

  • All plugin data is stored in Jira's database via ActiveObjects — no external services or data transfers
  • Data remains within your Jira instance and under your organization's control
  • Complete audit trail of all approval actions with timestamps, user attribution, and SHA-256 record hashes for tamper detection
  • Automatic cleanup of plugin data when issues or projects are deleted
  • Audit history export to CSV with UTF-8 encoding and configurable date ranges
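An added example of the SHA-256 record hashing mentioned above, written for this page and not taken from the plugin: it fixes a canonical byte encoding for the audit fields so that a hash is reproducible, and it goes one step beyond a per-record hash by chaining each row's hash to the previous one, so that editing, deleting, or reordering an earlier row is detectable as well. The field set, the genesis value, and the encoding are assumptions; the plugin's own record layout is not documented on this page.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Tamper-evident hashing of audit rows. The field set below is assumed for the example, not the plugin's schema. */
public final class AuditRecordHash {

    public static final class AuditEntry {
        final long issueId; final String userKey; final String action; final long timestampMillis; final String comment;
        AuditEntry(long issueId, String userKey, String action, long timestampMillis, String comment) {
            this.issueId = issueId; this.userKey = userKey; this.action = action;
            this.timestampMillis = timestampMillis; this.comment = comment == null ? "" : comment;
        }
    }

    /** Hash of "nothing before this row"; any fixed public value works as long as every verifier uses the same one. */
    public static final String GENESIS = "0000000000000000000000000000000000000000000000000000000000000000";

    /**
     * Canonical byte form of a row. Every field is emitted as "<byte length>:<bytes>", so field boundaries are
     * unambiguous (a comment containing ':' or any other delimiter cannot be split into extra fields), and the
     * previous row's hash is the final field, which binds this row to everything before it.
     */
    static byte[] canonical(AuditEntry e, String previousHashHex) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        String[] fields = { Long.toString(e.issueId), e.userKey, e.action,
                            Long.toString(e.timestampMillis), e.comment, previousHashHex };
        for (String field : fields) {
            byte[] bytes = field.getBytes(StandardCharsets.UTF_8);
            byte[] prefix = (bytes.length + ":").getBytes(StandardCharsets.US_ASCII);
            out.write(prefix, 0, prefix.length);
            out.write(bytes, 0, bytes.length);
        }
        return out.toByteArray();
    }

    /** Lower-case hex SHA-256 of the canonical form; this is the value stored alongside the row. */
    public static String hashHex(AuditEntry e, String previousHashHex) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(canonical(e, previousHashHex));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is a mandatory JCA algorithm", ex);
        }
    }

    /** Recomputes the hash and compares in constant time, so a caller cannot learn how much of a guess matched. */
    public static boolean verify(AuditEntry e, String previousHashHex, String storedHashHex) {
        byte[] expected = hashHex(e, previousHashHex).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHashHex.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, stored);
    }

    public static void main(String[] args) {
        // Constructed sample rows: two approvals on the same issue, chained in order.
        AuditEntry first = new AuditEntry(10001L, "alice", "APPROVE", 1711843200000L, "Looks good: ship it");
        String h1 = hashHex(first, GENESIS);
        AuditEntry second = new AuditEntry(10001L, "bob", "APPROVE", 1711846800000L, null);
        String h2 = hashHex(second, h1);
        if (!verify(first, GENESIS, h1) || !verify(second, h1, h2)) throw new AssertionError("intact chain must verify");

        // Rewriting who approved breaks the row's own hash ...
        AuditEntry forged = new AuditEntry(10001L, "mallory", "APPROVE", 1711843200000L, "Looks good: ship it");
        if (verify(forged, GENESIS, h1)) throw new AssertionError("forged row must not verify");
        // ... and recomputing that hash does not help, because the next row still commits to the original h1.
        if (verify(second, hashHex(forged, GENESIS), h2)) throw new AssertionError("chain must reject the forged link");
        // Deleting the first row and presenting the second as the start of the chain is caught the same way.
        if (verify(second, GENESIS, h2)) throw new AssertionError("chain must reject a removed predecessor");
        System.out.println("all checks passed; head of chain = " + h2);
    }
}
```

A hash stored next to its row detects corruption and edits made without recomputing the chain. It does not, on its own, stop an actor with write access to the same database who recomputes every hash from the altered row onward; covering that case means anchoring the latest chain head somewhere that actor cannot write (a signed export, a log shipped off-host) or replacing the plain digest with an HMAC under a key the database does not hold.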

For full details on data storage, see our Privacy Policy.

Request a Full Report

If your organization requires detailed security documentation as part of a procurement or compliance review, we are happy to provide:

  • Full SonarQube scan report (PDF)
  • OWASP Dependency-Check report (HTML/JSON)
  • Dependency bill of materials (BOM)
  • Architecture and data flow overview
  • Responses to security questionnaires

Contact us at security@cahabaforge.com or through our contact page.

© 2026 Cahaba Forge LLC. All rights reserved.