Cahaba Forge is committed to building software that meets the security and compliance expectations of enterprise organizations. This page summarizes our security practices, testing results, and dependency posture for Business Sign-off for Jira Data Center.
Static Analysis
Every release is scanned with SonarQube (Community Edition, LTS) for vulnerabilities, bugs, code smells, and security hotspots. Our current results:
- Security Rating: A
- Reliability Rating: A
- Maintainability Rating: A
- 0 open vulnerabilities
- 0 open bugs
- 0 security hotspots
Full SonarQube scan reports are available upon request during procurement or security review.
Third-Party Dependencies
Business Sign-off is designed for a minimal dependency footprint. At compile time, the plugin bundles only one third-party library:
| Library | Version | License | Purpose |
| --- | --- | --- | --- |
| Apache Commons CSV | 1.10.0 | Apache 2.0 | Audit history CSV export |
All other dependencies (Jira platform APIs, ActiveObjects, SAL, etc.) are provided by the Jira runtime and are not bundled with the plugin.
Secure Development Practices
- XSS prevention — all user input is HTML-encoded before rendering in templates
- CSRF protection — all state-changing operations require valid tokens
- SQL injection prevention — ActiveObjects with parameterized queries; no raw SQL concatenation
- Permission enforcement — every REST endpoint and service method validates user permissions before execution
- Cluster safety — distributed locking, shared storage, and node-local synchronization for Data Center deployments
- No sensitive data logging — passwords, tokens, and PII are never written to log files
Testing
The plugin maintains comprehensive automated test coverage:
- 1,540+ unit tests covering services, REST endpoints, listeners, workflow functions, and custom fields
- Permission checks, edge cases, and error conditions tested for every public method
- JaCoCo code coverage integrated with SonarQube analysis
Data Handling
- All plugin data is stored in Jira's database via ActiveObjects — no external services or data transfers
- Data remains within your Jira instance and under your organization's control
- Complete audit trail of all approval actions with timestamps and user attribution
- Automatic cleanup of plugin data when issues or projects are deleted
Request a Full Report
If your organization requires detailed security documentation as part of a procurement or compliance review, we are happy to provide:
- Full SonarQube scan report (PDF)
- Dependency bill of materials (BOM)
- Architecture and data flow overview
- Responses to security questionnaires
Contact us at security@cahabaforge.com or through our contact page.