Sync vulnerability findings to Jira with SLA tracking and dedupe

domain: security-general · 5 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Authenticate to the Jira Cloud REST API using an API token (generated at id.atlassian.com) with HTTP Basic auth (user email + token) or OAuth 2.0; use the base URL https://{your-domain}.atlassian.net/rest/api/3/.
  2. Before creating a ticket, prevent duplicates by searching for an existing issue with the same vulnerability fingerprint (CVE ID + asset ID), using POST /rest/api/3/issue/picker or GET /rest/api/3/search with a JQL query such as project={PROJECT} AND labels={CVE-ID} AND labels={ASSET-ID} AND statusCategory != Done.
  3. Create a new issue with POST /rest/api/3/issue if no duplicate is found; populate summary, description (vuln title, CVE, CVSS score, affected asset, remediation guidance), labels (CVE ID, asset ID, severity), priority, and a due date calculated from an SLA policy (e.g., Critical: 7 days, High: 30 days).
  4. Store the Jira issue key (e.g., SEC-1234) back in your vulnerability management system against the finding, to enable bidirectional status sync and prevent re-creation on subsequent pipeline runs.
  5. Implement a daily sync job that queries your vulnerability scanner for findings whose status changed to Fixed, then transitions the corresponding Jira issue to Done via POST /rest/api/3/issue/{issueId}/transitions using the correct transition ID obtained from GET /rest/api/3/issue/{issueId}/transitions.
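
Steps 2 to 4 as an added example, not part of the original route and not Atlassian's code: it builds the dedupe JQL, the create-issue body and the SLA due date, with scanner-supplied values normalised and quoted before they reach the query. Assumptions: the search and create callables (hypothetical wrappers around the HTTP calls), the Medium and Low SLA values, the Task issue type and Jira's default priority names.

```python
import re
from datetime import date, timedelta

# Critical and High are the SLA values from step 3; Medium and Low are assumed.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumption: the site still uses Jira's default priority names.
PRIORITY = {"critical": "Highest", "high": "High", "medium": "Medium", "low": "Low"}

def label(value):
    """Jira labels cannot contain spaces: reduce scanner text to one safe token."""
    return re.sub(r"[^A-Za-z0-9._:-]+", "_", value.strip())

def jql_quote(value):
    """Quote a JQL string so finding data cannot change the query's structure."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def dedupe_jql(project, cve, asset):
    """Step 2: open issues that carry both fingerprint labels."""
    return (f"project = {jql_quote(project)} AND labels = {jql_quote(label(cve))} "
            f"AND labels = {jql_quote(label(asset))} AND statusCategory != Done")

def issue_payload(project, f, found_on):
    """Step 3: body for POST /rest/api/3/issue, due date taken from the SLA table."""
    sev = f["severity"].lower()
    text = (f"{f['title']} | {f['cve']} | CVSS {f['cvss']} | "
            f"asset {f['asset']} | remediation: {f['remediation']}")
    return {"fields": {
        "project": {"key": project},
        "issuetype": {"name": "Task"},  # assumption: the project has a Task type
        "summary": f"[{f['severity']}] {f['cve']} on {f['asset']}"[:255],
        # API v3 expects the description as Atlassian Document Format, not a string
        "description": {"type": "doc", "version": 1, "content": [
            {"type": "paragraph", "content": [{"type": "text", "text": text}]}]},
        "labels": [label(f["cve"]), label(f["asset"]), label("sev-" + sev)],
        "priority": {"name": PRIORITY[sev]},
        "duedate": (found_on + timedelta(days=SLA_DAYS[sev])).isoformat(),
    }}

def sync_finding(project, f, found_on, search, create):
    """Steps 2-4: return the issue key to store against the finding.
    search(jql) -> [keys] and create(payload) -> key are hypothetical HTTP wrappers."""
    existing = search(dedupe_jql(project, f["cve"], f["asset"]))
    return existing[0] if existing else create(issue_payload(project, f, found_on))

# Constructed finding; the asset name is deliberately hostile to show the quoting.
SAMPLE = {"title": "Example library RCE", "cve": "CVE-0000-00000", "cvss": 9.8,
          "asset": 'web 01" OR project = OTHER', "severity": "Critical",
          "remediation": "Upgrade to the vendor-fixed release",
          "found_on": date(2024, 1, 1)}
```

The same label() function feeds both the search and the created issue, so the fingerprint written in step 3 is exactly the one step 2 looks for on the next run.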
