• Released 01 May 2018.


This update fixes a serious security vulnerability in ScriptRunner for Jira discovered during an internal review. We strongly recommend all customers apply this update at their earliest opportunity. Further details will be released in the coming weeks as part of Adaptavist’s responsible disclosure approach.

All versions of ScriptRunner for Jira from 4.0.0 are affected. Below are instructions on which version we recommend you upgrade to:

  • If you have Jira 7.2 or above, upgrade to 5.3.26

  • If you have Jira 7.0 or 7.1, upgrade to

  • If you have Jira 6.4, upgrade to

  • If you have Jira 6.3.10 to Jira 6.3.15 inclusive, upgrade to

  • If you have Jira 6.3.0 to 6.3.9 inclusive, upgrade to


  • Released 20 April 2018.

Bug Fixes

  • [SRJIRA-2811] - Removed dialog2 dependency makes some Jira screens inaccessible


  • Released 16 April 2018. 
  • Compatible with Jira 7.9.x

Bug Fixes

  • [SRJIRA-2797] - ScriptRunner compatible with Jira 7.9.0 and SD 3.12.0
  • [SRJIRA-2538] - AddedAfterSprintStarts exception with filter subscription
  • [SRJIRA-2670] - Running post-functions as a renamed user throws exception
  • [SRJIRA-2753] - addedAfterSprintStart uses http context
  • [SRJIRA-2754] - Exclude post function conditions from audit logging to stop swamping the audit log
  • [SRJIRA-2786] - Remove audit logging from script field


  • Released 16 March 2018.

New Features

ScriptRunner audit Logging Service 

As a Jira administrator you can now inspect script configuration changes from Jira audit. For more information check Audit Logging.

Test Management for Jira Integration

As a Jira administrator you can now run ScriptRunner scripts that interact with Test Management for Jira. For more information check Test Management for Jira.

Bug Fixes

  • [SRPLAT-261] - ScriptRunner custom REST endpoints in Data Center only setup on one node
  • [SRPLAT-24] - Log built in scripts actions
  • [SRJIRA-2739] - Change name of "Execute a ScriptRunner script" module
  • [SRJIRA-2606] - Package required for built-in scripts is wrong in docs
  • [SRJIRA-2607] - Copy Project errors when deleted user is member of project role
  • [SRJIRA-2674] - ScriptRunner Version synchroniser
  • [SRJIRA-2693] - Reporter field is not copied via the "Clone an issue, and links" listener
  • [SRJIRA-2705] - Display error when first creating a Scripted Field with Custom Template
  • [SRJIRA-2708] - Custom REST Endpoint : trows NullPointerException with DELETE method
  • [SRJIRA-2721] - More clarification in the UI/docs about the one behaviour per-field rule
  • [SRJIRA-2723] - Fix broken example on Service Desk blog
  • [SRJIRA-2727] - Canned responses in transition window missing
  • [SRJIRA-2732] - Behaviours: cannot ctrl-click range select mappings anymore
  • [SRJIRA-2545] - Add support for CommentLevel to the setFieldOptions method in Behaviours
  • [SRJIRA-2706] - Documentation on maintaining/creating dashboards and gadgets
  • [SRJIRA-2671] - TM4J and SR integration examples documentation


  • Relased 22 Feb 2018.
  • Compatible with Jira 7.8.x


Sample Code for Creating Dashboards

Enterprise Jira users often need to automatically generate dashboards with gadgets, to provide a consistent management-level overview of progress. Check out our code samples to create configured dashboards in response to project or version creation etc.

Bug Fixes

  • [SRJIRA-2606] - Package required for built-in scripts is wrong in docs
  • [SRJIRA-2706] - documentation on maintaining/creating dashboards and gadgets


  • Released 19 Feb 2018.

Bug Fixes

  • [SRJIRA-2676] - Script Fragments for web items were executing twice.
  • [SRJIRA-2683] - Stop older versions of Jira Service Desk from running incompatible features.
  • [SRJIRA-2684] - Fix Behaviours use of guide workflows containing special characters like /, \, #, or %.
  • [SRJIRA-2685] - Fix Behaviours handling of radio buttons for Internet Explorer.


  • Released 14 Feb 2018.

Bug Fixes

  • [SRJIRA-2593] - Behaviour: Server side script does not set form value if there is a Jira validation error in form
  • [SRJIRA-2657] - Behaviour does not hide nFeed fields.
  • [SRJIRA-2658] - Behaviour : Setting form value for radio button is not working
  • [SRJIRA-2660] - Behaviours mapping screen fails if JSD is enabled but unlicensed
  • [SRJIRA-2661] - Diagnostic failure from rest endpoint when content ~ 10M
  • [SRJIRA-2663] - Behaviours on Cascading Select List Blocks Issue Creation
  • [SRJIRA-2675] - Cascading Select List object only corresponds to first selection
  • [SRPLAT-259] - JSD error in logs for other products
  • [SRPLAT-260] - Enabling fragment locator displays error in UI on every page when hovering over locations


  • Released 31 Jan 2018.

5.3.1 addresses issues that arose in 5.3.0 with ScriptRunner and integrations with other Atlassian apps that modify the front-end infrastructure. This release should address these issues, and allow for seamless app compatibility.

We apologize for any inconvenience this might have caused, and thank the ScriptRunner community for their feedback and patience while we resolved this issue.

Bug Fixes

  • [SRJIRA-2638] - Duplicated Escalation services after upgrade to 5.3.0
  • [SRJIRA-2639] - plugin interaction issues due to multiple includes of polypill


  • Released 31 Jan 2018.

New Features

Conditions and additional issue actions script file

You can now put your conditions and additional issue actions in a script file.

Potentially breaking changes

When ScriptRunner is installed the old inline scripts will be converted to support the new schema. This only becomes a problem if you downgrade to a previous ScriptRunner release.

If you do downgrade you should run the following script in Admin → Script Console, before downgrading.

This will only put the current inline script code back. Therefore if you’ve updated the condition or additional issue actions code to use a script file after upgrading then this won’t be preserved when downgrading. You’ll have to manually reenter the code after downgrading. Therefore we recommend you keep the relevant script files under your script root so you can refer back to them.

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.util.json.JSONObject
import com.onresolve.scriptrunner.canned.jira.admin.EscalationService
import com.onresolve.scriptrunner.canned.jira.utils.ConditionUtils
import com.onresolve.scriptrunner.runner.ListenerManager
import com.onresolve.scriptrunner.runner.ListenerManagerImpl

import com.onresolve.scriptrunner.runner.ScriptRunnerImpl
import com.onresolve.scriptrunner.runner.util.OSPropertyPersister
import com.opensymphony.workflow.loader.ConditionDescriptor
import com.opensymphony.workflow.loader.FunctionDescriptor
import com.opensymphony.workflow.loader.ValidatorDescriptor

import java.util.regex.Pattern

// convert listeners
def listenerManager = ScriptRunnerImpl.getPluginComponent(ListenerManager)

def listeners = OSPropertyPersister.loadList(ListenerManagerImpl.CONFIG_LISTENERS) as List<Map>

listeners.each { listener ->
    convertScript(listener, ConditionUtils.FIELD_CONDITION)
    convertScript(listener, ConditionUtils.FIELD_ADDITIONAL_SCRIPT)

OSPropertyPersister.save(listeners, ListenerManagerImpl.CONFIG_LISTENERS)


// convert escalation service
def escalationService = new EscalationService()
def escalationServiceConfig = escalationService.getConfig()

escalationServiceConfig["rows"].each { service ->
    convertScript(service, ConditionUtils.FIELD_ADDITIONAL_SCRIPT)

escalationService.saveConfig(new JSONObject(escalationServiceConfig))

// convert workflow functions
def workflowManager = ComponentAccessor.getWorkflowManager()
def user = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()

String BASE_64_CANARY = "`!`"
String BASE_64_REGEX = Pattern.compile('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$')

def decodeBase64EncodedString = { String str ->
    if (str ==~ BASE_64_REGEX) {
        def decoded = new String(str.decodeBase64())
        if (decoded.startsWith(BASE_64_CANARY)) {
            return decoded.substring(BASE_64_CANARY.size())
    return str

def rewriteScripts = { Map functionArgs ->
    functionArgs.each { arg ->
        if (arg.key in [ConditionUtils.FIELD_CONDITION, ConditionUtils.FIELD_ADDITIONAL_SCRIPT] && arg.value) {
            def script = decodeBase64EncodedString(arg.value)

            def inlineScript = script.tokenize("|||")[0]

            def base64encoded = (BASE_64_CANARY + inlineScript).bytes.encodeBase64().toString()

            arg.value = base64encoded

workflowManager.getActiveWorkflows().each { workflow ->

    def draftWorkflow = workflowManager.getDraftWorkflow(workflow.name)
    if (draftWorkflow) {
        log.warn("A draft existed, for $workflow.name it's being taken over")
    } else {
        draftWorkflow = workflowManager.createDraftWorkflow(user, workflow.name)

    draftWorkflow.getAllActions().each { action ->

        def postFunctions = action.getUnconditionalResult().getPostFunctions()

        postFunctions.each { FunctionDescriptor postFunction ->

        def validators = action.getUnconditionalResult().getValidators()

        validators.each { ValidatorDescriptor validator ->

        def conditionDescriptor = action.getRestriction()?.getConditionsDescriptor()

        conditionDescriptor?.conditions.each { ConditionDescriptor condition ->

    workflowManager.updateWorkflow(user, draftWorkflow)
    workflowManager.overwriteActiveWorkflow(user, workflow.name)

void convertScript(Map<String, Object> param, String fieldName) {
    if (param.containsKey(fieldName) && param[fieldName] && param[fieldName] instanceof List) {
        def scripts = param[fieldName]

        def inlineScript = scripts[0]

        param[fieldName] = inlineScript ?: null

Behaviours for Jira Service Desk

You can now apply behaviours to the customer portal. Things like help text, requiredness etc, follow the normal Service Desk theme.

Potentially breaking changes

Behaviours have been fixed so that when getting the value for a priority, it correctly returns a Priority object.

For example, so now you can correctly do:

getFieldById("priority").value?.name == "Highest"

If previously you were comparing the string value, for instance:

getFieldById("priority").value == "1"

you can either replace with code like the above, or change .value to .formValue.

Hide or disable tabs on Jira issue screens

You can now hide or disable entire tabs with Behaviours. You might wish to do this to prevent a category of field attributes being edited at certain stages of the workflow, or by certain groups or roles.

Set Allowed Options for Radio and Checkbox Fields

You can now use setFieldOptions to restrict the available options for radio and checkbox custom fields, in exactly the same way as with select and multiselect fields.

Script Search Within Script File Input

You now have the ability to search for scripts contained within your configured script roots inside ScriptRunner. Wherever you used to be able to paste the path of a script, you can now search for the script directly in the file input. Simply start typing the name of your script and the search will present suggestions that you can select!

Execute Script Action in Automation for Jira

We now provide an action allowing you to run your own script, in Automation for Jira. More.

Please restart your system after installing the update if you intend to use this integration, otherwise you may get an error when saving the rule. We are investigating why this may happen.

Compatibility with Jira 7.7 and Jira Service Desk 3.10.0

Compatibility with latest Jira release.

Potential XSS Issues Fixed

Insufficient escaping may have allowed a vulnerability via XSS. However we judge the severity of this vulnerability as "low" as it would require a specific sequence of actions by an administrator.

Bug fixes

  • [SRJIRA-44] - Behaviours: A read-only Version field can be emptied using delete key
  • [SRJIRA-77] - Required fields are not displayed when scrolling
  • [SRJIRA-643] - Field not consistently read-only with inline editing
  • [SRJIRA-689] - The Cascading select list first value equal to example wrong
  • [SRJIRA-791] - Behaviour didn't work for transitions (like in the past)
  • [SRJIRA-869] - Script Registry logs ERROR and Exception for validators
  • [SRJIRA-877] - Syntax check in Script Registry shows mangled script and errors
  • [SRJIRA-1325] - Adding a behaviour to the Due Date field does not disable inline editing
  • [SRJIRA-2142] - Behaviours ignores multi user picker custom field
  • [SRJIRA-2186] - LastComment function throws an error if there are no comments
  • [SRJIRA-2204] - Cannot use Behaviours on Original Estimate and other time tracking fields
  • [SRJIRA-2205] - Jira comment behaviours broken in Issue View Screen
  • [SRJIRA-2212] - Behaviours sometimes don't work for full screen create/edit issue dialogs
  • [SRJIRA-2229] - Inconsistent setError in Behaviours
  • [SRJIRA-2257] - Escalation Service Throws an Exception
  • [SRJIRA-2320] - Setting Comment field to "required" via Behaviors results in an inconsistent red asterisk
  • [SRJIRA-2341] - Setting linked issues field as not required in behaviours does not unmark the field as required
  • [SRJIRA-2344] - Link does not create on issue for Confluence Pages
  • [SRJIRA-2345] - No red asterisks shown after enabling the Validator Plugin (JSU) in Behaviours on the Create issue screen
  • [SRJIRA-2354] - Behaviours set Description added multiple times
  • [SRJIRA-2355] - Behaviour on Component/s field result in an Uncaught TypeError when set to required and the project has no components
  • [SRJIRA-2396] - <script> tag causes the script registry to not load
  • [SRJIRA-2399] - Copy Project script fails to copy users and roles
  • [SRJIRA-2416] - Behaviours do not return the value of the Sprint field as expected
  • [SRJIRA-2423] - Behaviour Mapping Setup shows duplicate Sub-task issue types
  • [SRJIRA-2447] - Setting up a Dev Environment instructions don't work for latest SR Version
  • [SRJIRA-2452] - On transition screens fix version/s red asterisk persists when set to not required via Behaviour
  • [SRJIRA-2456] - Behaviours: Setting the Assignee field as required does not work
  • [SRJIRA-2531] - Links are broken in Script Information dialog
  • [SRJIRA-2540] - IE11issues caused by use of includes
  • [SRJIRA-2544] - In FieldBehaviours class there is typo which throws exception.
  • [SRJIRA-2559] - Fix location and structure of help text
  • [SRJIRA-2569] - ProjectRole* events are not listed in Script Listener Event list
  • [SRJIRA-2577] - If a behaviour is configured - Script registry fails
  • [SRJIRA-2581] - Test Runner Removes Configured Scripted Fields and Listeners
  • [SRJIRA-2583] - Behaviours editing GUI rewrite
  • [SRJIRA-2584] - codemirror linting broken
  • [SRJIRA-2585] - Builds infrastructure improvements
  • [SRJIRA-2597] - Can't have a behaviour on issue type anymore
  • [SRJIRA-2605] - Behaviours documentation is wrong due to .getValue change
  • [SRJIRA-1319] - Add current http request to behaviours script bindings
  • [SRJIRA-1385] - Ability to hide/show entire tabs
  • [SRJIRA-2207] - Add an expandable example showing how to change the default FROM email address
  • [SRJIRA-2258] - hasRemoteLinks JQL function
  • [SRJIRA-2353] - Lock the issueFunction custom field
  • [SRJIRA-2387] - Behaviours: Extend use of the setFieldOptions function to other field types
  • [SRJIRA-2546] - Implement helping pop-up for JSD Fragments
  • [SRJIRA-2557] - Ability to set change the name of the field via Behaviours
  • [SRJIRA-2315] - Implement Web Fragments for JSD
  • [SRJIRA-2319] - As an Administrator, I need the Send Customer Email script to automatically send emails to Approvers and members of Organizations to keep everyone informed of activities in ServiceDesk
  • [SRJIRA-2402] - As a Jira Administrator, I need to be able to load Conditions and Validators from source files so my whole ScritpRunner customization can be code reviewed and deployed to a file system
  • [SRJIRA-2429] - Provide an interface for selecting which script file to apply to any given automation, rather than writing out the file by name
  • [SRJIRA-2103] - Behaviours API does not expose getConfigsFor()
  • [SRJIRA-2382] - Midori Better Excel Docs Example
  • [SRJIRA-2519] - User Guide - Scripted Fields and Displaying links
  • [SRJIRA-2596] - Update Build Plan to include 7.7
  • [SRJIRA-2598] - Compatibility with Jira 7.7.0 & SD 3.10.0
  • [SRPLAT-249] - Built In Scripts Not Ordered and naming inconsistency
  • [SRPLAT-127] - Separate log file for ScriptRunner logging