
Transition of SWAMP Software


Dear Continuous Assurance Community,

We are reaching out to inform you that the SWAMP project, which has been funded by the Science and Technology Directorate of the Department of Homeland Security, has ended as of 05/31/2020. This marks a significant time of transition in our ongoing commitment to advancing and promoting the methodologies of continuous software assurance. We appreciate all the support we have received throughout the eight years of the project from the software development community, our user base and our collaborators. Despite the end of the project, we remain committed to supporting, with our platform, the educational community in teaching and training continuous software assurance techniques and practices.

Over the next few weeks, we will be working on transitioning the facility to a future, sustainable model. As a part of this, we will be working on providing a new hosted service for the educational community. We will keep the continuous assurance platform on our GitHub organization, ensuring the downloads of Software Assurance-in-a-Box (SiB, formerly SWAMP-in-a-Box) and plugin functionality, and looking at providing hosted SiB instances on request. For users of the facility at mir-swamp.org, we will keep your data available for download until August 25, 2020. Afterward, we will start the process of shutting down the mir-swamp endpoint and removing any account data. Please contact us at support@continuousassurance.org if you need assistance in this process.

Again, we want to thank you for all the support and connections we made throughout the years in the software development community. Please do not hesitate to reach out to us with any questions you may have. We look forward to staying connected with you.

Sincerely,

The SiB Team

SWAMP UPDATE 1.35


The following updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.35 files can be obtained from the download server or from GitHub.

This will be the last major, new development release until further notice.

Noteworthy changes include:

  • We have improved the Error Report available for assessments that finish with errors. Additionally, the Error Report now includes a link to the new help document, “SWAMP Output and Debugging” (formerly known as “Status.out and Debugging SWAMP Failures”). This document is also available from the Help page in both PDF and HTML formats.
  • SWAMP now indicates when an assessment is successful but one or more of the code files for a C/C++ or Java No Build package cannot be compiled and assessed.
  • SWAMP now warns when an assessment appears successful but there were no applicable code files to assess.
  • New VM master images are available for the Debian (7.11 and 8.11) platforms. These images include a fix that allows packages with specified OS dependencies to download those dependencies prior to build and assessment.
  • The version of OWASP Dependency Check previously available in SWAMP is no longer supported and has been removed from the SWAMP list of tools.
    • Note: Because OWASP Dependency Check was the only SWAMP tool available to assess Android .apk packages, the Android .apk package type has been disabled.
  • General enhancements and bug fixes

Changes specific to SWAMP-in-a-Box include:

  • Docker Containers can now be used instead of (or in addition to) Virtual Machine (VM) images for running assessments.
  • SWAMP-in-a-Box can itself run in a Virtual Machine environment (such as AWS) without the need to have nested virtualization enabled by using Docker containers in place of VMs.
    • Note: Use of the Code Dx result viewer with SWAMP-in-a-Box still requires a Virtual Machine and therefore nested virtualization.
  • SWAMP-in-a-Box is no longer initially deployed with any assessment platforms. Adding at least one platform is now an additional required step.
  • Supported VM platforms previously installed with or added to SWAMP-in-a-Box installations will still be available after an upgrade to SWAMP-in-a-Box 1.35. However, depending on what version of SWAMP-in-a-Box you are upgrading from, it is possible that your SWAMP-in-a-Box will not have any platforms available after upgrading to 1.35. Please refer to the SWAMP-in-a-Box Administrator Manual for information about adding platforms. VM or Docker images for platforms can be downloaded from here.
  • SWAMP-in-a-Box now requires that the .war file for Code Dx be embedded in the VM master images used for Code Dx viewers. This improves the time it takes to initially run a viewer VM and start Code Dx for a given SWAMP project. If you have added Code Dx as a viewer for a SWAMP-in-a-Box installation, you will need to download a new viewer VM master image that corresponds with your version of Code Dx and then re-add Code Dx as a SWAMP-in-a-Box add-on. VM master images for use with Code Dx can be downloaded from our download server. Please refer to the SWAMP-in-a-Box Administrator Manual for information on adding Code Dx to a SWAMP-in-a-Box.
  • If you have added OWASP Dependency Check as an add-on tool for SWAMP-in-a-Box it will be removed when you upgrade to SWAMP-in-a-Box 1.35.

Let us know if you have any questions at support@continuousassurance.org

SWAMP UPDATE 1.34.6


The following updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.6 files can be obtained from the download server or from GitHub.

Noteworthy changes include:

  • We have made significant updates to third-party sign-up and sign-in. These allow Google sign-in to work after the Google+ API was deprecated.
  • Python 3 is now the default language version for Python packages
  • Improvements for archiving downloaded packages from external URLs
  • A new version of Flow (version 0.112.0) is available for assessing web scripting packages that contain JavaScript. This version replaces all other versions.
  • A new version of Retire.js (version 2.0.3) is available for assessing web scripting packages that contain JavaScript. This version replaces all previous versions.
  • The SWAMP web API now returns more specific response codes for successful responses (response codes in the 200-299 range). Newer versions of the SWAMP plugins support the expanded response codes. New versions of the plugins can be found on our GitHub organization’s page.
  • We have updated assessment platform images and dependencies on those platforms.
  • We have discontinued support for Fedora 18, 19, and 20 assessment platforms
  • We have updated backend frameworks to include upgrading to Laravel 7.2
  • General enhancements and bug fixes

Changes specific to SWAMP-in-a-Box include:

  • A new version of Retire.js (version 2.0.3) is available for assessing web scripting packages that contain JavaScript. This version replaces all previous versions. Retire.js requires an internet connection to download the latest information about potential weaknesses. If you have configured a SWAMP-in-a-Box to run without an internet connection, you will need to create a new, custom version of Retire.js v2.0.3 to run without internet access. Please refer to the SWAMP-in-a-Box Administrator Manual, section 4.3.
  • We have updated assessment platform images and dependencies on those platforms. For SWAMP-in-a-Box installations, the new Ubuntu 16.04 platform will be deployed with an upgrade to v1.34.6. For other new platforms, you can download the new images and add them to your SWAMP-in-a-Box instance. Please refer to the SWAMP-in-a-Box Administrator Manual for instructions.
  • A new Android Ubuntu 12.04 platform is available for download. This image includes the Android SDK from late 2019. The image requires significant storage due to the Android SDK: the compressed image is approximately 76 GB and the uncompressed image is approximately 150 GB. Please refer to the SWAMP-in-a-Box Administrator Manual prior to downloading. You can download the Android Ubuntu platform from our download server.
  • We have discontinued support for the Fedora 18, 19, and 20 assessment platforms. If you have any of these platforms installed as add-ons, they will be removed when you upgrade to v1.34.6.

SWAMP-in-a-Box Update: Developer’s Preview Release v1.35

The SWAMP-in-a-Box developer’s preview release v1.35 is now available! Noteworthy updates in this version include:

  • Ability to run assessments in an Ubuntu 16.04 Docker container
  • Ability to install SWAMP-in-a-Box on AWS (Amazon Web Services) and run assessments in Docker

Let us know if you have any questions at support@continuousassurance.org.

Note: A v1.35 stable release will follow later this Spring.