Author Archives: tormwill

DevOpsDays Baltimore – SWAMP Discount

If you are going to be in Baltimore, MD on March 21-22 for DevOpsDays Baltimore, stop by to see the SWAMP team! When registering for the conference, use the SWAMP’s discount code SWAMPFRIENDS to save 10% on your registration. The SWAMP team will be providing demos and answering questions about the SWAMP’s open source software, including SWAMP-in-a-Box and SWAMP plug-ins for Eclipse, Jenkins, and Git/Subversion.

Register for DevOpsDays here.

SWAMP Plug-Ins Update

The SWAMP’s open source software and plug-ins for Eclipse and Jenkins were updated recently. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) and open source software (https://continuousassurance.org/open-source-software/) can be found on our website.

Eclipse plug-in version 1.0.5:

  1. Fixed a bug that caused executable bits in file permissions not to be preserved in the uploaded archives
  2. Fixed a bug that caused results not to be displayed for tools whose results have no bugGroup
  3. Enhanced to use the new platform names that were introduced in SWAMP version 1.31

Jenkins plug-in version 1.0.5:

  1. Enhanced to use the new platform names that were introduced in SWAMP version 1.31
  2. Enhanced assessment status reporting on the console
  3. Fixed a bug that was causing intermittent logouts from SWAMP

Java-cli version 1.3.1:

  1. Added documentation and javadoc for SwampApiWrapper
  2. Added a --quiet mode for each sub-command
  3. UUID is now printed as the first segment in the output; this should make automation easier.
  4. Changed the --XXX-name options of the various sub-commands; they are now all named --name
  5. The undocumented 1.2 version was deprecated.

SWAMP Plug-Ins for Eclipse, Git/SVN, Jenkins

Make sure you are taking advantage of everything the SWAMP has to offer! The SWAMP has created a variety of plug-ins to integrate into the software development lifecycle and to support continuous integration. The SWAMP’s plug-ins are open-source and can connect to the SWAMP site or to your own SWAMP-in-a-Box. Find them here: https://continuousassurance.org/plug-ins/.

  • Eclipse: The Eclipse plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and view the results within the Eclipse Integrated Development Environment (IDE).
  • Git and Subversion: This script is a Git and Subversion hook. Any commit or push of a new version uploads that version of the code to the SWAMP for assessment. Results are viewable on the SWAMP website.
  • Jenkins: The Jenkins plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Results and trend data can be viewed on the SWAMP website or directly in Jenkins.

Tips for Using the SWAMP

Make sure you are taking advantage of everything the SWAMP has to offer! The Software Assurance Marketplace provides a large variety of static analysis tools and an integrated results viewer designed to highlight weaknesses and vulnerabilities in software. Use the SWAMP to check both the code you write and the code you intend to adopt for known weakness classes before you ship or depend on it; static analysis cannot prove code secure, but it catches many defects early and cheaply.

  • Packages: The packages page allows you to upload files containing your code or link to a code repository to be assessed. The SWAMP will walk you through providing information to build the software. The SWAMP supports a variety of programming languages.
  • Assessments: The assessments page is where you set up an assessment to evaluate your software. Choose a software package, one or more static analysis tools, and a platform. Assessments can be run on a scheduled basis to periodically check your code to make sure that it remains secure.
  • Results: The results page allows you to view the results of an assessment run on a software package using one or more tools on a particular platform. By choosing the Code Dx results viewer, you can view the output from several assessments on the same software package and compare the results found by the different tools.
  • Runs: The runs page shows all of your recurring or scheduled assessment runs. Make sure your software is continuously assured by maintaining scheduled runs.
  • Projects: Projects allow you to collaborate with other SWAMP users. Create a new project and invite others to join. Share a package with a project so others can view the software and assessment results.

SWAMP Contributes to Standard Results Format

The SWAMP is now a participating member of the OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee! The first meeting was held on Wednesday, September 6, 2017. With the help of the SWAMP, the committee will define a standard output format for static analysis tools, otherwise known as SARIF. A standard output would make it “feasible for developers and teams to view, understand, interact with, and manage the results produced by all the tools that they use.” SARIF will support the aggregation of results from a variety of static analysis tools, similar to the way that the SWAMP uses SCARF (SWAMP Common Assessment Result Format) with results viewers today, which allows developers to form an overall picture of program quality and quickly detect problems. This collaboration is another step towards lowering the barriers for software assurance and secure coding. Learn more about SARIF by visiting https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
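The aggregation the paragraph describes, as an added example that is not part of the original post or of the SWAMP's or the SARIF TC's code: two constructed SARIF logs, one per hypothetical tool (ToolA and ToolB, along with their rule IDs, file paths and messages, are made up here), are flattened and grouped by file and line, so that a site flagged by more than one tool stands out. The example assumes the SARIF 2.1.0 object layout (runs[].tool.driver.name, runs[].results[].ruleId/level/message/locations), which the committee standardized after this post was written.

```python
"""Merge SARIF logs from several static analysis tools and group findings by site.

Added example (not SWAMP or OASIS code). Assumes the SARIF 2.1.0 object layout;
tool names, rule IDs, file paths and messages below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample log, as a hypothetical "ToolA" might emit it.
TOOL_A_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ToolA", "version": "1.0"}},
        "results": [
            {"ruleId": "CWE-78", "level": "error",
             "message": {"text": "command injection via user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/run.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-120", "level": "warning",
             "message": {"text": "unbounded strcpy"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/buf.c"},
                 "region": {"startLine": 10}}}]},
        ],
    }],
})

# Constructed sample log from a hypothetical "ToolB": it flags the same site as
# ToolA under its own rule name, plus one result with no location and no level.
TOOL_B_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ToolB", "version": "2.3"}},
        "results": [
            {"ruleId": "OS Command Injection", "level": "error",
             "message": {"text": "tainted data reaches system()"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/run.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "INFO-1",
             "message": {"text": "build used no hardening flags"}},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten one SARIF log into a record per (result, location) pair."""
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            base = {
                "tool": tool,
                "rule": result.get("ruleId", "<no rule>"),
                # SARIF treats a missing level as "warning" unless the rule says otherwise.
                "level": result.get("level", "warning"),
                "message": result.get("message", {}).get("text", ""),
            }
            # A result may carry zero locations; keep it under a placeholder site
            # rather than silently dropping it.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<no file>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append(dict(base, file=uri, line=line))
    return findings


def aggregate(*sarif_texts):
    """Group findings from any number of SARIF logs by (file, line)."""
    by_site = defaultdict(list)
    for text in sarif_texts:
        for finding in load_findings(text):
            by_site[(finding["file"], finding["line"])].append(finding)
    return dict(by_site)


def corroborated(by_site):
    """Sites reported by more than one tool, most-corroborated first."""
    rows = []
    for (path, line), findings in by_site.items():
        tools = sorted({f["tool"] for f in findings})
        if len(tools) > 1:
            rows.append((path, line, tools, sorted({f["rule"] for f in findings})))
    rows.sort(key=lambda r: (-len(r[2]), r[0], r[1]))
    return rows


if __name__ == "__main__":
    sites = aggregate(TOOL_A_SARIF, TOOL_B_SARIF)
    for path, line, tools, rules in corroborated(sites):
        print(f"{path}:{line} flagged by {', '.join(tools)} as {', '.join(rules)}")
```

Grouping by site rather than by rule name is deliberate: each tool names the same weakness differently, so the location is the only key two tools reliably share, and a site that several tools agree on is usually the one to triage first.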

Spread the Word about SWAMP!

Lines of code give life to modern technologies. As technology continues to evolve and is used by millions of people, it is increasingly important to code securely. It only takes one line of faulty code to cause widespread disruption. Luckily, the Software Assurance Marketplace is here to help. As a free-to-use, open source resource, the SWAMP lets users check their code for weaknesses and vulnerabilities before it is shipped or adopted.

SWAMP users from Germany, the UK, Paraguay, India, Canada, Italy, the Netherlands, and many other countries are committed to the safety, security, and stability of software around the world. Join them in the fight for secure code! Spread the word about the SWAMP to help us promote software assurance! Learn more, call others to action, and leave comments across our social media platforms!