The following updates are now available at mir-swamp.org!
- The Code Dx assessment result viewer has been updated to version 2.8.3. When viewing existing results, Code Dx will prompt to upgrade existing Code Dx data.
- Sonatype Application Health Check is now available for assessing Java packages. To use the tool, you must request permission and provide information, including your email; this information is sent to Sonatype. When running an Application Health Check assessment, the tool sends a snapshot of your package to Sonatype and provides summary information about components that may include weaknesses or licensing issues. When reviewing results, you will see the summary information and may request detailed information from Sonatype.
- CentOS 7 (64-bit) and Scientific Linux 7 (64-bit) assessment platforms are available for C/C++.
- The Parasoft C/C++test and Jtest assessment tools were updated to version 10.3.3.
- SWAMP users can download the SCARF .xml file from commercial tool assessments, provided the EULA for the tool has been accepted.
- SWAMP users can add a comma-separated list of paths to files or directories to exclude them from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
- The web user interface automatically sets the build system for Web Scripting packages (Composer and NPM) and Python (Build with Setup Tools) packages when it detects a build file.
- The web user interface was improved to better set the Configure and/or Build Path (relative to the Package Path) when it detects a build or configure file that is not directly in the Package Path.
- There is a script available on the SWAMP GitHub page that will package an active development directory into an archive suitable for uploading as a SWAMP package. Links to this script are provided on the Details page for uploading a new package and on the SWAMP Resources page.
- SWAMP-in-a-Box v1.33 is available.
- General enhancements and bug fixes.
Let us know if you have any questions at email@example.com.
Noteworthy changes include:
- SWAMP-in-a-Box administrators can now configure where the SWAMP web application’s backend stores its log entries. After installing or upgrading to SWAMP-in-a-Box version 1.33, the web application’s backend will create daily log files in /var/www/swamp-web-server/storage/logs. The web application’s backend can also be configured to make log entries in the system log, which is where they were made in previous versions of SWAMP-in-a-Box. Refer to the SWAMP-in-a-Box Reference Manual for details.
- CentOS and Scientific Linux 7 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. Any versions of GrammaTech CodeSonar and Synopsis Static Analysis (Coverity) that were previously installed will not work with these new platforms. Refer to the SWAMP-in-a-Box Administrator Manual for instructions on re-creating the SWAMP tool archives for these tools and adding them to the SWAMP.
- Updated versions of the CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. If a CentOS or Scientific Linux 6 platform was previously installed, download and install these new versions.
- Code Dx version 2.8.3, a viewer for analyzing the results from assessments, can now be added to a SWAMP-in-a-Box installation. You must obtain Code Dx separately from Code Dx, Inc.
- To support SWAMP-in-a-Box installations that do not have internet access, we have updated the tool archive for retire.js version 1.2.10 to include documentation and scripts for creating a version of the tool archive that bundles vulnerability data instead of downloading it from the internet for each assessment.
- SWAMP-in-a-Box no longer requires that the host be configured with a timezone of UTC, and the SWAMP-in-a-Box installer and upgrader no longer modifies the host’s timezone. All dates and times in the SWAMP web application are displayed in the web browser’s local time. All dates and times in log files are in the host’s local time. All dates and times stored with database records are converted to UTC.
- SWAMP-in-a-Box now includes a script for checking the health of the installation. Refer to the Troubleshooting section of the SWAMP-in-a-Box Administrator Manual for details.
- SWAMP users can now add a list of paths to files or directories to exclude from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
- General enhancements and bug fixes.
Let us know if you have any questions at firstname.lastname@example.org.
The SWAMP will be exhibiting at OSCON 2018, and we’d love to meet you in Portland, OR! Next Friday, April 20th, is the last day to get the “Best Price” on conference passes. Use our discount code, SWAMP25, to save 25% on your Gold, Sliver, or Bronze OSCON pass.
Dear SWAMP Users,
A MODERATE security vulnerability was discovered that affects the following versions (and earlier) of the SWAMP plug-ins and libraries on shared systems. Users who are not using any of the following plug-ins or libraries are not affected by this vulnerability.
- swamp-scms-plugin 1.3.4 and earlier
- swamp-eclipse-plugin 1.1.0 and earlier
- swamp-jenkins-plugin 1.1.1 and earlier
- java-cli 1.4.1 and earlier
WHAT IS THE VULNERABILITY
When a vulnerable version of the software is run on a host by a user, it is possible for an attacker with an account on the same host to impersonate the user’s SWAMP identity and gain access to their SWAMP account. For each successful attack, the attacker will be able to impersonate the user for a maximum time period of two days.
WHAT YOU SHOULD DO
SWAMP users using affected plugins and libraries are recommended to update to the most current versions as soon as possible if they have not done so already. The vulnerability is remediated in the following versions or later:
- swamp-scms-plugin 1.3.5
The latest version can be downloaded from https://github.com/mirswamp/swamp-scms-plugin/releases/tag/releases%2F1.3.5. Update instructions can found at https://github.com/mirswamp/swamp-scms-plugin.
- swamp-eclipse-plugin 1.1.1
The latest version can be downloaded and installed directly from within Eclipse. Update instructions can found at https://github.com/mirswamp/swamp-eclipse-plugin.
- swamp-jenkins-plugin 1.1.2
The latest version can be downloaded and installed directly from within Jenkins. Update instructions can found at https://github.com/mirswamp/swamp-jenkins-plugin.
- java-cli 1.4.2
The latest version of the .jar file and source code can be downloaded from https://github.com/mirswamp/java-cli/releases/releases%2F1.4.2.
Please contact SWAMP staff if you have any questions or concerns at email@example.com.