Hosted .NET Packages for Testing on MIR-SWAMP

Posted on by Leave a comment

The Software Assurance Marketplace now hosts a curated collection of .NET software packages for testing on mir-swamp.org. These packages can be viewed under Resources > Packages > filter on the .NET package type. Log in to your SWAMP account to run assessments of these packages with the .NET tools currently supported in the SWAMP.

SWAMP Packages page showing filtered .NET package types

SWAMP-in-a-Box Update 1.34.1

Posted on by Leave a comment

SWAMP-in-a-Box version 1.34.1 is now available! The latest files can be obtained from the SWAMP-in-a-Box download server now or found on GitHub in the next few days.

Noteworthy changes include:New

  • SWAMP-in-a-Box now supports Code Dx version 3.5.5 to view results. You must obtain Code Dx separately from Code Dx, Inc. Please refer to the SWAMP-in-a-Box Administrator Manual for details on how to install Code Dx as an additional results viewer. If you have added Code Dx 2.8.3 to an existing SWAMP-in-a-Box installation, adding Code Dx 3.5.5 will automatically replace the older version with Code Dx 3.5.5.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP-in-a-Box Update 1.34

Posted on by Leave a comment

SWAMP-in-a-Box version 1.34 is now available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • SWAMP-in-a-Box now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess. Python 3.4 is now installed as an OS dependency for SWAMP-in-a-Box; this is required for the analysis of uploaded .NET packages to determine which .NET projects can be assessed on a Linux platform.
  • We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1. These tools are automatically deployed on SWAMP-in-a-Box.
  • GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. Users can edit package information to get the Payload URL and set the Secret Token needed to configure a GitHub Webhook to the SWAMP.
  • A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
  • Assessments of Android Java Source and Android .APK packages can be enabled in SWAMP-in-a-Box. To do so, download and install as an add-on the Android Ubuntu platform image. (It is quite large.) When that platform is added, the Android Java Source and Android .APK package types are enabled. Android specific tools are installed with SWAMP-in-a-Box 1.34, but they cannot be used for assessments until the Android Ubuntu platform is added.
  • SWAMP packages can now be generated via an External URL that points to a downloadable archive.
  • For users who are in multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project when adding new assessments.
  • HTCondor is now configured to preempt an assessment or metric run to create a slot for a Code Dx viewer run when all slots are in use.
  • An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.34.
  • The platform image files for all SWAMP platforms have been updated to provide a workaround for a bug in guestfish version 1.38 (https://bugzilla.redhat.com/show_bug.cgi?id=1661038). SWAMP 1.34 is required to run VMs with the new platforms, which have a date in the filename of 2019 or later. SWAMP 1.34 is compatible with pre-2019 versions of platforms; however, pre-2019 platforms will not currently work with guestfish 1.38 (which is distributed with the latest CentOS 7). If you are running a SWAMP-in-a-Box in CentOS 7, you should upgrade to SWAMP-in-a-Box 1.34 and upgrade any additional platforms you have installed as add-ons.
  • There is now a script available to restore a database backup (made as part of the SWAMP-in-a-Box upgrade process). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • You can now configure SWAMP-in-a-Box to display a custom welcome message on the home page (not signed-in). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • We updated the SWAMP configuration for all available versions of the Flake8 assessment tool. This allows Flake8 to be configured in a SWAMP-in-a-Box environment. Specifically, parameters can be set in the services.conf file for the SWAMP to enable checks, disable checks, and set the max-line-length for line length checks.
  • We changed the way the web front-end for SWAMP-in-a-Box identifies the corresponding web server. Specifically, the web server configured in /var/www/html/config/config.json is now a relative path instead of an absolute URL. This change affects the way the Java CLI and related SWAMP plugins connect to a SWAMP-in-a-Box API. SWAMP plugins have been updated to accommodate this change. SWAMP-in-a-Box 1.34 will only work with the following versions: Java CLI version 1.5.2 or higher; SWAMP Eclipse Plugin version 1.1.2 or higher; SWAMP Jenkins Plugin version 1.2.1 or higher.
  • The SWAMP discontinued support for the Ubuntu 10.04 assessment platform. If this platform was installed as an add-on, it will be removed when upgrading to SWAMP-in-a-Box 1.34.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

Updates on mir-swamp.org

Posted on by Leave a comment

The following updates are now available in the SWAMP at mir-swamp.org! New

  • The SWAMP now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess.
  • We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1.
  • GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. Users can edit package information to get the Payload URL and set the Secret Token needed to configure a GitHub Webhook to the SWAMP.
  • A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
  • SWAMP packages can now be generated via an External URL that points to a downloadable archive.
  • When a new SWAMP user account is created, a default project called “MyProject” is created automatically. “MyProject” is now viewable in the SWAMP user interface. Users are not able to edit or invite additional members to their “MyProject” projects. All packages users upload to the SWAMP are automatically shared with their “MyProject” project.
  • For users who are owners or members of multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project to use when adding new assessments.
  • The Build Script for a package version is now displayed on a separate pop-up, accessed by clicking the Show Build Script button. This applies to the Build page for adding new packages, adding a new package version to existing packages, and viewing and editing an existing package version.
  • When adding a package or package version for C/C++ or Java Source Code without a build system, users can now specify a “build path” (relative to the package path) that specifies the (non-recursive) directory containing the compilable files to assess. SWAMP now does a better job of informing users about the files that are selected to compile and assess.
  • SWAMP now does a better job of informing users about the files that are selected to assess for Ruby, Python, and Web Scripting packages with a build system of “none.”
  • The SWAMP Native Results Viewer now correctly displays the primary bug location instead of the first bug located for weaknesses reported by tools that include multiple bug locations.
  • The SWAMP discontinued support for the Ubuntu 10.04 assessment platform.
  • SWAMP-in-a-Box v1.34 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

GrammaTech Adds Real World Benchmarks to SWAMP

Posted on by Leave a comment

FOR IMMEDIATE RELEASE:
January 31, 2019

GrammaTech Adds Real World Benchmarks to SWAMP

MADISON, WI – (January 31, 2019) – Software development and quality managers that are looking to measure the benefit of static analysis now have a platform to do just that. GrammaTech, under contract for the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), has created independent real-world benchmarks that are now available in the Software Assurance Marketplace (SWAMP).

Several different synthetic benchmarks exist that can be used to measure how well static analysis tools perform in detecting bugs. However, many of these have limitations with the code paths typically being too simple. GrammaTech, under contract for DHS S&T, has created BugInjector, a tool that can inject Common Weakness Enumeration (CWE) based bug patterns into existing code bases, thus delivering real-world benchmarks. The BugInjector tool is available directly from GrammaTech to inject bugs into private code bases for training purposes. Additionally, four different real-world code bases (nginx, grep, sqlite, lighttpd) have been injected with bugs and are available through the Software Assurance Marketplace, enabling users to easily benchmark how well their static analysis tools are able to find these bugs in realistic code paths.

“There is an urgent need for benchmarks, such as those from GrammaTech, to allow software developers to evaluate static analysis tools in a comprehensive and real-world setting,” says Barton Miller, Professor of Computer Sciences at the University of Wisconsin – Madison and Chief Scientist of SWAMP. “Also, developers of static analysis tools now have the ability to enhance their tools or benchmark new static analysis technologies with realistic test cases. Integrating these benchmarks into the SWAMP platform increases their effectiveness and availability.”

“GrammaTech CodeSonar® has always focused on highest recall,” says Paul Anderson, VP of Engineering at GrammaTech, Inc. “Many tools claim that they can catch a particular CWE, but there has never been a way to measure how well tools perform if this CWE is hidden deep inside a code path. BugInjector provides an automated way to objectively measure static analysis tool recall; interested parties can now evaluate CodeSonar®’s market leading recall against other tools easily.”

The Software Assurance Marketplace’s static analysis capabilities are available for use in the cloud or on-premise at no cost. Interested parties can sign up to use the SWAMP at mir-swamp.org and find the BugInjector test cases on the Resources page under Packages. After selecting a package and version containing a CWE of interest, users can run an assessment of the chosen “bug injected” software using one or more software assurance tools. GrammaTech CodeSonar® is one of the commercial tools that is integrated into the SWAMP, along with many other open source static analysis tools. Users can also download BugInjector test cases to run against tools they are developing.

ABOUT GRAMMATECH

GrammaTech’s advanced static analysis tools are used by software developers worldwide, spanning a myriad of embedded software industries including avionics, government, medical, military, industrial control, and other applications where reliability and security are paramount. Originally developed within Cornell University, GrammaTech is now a leading research center for software security and a commercial vendor of software-assurance tools and advanced cyber-security solutions. With both static and dynamic analysis tools that analyze source code as well as binary executables, GrammaTech continues to advance the science of superior software analysis, providing technology for developers to produce safer software. For more information, visit www.grammatech.com or follow us on LinkedIn.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 500 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit https://continuousassurance.org.

###

https://www.prnewswire.com/news-releases/grammatech-adds-real-world-benchmarks-to-swamp-300787603.html
http://news.grammatech.com/grammatech-adds-real-world-benchmarks-to-swamp

« Older Entries Recent Entries »