Category Archives: Continuous Integration

SWAMP Plug-Ins Update

The SWAMP’s open source software and plug-ins for Eclipse and Jenkins were updated recently. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) and open source software (https://continuousassurance.org/open-source-software/) can be found on our website.

Eclipse plug-in version 1.0.5:

  1. Fixed a bug that caused executable bits in file permissions not to be preserved in the uploaded archives
  2. Fixed a bug that caused results not to be displayed for tools that don’t have a bugGroup
  3. Enhanced to use the new platform names introduced in SWAMP version 1.31

Jenkins plug-in version 1.0.5:

  1. Enhanced to use the new platform names that were introduced in SWAMP version 1.31
  2. Enhanced assessment status reporting on the console
  3. Fixed a bug that was causing intermittent logouts from SWAMP

Java-cli version 1.3.1:

  1. Added documentation and javadoc for SwampApiWrapper
  2. Added a --quiet mode for each sub-command
  3. UUID is now printed as the first segment in the output; this should make automation easier.
  4. Renamed the --XXX-name options of the various sub-commands to --name
  5. The undocumented 1.2 version was deprecated.

SWAMP Plug-Ins for Eclipse, Git/SVN, Jenkins

Make sure you are taking advantage of everything the SWAMP has to offer! The SWAMP has created a variety of plug-ins to integrate into the software development lifecycle and to support continuous integration. The SWAMP’s plug-ins are open-source and can connect to the SWAMP site or to your own SWAMP-in-a-Box. Find them here: https://continuousassurance.org/plug-ins/.

  • Eclipse: The Eclipse plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and view the results within the Eclipse Integrated Development Environment (IDE).
  • Git and Subversion: This script is a Git and Subversion hook. Any commit or push of a new version uploads that version of the code to the SWAMP. Results are viewable from the SWAMP website.
  • Jenkins: The Jenkins plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Results and trend data can be viewed on the SWAMP website or directly in Jenkins.
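The commit-driven workflow in the Git and Subversion bullet above, shown as an added example that is not the SWAMP project’s own hook script: a Git post-commit hook that exports exactly the committed tree (git archive keeps the executable bits that the Eclipse fix above was about) and hands the archive to an uploader. The uploader command swamp_upload, the [skip-assurance] commit-message marker and the archive naming are assumptions for illustration; substitute your real client (for example the SWAMP java-cli) and its options.

```shell
#!/bin/sh
# Added example (not the SWAMP project's hook): Git post-commit hook that
# packages the committed revision and passes it to an uploader.
# "swamp_upload" is a placeholder for your real client; the name and the
# "[skip-assurance]" marker are assumptions, not part of the SWAMP tooling.
set -eu

# Export the tree at $2 of the repository at $1 into directory $3.
# Prints the path of the archive. git archive writes the tree object, so
# uncommitted working-tree edits never reach the assessment, and file
# modes (0755 vs 0644) are taken from the commit.
package_revision() {
    repo=$1; rev=$2; outdir=$3
    sha=$(git -C "$repo" rev-parse --verify "$rev^{commit}")
    name=$(basename "$(git -C "$repo" rev-parse --show-toplevel)")
    archive="$outdir/$name-$sha.tar"
    git -C "$repo" archive --format=tar --prefix="$name-$sha/" -o "$archive" "$sha"
    echo "$archive"
}

# Return 0 when the commit message of $2 in repo $1 opts out of assessment.
should_skip() {
    git -C "$1" log -1 --format=%B "$2" | grep -q '\[skip-assurance\]'
}

main() {
    repo=$(git rev-parse --show-toplevel)
    if should_skip "$repo" HEAD; then
        echo "post-commit: [skip-assurance] set, not uploading HEAD" >&2
        return 0
    fi
    outdir=$(mktemp -d)
    archive=$(package_revision "$repo" HEAD "$outdir")
    # Placeholder uploader. A failed upload is reported but does not undo
    # the commit; a post-commit hook cannot reject it anyway.
    swamp_upload "$archive" || echo "post-commit: upload of $archive failed" >&2
    rm -rf "$outdir"
}

# Run only when installed as .git/hooks/post-commit, not when sourced.
case "$0" in */post-commit) main ;; esac
```

Install the script as .git/hooks/post-commit and make it executable. A Subversion equivalent would export the committed revision with svn export inside a post-commit hook instead of git archive. Exporting the commit object rather than the working directory is what makes the uploaded version reproducible from the SWAMP results: the archive name carries the commit hash, so a finding can be mapped back to the exact revision that was assessed.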

SWAMP is at OSCON 2017!

If you are in Austin, TX this week for OSCON 2017, the SWAMP Team wants to see you! If you still need to register for the conference, use our discount code, SWAMP25, to save 25% on your admission.

Visit the Software Assurance Marketplace in Booth #518 on May 10th and 11th! We will be demoing our new plug-ins along with the newest features in SWAMP-in-a-Box.

Several SWAMP team members will also be giving presentations during the conference:

Read more about the SWAMP’s activities here.


SWAMP Integrates Assurance Tools into the Software Continuous Lifecycle

FOR IMMEDIATE RELEASE:
May 2, 2017

SWAMP integrates assurance tools into the software continuous lifecycle

Moves mark a major step toward the SWAMP’s vision of continuous assurance

AUSTIN, TX–(Marketwired – May 02, 2017) – OSCON 2017 – The Software Assurance Marketplace (SWAMP) is partnering with major continuous integration systems used by software developers to make software assurance a simple and intuitive element of the development process.

The SWAMP offers a suite of plug-in modules that operate within many of the leading development lifecycle tools relied upon by code developers. Those include integrated development environments (IDEs) such as Eclipse; source code repositories such as GitHub and Subversion; and continuous integration systems such as Jenkins and Travis CI.

These environments, repositories and systems are dramatically improving software developers’ ability to manage workflow through the complex steps of designing, editing, testing and deployment. Given the increased awareness of the importance of developing safe and secure software, incorporating security tools into the continuous software process will make integration that much more efficient for developers.

“We want to ensure that someone going through the continuous integration process can take the extra step of software assurance, and just make it a natural part of the flow,” says Barton Miller, chief scientist of the SWAMP and professor of computer science at the University of Wisconsin-Madison.

“The goal is to fix security issues as soon as possible in the development cycle,” Miller adds. “Every security weakness fixed at the developer’s desktop has a trivial cost, but those same errors could cost millions to fix after release.”

With the push of a button, users of integrated development environments (IDEs) can start the testing process by having their code automatically packaged and sent to the SWAMP. The code is analyzed by the multiple assurance tools hosted in the SWAMP, and the results are fed back into the IDE in a readable format, with flaws prioritized by severity.

Users with higher security thresholds can also run SWAMP analysis entirely in-house. Called “SWAMP-in-a-Box” (SiB), this free, self-contained version of continuous assurance capabilities can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premise.

The SWAMP employs federated identity management protocols, so users will not need distinct login credentials for using the SWAMP plugins.

To access the free SWAMP plugins, visit: https://continuousassurance.org/plug-ins/.

“Between the source code repositories, the IDEs and the integration frameworks, we have tried to cover the entire spectrum of software development,” says Miller. “There are almost no real-world projects that don’t use one or more of these systems.”

“This new suite of plugins is a major step in translating the continuous assurance vision of the SWAMP into accessible and easy-to-deploy technologies,” says SWAMP Director Miron Livny, UW-Madison computer scientist and director of core computational technology for the Morgridge Institute for Research.

Miller and colleague Dr. Elisa Heymann will present a tutorial — “Secure Coding Practices and Automated Assessment Tools” — on Monday, May 8 from 9 a.m. – 1:30 p.m. at the O’Reilly OSCON 2017 conference in Austin. For more information, visit: https://conferences.oreilly.com/oscon/oscon-tx/public/schedule/speakers.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions — the Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison — to advance the capabilities and increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to 30 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high-throughput computing capacity.

For more information, visit continuousassurance.org.

###

Contact:
Barton Miller
608-263-3378
bart@cs.wisc.edu


From Continuous Integration to Continuous Assurance

The SWAMP team at the University of Wisconsin-Madison’s Computer Sciences department released a new whitepaper titled “From Continuous Integration to Continuous Assurance.” The paper describes how the SWAMP can be integrated into the continuous assurance workflow, including integrated development environments, source code management systems, and continuous integration systems. Read the full document here.

Citation information for the white paper is below.

MLA: Kupsch, James A., Miller, Barton P., Basupalli, Vamshi, and Burger, Josef. “From Continuous Integration to Continuous Assurance.” Continuous Software Assurance Marketplace, 13 Apr. 2017. Web. <https://www.swampinabox.org/doc/SWAMP-WP005-DevProcess.pdf>.

APA: Kupsch, J.A., Miller, B.P., Basupalli, V., & Burger, J. (2017, April 13). From Continuous Integration to Continuous Assurance [PDF file]. Continuous Software Assurance Marketplace. Retrieved from https://www.swampinabox.org/doc/SWAMP-WP005-DevProcess.pdf
