Category Archives: mir-swamp.org

Updates to BugInjector Test Cases in SWAMP

Updates to the BugInjector test cases are now available in the SWAMP! Visit mir-swamp.org, click on the Resources tab, and click on the Packages link for a list of publicly available packages for testing. There are 11 BugInjector packages for C/C++, each containing hundreds of different versions with injected CWEs, or known weaknesses. After selecting a package version containing a CWE of interest, run an assessment of the chosen “bug injected” software using one or more software assurance tools in the SWAMP.

For more information about BugInjector, view the press release.

 

SWAMP Maintenance: Tuesday, June 11, 2019 10am-2pm Central

SWAMP Maintenance Notification:

Tomorrow, Tues. June 11th, between 10:00 AM and 2:00 PM Central Time, the SWAMP website (mir-swamp.org) will experience a brief outage for routine maintenance. During this outage, updates to the SWAMP will be occurring, including general enhancements, bug fixes, and performance improvements.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Update 1.34.3

The following SWAMP updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.3 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • A new version of the PHPMD tool for scripting languages (PHP) is available: version 2.6.0-swamp. This version includes a custom patch for a bug in the tool that prevents assessment of some packages.
  • A new version of the Flow tool for scripting languages (JavaScript) is available: version 0.98.0.
  • A new version of the SpotBugs tool for Java is available: version 3.1.12.
  • A new version of the error-prone tool for Java is available: version 2.3.1.
  • A new version of the checkstyle tool for Java is available: version 8.20.
  • We have improved the performance of the proxy used to connect to Code Dx web servers in viewer VMs.

Let us know if you have any questions at support@continuousassurance.org.

Secure Your Software with SWAMP


What’s hiding in your code?

Discover bad coding practices, bugs, weaknesses, and vulnerabilities by scanning your own software, or software that you’d like to use, in the SWAMP. There are two ways to use the SWAMP: through the ready-to-use cloud computing platform at mir-swamp.org or by downloading the SWAMP-in-a-Box (SiB) open-source distribution. SWAMP also has a Java command line interface, a GitHub webhook, and plugins for Java, Eclipse, and Git/SVN.

Use the SWAMP in 3 simple steps:

1) Upload a package.
2) Run assessments.
3) View results.

SWAMP Update 1.34.2

The following SWAMP updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.2 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • Improvements to the SWAMP’s Native Results Viewer.
    • The weaknesses shown can now be filtered by bug type.
    • The locations of weaknesses within the affected code files are shown. Specifically, each weakness listed provides a link to a page showing the code file in which that weakness is located with the specific line of code flagged. Additionally, the Native Viewer has a tree view of the files and directories included in the package archive and provides a count of weaknesses per file and a code view of files with all weaknesses flagged.
  • General enhancements and bug fixes for SWAMP-in-a-Box.
    • SWAMP-in-a-Box user sign-in works when using an Active Directory server with multiple, hierarchical DNs (distinguished names).
    • SWAMP-in-a-Box assessments run for users where the user_uid includes an “@” character, which happens when SWAMP-in-a-Box uses an LDAP/AD server for user authentication and the SWAMP User ID maps to an LDAP/AD attribute that has values containing an “@”.
    • You can now specify when the SWAMP layout cookie expires in number of days. Use an integer value for cookie.expires in the web front end configuration file (/var/www/html/config/config.json).
    • The SWAMP-in-a-Box web server no longer includes access-control related headers in responses if the APP_CORS_URL is the same as APP_URL in the .env configuration file (/var/www/swamp-web-server/.env).
    • The upgrade script has been updated to prevent problems with a SWAMP-in-a-Box install not including tool metadata records.
    • When creating an assessment, platforms can now be selected for individual tools.

Let us know if you have any questions at support@continuousassurance.org.
