Transition of SWAMP Software

Dear Continuous Assurance Community,

We are reaching out to inform you that the SWAMP project, which has been funded by the Science and Technology Directorate of the Department of Homeland Security, has ended as of 05/31/2020. This marks a significant time of transition in our ongoing commitment to advancing and promoting the methodologies of continuous software assurance. We appreciate all the support we have received throughout the eight years of the project from the software development community, our user base and our collaborators. Despite the end of the project, we remain committed to supporting, with our platform, the educational community in teaching and training continuous software assurance techniques and practices.

Over the next few weeks, we will be working on transitioning the facility to a future, sustainable model. As a part of this, we will be working on providing a new hosted service for the educational community. We will keep the continuous assurance platform on our GitHub organization, ensuring the downloads of Software assurance-in-a-Box (SiB, formerly SWAMP-in-a-Box), plugins functionality, and looking at providing hosted SiB instances on request. For users of the facility at, we will keep your data available until August 25, 2020 for download. Afterward, we will start the process of shutting down the mir-swamp endpoint and removing any account data. Please contact us if you need assistance in this process at

Again, we want to thank you for all the support and connections we made throughout the years in the software development community. Please do not hesitate to reach out to us with any questions you may have. We look forward to staying connected with you.


The SiB Team


The following updates are now available for and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.35 files can be obtained from the download server or from GitHub.

This will be the last major, new development release until further notice.

Noteworthy changes include:

  • We have improved the Error Report available for assessments that finish with errors. Additionally, the Error Report now includes a link to the new help document, “SWAMP Output and Debugging” (formerly known as “Status.out and Debugging SWAMP Failures”). This document is also available from the Help page in both PDF and HTML formats.
  • SWAMP now indicates when an assessment is successful but one or more of the code files for a C/C++ or Java No Build package is not able to be compiled and assessed.
  • SWAMP now warns when an assessment appears successful but there were no applicable code files to assess.
  • New VM master images are available for the Debian (7.11 and 8.11) platforms. These images include a fix that allows packages with specified OS dependencies to download those dependencies prior to build and assessment.
  • The version of OWASP Dependency Check previously available in SWAMP is no longer supported and has been removed from the SWAMP list of tools.
    • Note: Because OWASP Dependency Check was the only SWAMP tool available to assess Android .apk packages, the Android .apk package type has been disabled.
  • General enhancements and bug fixes

Changes specific to SWAMP-in-a-Box include:

  • Docker Containers can now be used instead of (or in addition to) Virtual Machine (VM) images for running assessments.
  • SWAMP-in-a-Box can itself run in a Virtual Machine environment (such as AWS) without the need to have nested virtualization enabled by using Docker containers in place of VMs.
    • Note: Use of the Code Dx result viewer with SWAMP-in-a-Box still requires a Virtual Machine and therefore nested virtualization.
  • SWAMP-in-a-Box is no longer initially deployed with any assessment platforms. Adding at least one platform is now an additional required step.
  • Supported VM platforms previously installed with or added to SWAMP-in-a-Box installations will still be available after an upgrade to SWAMP-in-a-Box 1.35. However, depending on what version of SWAMP-in-a-Box you are upgrading from, it is possible that your SWAMP-in-a-Box will not have any platforms available after upgrading to 1.35. Please refer to the SWAMP-in-a-Box Administrator Manual for information about adding platforms. VM or Docker images for platforms can be downloaded from here.
  • SWAMP-in-a-Box now requires that the .war file for Code Dx be embedded in the VM master images used for Code Dx viewers. This improves the time it takes to initially run a viewer VM and start Code Dx for a given SWAMP project. If you have added Code Dx as a viewer for a SWAMP-in-a-Box installation, you will need to download a new viewer VM master image that corresponds with your version of Code Dx and then re-add Code Dx as a SWAMP-in-a-Box add-on. VM master images for use with Code Dx can be downloaded from our download server. Please refer to the SWAMP-in-a-Box Administrator Manual for information on adding Code Dx to a SWAMP-in-a-Box.
  • If you have added OWASP Dependency Check as an add-on tool for SWAMP-in-a-Box, it will be removed when you upgrade to SWAMP-in-a-Box 1.35.

Let us know if you have any questions at

SWAMP Update 1.34.5

The following SWAMP updates are now available for and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.5 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • A new version of the ESLint tool for assessing Web Scripting packages that contain JavaScript is available: version 6.4.0.
  • A new version of the PMD tool for assessing Java packages is available: version 6.14.0.
  • New versions of the Parasoft C/C++test and Jtest tools for assessing C/C++ and Java packages are available: version 10.4.2.
  • We have deprecated the RevealDroid tool for assessing Android .apk packages.
  • We have deprecated the ruby-lint tool for assessing Ruby packages.
  • We have deprecated the FindBugs tool for assessing Java packages. It is superseded by SpotBugs.
  • We have deprecated older versions of most tools.
  • The CentOS 7.4 and Scientific Linux 7.4 platforms now include updated dependencies and cmake3. The Ubuntu Linux 16.04 platform includes updated dependencies.
  • SWAMP’s Native results viewer now displays weaknesses on the List tab grouped by File. Weaknesses displayed on the List tab include links to open a new page displaying the code for a specific File at a specific Line number, with weaknesses flagged.
  • General enhancements and bug fixes.

Changes specific to SWAMP-in-a-Box include:

  • Support for SWAMP-in-a-Box on CentOS 6 will end with the 1.34.x release series. SWAMP-in-a-Box version 1.35 and later will not support CentOS 6.
  • The ‘make_swamp_tool’ and ‘install_tool’ utilities now support version 10.4.2 of both Parasoft C/C++test and Parasoft Jtest.
  • The deprecated RevealDroid, ruby-lint, and FindBugs tools will be automatically removed when upgrading to SWAMP-in-a-Box version 1.34.5.
  • We have deprecated older versions of all tools except error-prone (version 1.1.1 is still available for assessment of older Java packages). Most tools will now only have the latest version available. Older versions of tools installed with previous versions of SWAMP-in-a-Box will be removed as part of the upgrade to SWAMP-in-a-Box version 1.34.5. However, any custom add-on tools or tool versions added to a SWAMP-in-a-Box installation will not be changed by the upgrade.
  • An updated version of the Ubuntu Linux 16.04 platform is available and will be automatically installed with SWAMP-in-a-Box 1.34.5.
  • Updated versions of the CentOS 7.4 and Scientific 7.4 platforms are available. They can be downloaded and installed as an add-on to SWAMP-in-a-Box. Download from: Refer to the SWAMP-in-a-Box Administrator Manual for instructions on adding a Platform.
  • SWAMP-in-a-Box can now be configured to store user session data in the SWAMP database. When thus configured, SWAMP provides administrators with a means of filtering the Review Accounts page to show only users who are currently signed in. For new SWAMP-in-a-Box 1.34.5 installations this is the default configuration. Existing SWAMP-in-a-Box installations that are upgraded to 1.34.5 will still be configured to store session data either in cookies or in the web server file system. To change this configuration, set the ‘SESSION_DRIVER’ parameter equal to ‘database’ in ‘/var/www/swamp-web-server/.env’. Additional information is available in section 1.6 of the SWAMP-in-a-Box Reference Manual.
  • We upgraded the version of the Marionette framework used by the SWAMP web front end to Marionette version 4.1.2.

Let us know if you have any questions at

Updates to BugInjector Test Cases in SWAMP

Updates to the BugInjector test cases are now available in the SWAMP! Visit, click on the Resources tab, and click on the Packages link for a list of publicly available packages for testing. There are 11 BugInjector packages for C/C++, each containing hundreds of different versions with injected CWEs, or known weaknesses. After selecting a package version containing a CWE of interest, run an assessment of the chosen “bug injected” software using one or more software assurance tools in the SWAMP.

For more information about BugInjector, view the press release.


SWAMP Maintenance: Tuesday, June 11, 2019 10am-2pm Central

SWAMP Maintenance Notification:

Tomorrow, Tues. June 11th, between 10:00 AM and 2:00 PM Central Time, the SWAMP website will experience a brief outage for routine maintenance. During this outage, updates to the SWAMP will be occurring, including general enhancements, bug fixes, and performance improvements.

Let us know if you have any questions at

SWAMP Update 1.34.3

The following SWAMP updates are now available for and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.3 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • A new version of the PHPMD tool for scripting languages (PHP) is available: version 2.6.0-swamp. This version includes a custom patch for a bug in the tool that prevents assessment of some packages.
  • A new version of the Flow tool for scripting languages (JavaScript) is available: version 0.98.0.
  • A new version of the SpotBugs tool for Java is available: version 3.1.12.
  • A new version of the error-prone tool for Java is available: version 2.3.1.
  • A new version of the checkstyle tool for Java is available: version 8.20.
  • We have improved the performance of the proxy used to connect to Code Dx web servers in viewer VMs.

Let us know if you have any questions at

Secure Your Software with SWAMP

What’s hiding in your code?

Discover bad coding practices, bugs, weaknesses, and vulnerabilities by scanning your own software or software that you’d like to use in the SWAMP. There are two ways to use the SWAMP: the ready-to-use cloud computing platform at or by downloading the SWAMP-in-a-Box (SiB) open-source distribution. SWAMP also has a Java command line interface, a GitHub webhook, and plugins for Jenkins, Eclipse, and Git/SVN.

Use the SWAMP in 3 simple steps:

1) Upload a package.
2) Run assessments.
3) View results.

SWAMP Update 1.34.2

The following SWAMP updates are now available for and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.2 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • Improvements to the SWAMP’s Native Results Viewer.
    • The weaknesses shown can now be filtered by bug type.
    • The locations of weaknesses within the affected code files are shown. Specifically, each weakness listed provides a link to a page showing the code file in which that weakness is located with the specific line of code flagged. Additionally, the Native Viewer has a tree view of the files and directories included in the package archive and provides a count of weaknesses per file and a code view of files with all weaknesses flagged.
  • General enhancements and bug fixes for SWAMP-in-a-Box.
    • SWAMP-in-a-Box user sign-in works when using an Active Directory server with multiple, hierarchical DNs (distinguished names).
    • SWAMP-in-a-Box assessments run for users where the user_uid includes an “@” character, which happens when SWAMP-in-a-Box uses an LDAP/AD server for user authentication and the SWAMP User ID maps to an LDAP/AD attribute that has values containing an “@”.
    • You can now specify when the SWAMP layout cookie expires in number of days. Use an integer value for cookie.expires in the web front end configuration file (/var/www/html/config/config.json).
    • The SWAMP-in-a-Box web server no longer includes access-control related headers in responses if the APP_CORS_URL is the same as APP_URL in the .env configuration file (/var/www/swamp-web-server/.env).
    • The upgrade script has been updated to prevent problems with a SWAMP-in-a-Box install not including tool metadata records. When creating an assessment, platforms can now be selected for individual tools.

Let us know if you have any questions at
