Category Archives: Open Source

SWAMP Update 1.34.5

The following SWAMP updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.5 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • A new version of the ESLint tool for assessing Web Scripting packages that contain JavaScript is available: version 6.4.0.
  • A new version of the PMD tool for assessing Java packages is available: version 6.14.0.
  • New versions of the Parasoft C/C++test and Jtest tools for assessing C/C++ and Java packages are available: version 10.4.2.
  • We have deprecated the RevealDroid tool for assessing Android .apk packages.
  • We have deprecated the ruby-lint tool for assessing Ruby packages.
  • We have deprecated the FindBugs tool for assessing Java packages. It is superseded by SpotBugs.
  • We have deprecated older versions of most tools.
  • The CentOS 7.4 and Scientific Linux 7.4 platforms now include updated dependencies and cmake3. The Ubuntu Linux 16.04 platform includes updated dependencies.
  • SWAMP’s Native results viewer now displays weaknesses on the List tab grouped by File. Weaknesses displayed on the List tab include links to open a new page displaying the code for a specific File at a specific Line number, with weaknesses flagged.
  • General enhancements and bug fixes.

Changes specific to SWAMP-in-a-Box include:

  • Support for SWAMP-in-a-Box on CentOS 6 will end with the 1.34.x release series. SWAMP-in-a-Box version 1.35 and later will not support CentOS 6.
  • The ‘make_swamp_tool’ and ‘install_tool’ utilities now support version 10.4.2 of both Parasoft C/C++test and Parasoft Jtest.
  • The deprecated RevealDroid, ruby-lint, and FindBugs tools will be automatically removed when upgrading to SWAMP-in-a-Box version 1.34.5.
  • We have deprecated older versions of all tools except error-prone (version 1.1.1 is still available for assessment of older Java packages). Most tools will now only have the latest version available. Older versions of tools installed with previous versions of SWAMP-in-a-Box will be removed as part of the upgrade to SWAMP-in-a-Box version 1.34.5. However, any custom add-on tools or tool versions added to a SWAMP-in-a-Box installation will not be changed by the upgrade.
  • An updated version of the Ubuntu Linux 16.04 platform is available and will be automatically installed with SWAMP-in-a-Box 1.34.5.
  • Updated versions of the CentOS 7.4 and Scientific 7.4 platforms are available. They can be downloaded and installed as an add-on to SWAMP-in-a-Box. Download from: https://platform.swampinabox.org/platform-images/1.34_and_later/. Refer to the SWAMP-in-a-Box Administrator Manual for instructions on adding a Platform.
  • SWAMP-in-a-Box can now be configured to store user session data in the SWAMP database. When thus configured, SWAMP provides administrators with a means of filtering the Review Accounts page to show only users who are currently signed in. For new SWAMP-in-a-Box 1.34.5 installations this is the default configuration. Existing SWAMP-in-a-Box installations that are upgraded to 1.34.5 will still be configured to store session data either in cookies or in the web server file system. To change this configuration, set the ‘SESSION_DRIVER’ parameter equal to ‘database’ in ‘/var/www/swamp-web-server/.env’. Additional information is available in section 1.6 of the SWAMP-in-a-Box Reference Manual.
  • We upgraded the version of the Marionette framework used by the SWAMP web front end to Marionette version 4.1.2.
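The SESSION_DRIVER change above is a one-line edit, but on an upgraded box the key is usually already present (set to cookie or file), occasionally more than once, and the file must keep the permissions the web server relies on. The following script is an added example, not part of SWAMP-in-a-Box or its upgrade tooling. It assumes /var/www/swamp-web-server/.env is a Laravel-style dotenv file (one KEY=value per line, '#' comments), rewrites every uncommented assignment of the key so that no duplicate can disagree with the new value (dotenv loaders differ on whether the first or last assignment wins), and demonstrates the change on a constructed sample rather than the live file.

```python
"""Switch a SWAMP-in-a-Box web server to database-backed sessions.

Added example; not SWAMP's own upgrade tooling. Assumes a Laravel-style
dotenv file: one KEY=value per line, '#' comments. Needs Python 3.6+
(f-strings), i.e. newer than the Python 3.4 that SiB installs for itself.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Matches an uncommented assignment. A commented-out line such as
# '# SESSION_DRIVER=cookie' does not match because '#' is not a key character.
ASSIGN_RE = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=")


def get_env_var(text: str, key: str) -> Optional[str]:
    """Return the value of the first uncommented assignment of key, or None."""
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group("key") == key:
            return line.split("=", 1)[1].strip()
    return None


def set_env_var(text: str, key: str, value: str) -> str:
    """Replace every uncommented assignment of key with key=value, or append
    key=value if the key was never set. Comments and other keys are kept."""
    out = []
    found = False
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group("key") == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def switch_session_driver(env_path: Path, driver: str = "database") -> Optional[str]:
    """Rewrite env_path in place (backup first, then atomic replace) and
    return the SESSION_DRIVER value now configured."""
    original = env_path.read_text()
    updated = set_env_var(original, "SESSION_DRIVER", driver)
    backup = env_path.parent / (env_path.name + ".bak")
    shutil.copy2(env_path, backup)
    fd, tmp = tempfile.mkstemp(dir=str(env_path.parent), prefix=".env.")
    with os.fdopen(fd, "w") as fh:
        fh.write(updated)
    shutil.copymode(env_path, tmp)   # keep the original's permission bits
    os.replace(tmp, env_path)        # atomic on POSIX: never a half-written .env
    return get_env_var(updated, "SESSION_DRIVER")


# Constructed sample of an upgraded (pre-1.34.5) .env; not a real SiB file.
SAMPLE_ENV = """\
APP_ENV=production
# SESSION_DRIVER=cookie
SESSION_DRIVER=file
SESSION_LIFETIME=120
"""


def demo() -> dict:
    """Run the switch on a temporary copy of SAMPLE_ENV; return before/after."""
    with tempfile.TemporaryDirectory() as d:
        env = Path(d) / ".env"
        env.write_text(SAMPLE_ENV)
        before = get_env_var(env.read_text(), "SESSION_DRIVER")
        after = switch_session_driver(env)
        return {
            "before": before,
            "after": after,
            "text": env.read_text(),
            "backup_exists": (Path(d) / ".env.bak").exists(),
        }


if __name__ == "__main__":
    print(demo()["text"], end="")
```

On a live installation call `switch_session_driver(Path("/var/www/swamp-web-server/.env"))` as a user that may write the file; the script only edits the file, so follow section 1.6 of the SWAMP-in-a-Box Reference Manual for anything the web server needs after the change.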

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Update 1.34.3

The following SWAMP updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.3 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • A new version of the PHPMD tool for scripting languages (PHP) is available: version 2.6.0-swamp. This version includes a custom patch for a bug in the tool that otherwise prevents assessment of some packages.
  • A new version of the Flow tool for scripting languages (JavaScript) is available: version 0.98.0.
  • A new version of the SpotBugs tool for Java is available: version 3.1.12.
  • A new version of the error-prone tool for Java is available: version 2.3.1.
  • A new version of the checkstyle tool for Java is available: version 8.20.
  • We have improved the performance of the proxy used to connect to Code Dx web servers in viewer VMs.

Let us know if you have any questions at support@continuousassurance.org.

Secure Your Software with SWAMP

What’s hiding in your code?

Discover bad coding practices, bugs, weaknesses, and vulnerabilities by using the SWAMP to scan your own software, or software you are considering using. There are two ways to use the SWAMP: the ready-to-use cloud platform at mir-swamp.org, or the downloadable SWAMP-in-a-Box (SiB) open-source distribution. SWAMP also has a Java command line interface, a GitHub webhook, and plugins for Jenkins, Eclipse, and Git/SVN.

Use the SWAMP in 3 simple steps:

1) Upload a package.
2) Run assessments.
3) View results.

SWAMP Update 1.34.2

The following SWAMP updates are now available for mir-swamp.org and SWAMP-in-a-Box. The latest SWAMP-in-a-Box version 1.34.2 files can be obtained from the download server or GitHub.

Noteworthy changes include:

  • Improvements to the SWAMP’s Native Results Viewer.
    • The weaknesses shown can now be filtered by bug type.
    • The locations of weaknesses within the affected code files are shown. Specifically, each weakness listed provides a link to a page showing the code file in which that weakness is located with the specific line of code flagged. Additionally, the Native Viewer has a tree view of the files and directories included in the package archive and provides a count of weaknesses per file and a code view of files with all weaknesses flagged.
  • General enhancements and bug fixes for SWAMP-in-a-Box.
    • SWAMP-in-a-Box user sign-in works when using an Active Directory server with multiple, hierarchical DNs (distinguished names).
    • SWAMP-in-a-Box assessments now run correctly for users whose user_uid contains an “@” character. This happens when SWAMP-in-a-Box authenticates users against an LDAP/AD server and the SWAMP User ID is mapped to an LDAP/AD attribute whose values contain an “@”.
    • You can now specify when the SWAMP layout cookie expires in number of days. Use an integer value for cookie.expires in the web front end configuration file (/var/www/html/config/config.json).
    • The SWAMP-in-a-Box web server no longer includes access-control related headers in responses if the APP_CORS_URL is the same as APP_URL in the .env configuration file (/var/www/swamp-web-server/.env).
    • The upgrade script has been updated to prevent problems with a SWAMP-in-a-Box installation that does not include tool metadata records.
    • When creating an assessment, platforms can now be selected for individual tools.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.34.1

SWAMP-in-a-Box version 1.34.1 is now available! The latest files can be obtained from the SWAMP-in-a-Box download server now or found on GitHub in the next few days.

Noteworthy changes include:

  • SWAMP-in-a-Box now supports Code Dx version 3.5.5 to view results. You must obtain Code Dx separately from Code Dx, Inc. Please refer to the SWAMP-in-a-Box Administrator Manual for details on how to install Code Dx as an additional results viewer. If you have added Code Dx 2.8.3 to an existing SWAMP-in-a-Box installation, adding Code Dx 3.5.5 will automatically replace the older version with Code Dx 3.5.5.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP-in-a-Box Update 1.34

SWAMP-in-a-Box version 1.34 is now available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • SWAMP-in-a-Box now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess. Python 3.4 is now installed as an OS dependency for SWAMP-in-a-Box; this is required for the analysis of uploaded .NET packages to determine which .NET projects can be assessed on a Linux platform.
  • We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1. These tools are automatically deployed on SWAMP-in-a-Box.
  • GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. Users can edit package information to get the Payload URL and set the Secret Token needed to configure a GitHub Webhook to the SWAMP.
  • A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
  • Assessments of Android Java Source and Android .APK packages can be enabled in SWAMP-in-a-Box. To do so, download and install as an add-on the Android Ubuntu platform image. (It is quite large.) When that platform is added, the Android Java Source and Android .APK package types are enabled. Android specific tools are installed with SWAMP-in-a-Box 1.34, but they cannot be used for assessments until the Android Ubuntu platform is added.
  • SWAMP packages can now be generated via an External URL that points to a downloadable archive.
  • For users who are in multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project when adding new assessments.
  • HTCondor is now configured to preempt an assessment or metric run to create a slot for a Code Dx viewer run when all slots are in use.
  • An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.34.
  • The platform image files for all SWAMP platforms have been updated to provide a workaround for a bug in guestfish version 1.38 (https://bugzilla.redhat.com/show_bug.cgi?id=1661038). SWAMP 1.34 is required to run VMs with the new platforms, which have a date in the filename of 2019 or later. SWAMP 1.34 is compatible with pre-2019 versions of platforms; however, pre-2019 platforms will not currently work with guestfish 1.38 (which is distributed with the latest CentOS 7). If you are running a SWAMP-in-a-Box in CentOS 7, you should upgrade to SWAMP-in-a-Box 1.34 and upgrade any additional platforms you have installed as add-ons.
  • There is now a script available to restore a database backup (made as part of the SWAMP-in-a-Box upgrade process). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • You can now configure SWAMP-in-a-Box to display a custom welcome message on the home page (not signed-in). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • We updated the SWAMP configuration for all available versions of the Flake8 assessment tool. This allows Flake8 to be configured in a SWAMP-in-a-Box environment. Specifically, parameters can be set in the services.conf file for the SWAMP to enable checks, disable checks, and set the max-line-length for line length checks.
  • We changed the way the web front-end for SWAMP-in-a-Box identifies the corresponding web server. Specifically, the web server configured in /var/www/html/config/config.json is now a relative path instead of an absolute URL. This change affects the way the Java CLI and related SWAMP plugins connect to a SWAMP-in-a-Box API. SWAMP plugins have been updated to accommodate this change. SWAMP-in-a-Box 1.34 will only work with the following versions: Java CLI version 1.5.2 or higher; SWAMP Eclipse Plugin version 1.1.2 or higher; SWAMP Jenkins Plugin version 1.2.1 or higher.
  • The SWAMP discontinued support for the Ubuntu 10.04 assessment platform. If this platform was installed as an add-on, it will be removed when upgrading to SWAMP-in-a-Box 1.34.
  • General enhancements and bug fixes.
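The GitHub Webhook and “On Push” schedule items above turn an inbound HTTP request into a new package version and an assessment run, so the Secret Token is the only thing standing between a forged POST and a build of attacker-chosen code. The script below is an added example of what that token is for; it is not SWAMP's webhook receiver, whose code this page does not show. It relies only on GitHub's documented signing scheme (each delivery carries X-Hub-Signature-256, an HMAC-SHA256 of the raw body under the secret, and X-GitHub-Event naming the event) and uses a constructed secret and payload.

```python
"""Verify and decode a GitHub push webhook delivery.

Added example; not SWAMP's receiver. Uses GitHub's documented scheme:
X-Hub-Signature-256: sha256=<hex HMAC-SHA256(secret, raw body)>.
The secret and payload below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign_body(secret: bytes, body: bytes) -> str:
    """Header value GitHub would send for this body under this secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_is_valid(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check the MAC over the raw bytes, never over a re-serialised JSON
    object: re-encoding (key order, whitespace) would change the digest."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    # compare_digest is constant-time; a plain == would leak, through response
    # timing, how many leading bytes of a guessed digest were correct.
    return hmac.compare_digest(expected, header)


def handle_delivery(headers: Dict[str, str], body: bytes, secret: bytes) -> Tuple[str, str]:
    """Return ("accepted", ref) for a genuine branch push, else ("rejected", why).
    Header names are assumed already normalised to their canonical case."""
    if not signature_is_valid(secret, body, headers.get("X-Hub-Signature-256")):
        return ("rejected", "bad or missing signature")   # never parse unsigned input
    event = headers.get("X-GitHub-Event")
    if event != "push":
        return ("rejected", "unhandled event %r" % (event,))
    try:
        payload = json.loads(body)
    except ValueError:
        return ("rejected", "body is not JSON")
    ref = payload.get("ref")
    if not isinstance(ref, str) or not ref.startswith("refs/heads/"):
        return ("rejected", "not a branch push")          # e.g. a tag push
    if payload.get("deleted"):
        return ("rejected", "branch deleted, nothing to build")
    return ("accepted", ref)


# Constructed sample delivery; the real secret is whatever you set in the
# package's webhook settings, and the real payload is much larger.
SECRET = b"example-secret-token"
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/master",
    "deleted": False,
    "after": "a" * 40,
    "repository": {"clone_url": "https://github.com/example/example-package.git"},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-Hub-Signature-256": sign_body(SECRET, SAMPLE_BODY),
}


def demo() -> dict:
    """Genuine, tampered and unsigned deliveries side by side."""
    tampered = SAMPLE_BODY.replace(b"refs/heads/master", b"refs/heads/evil")
    unsigned = {"X-GitHub-Event": "push"}
    return {
        "genuine": handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, SECRET),
        "tampered": handle_delivery(SAMPLE_HEADERS, tampered, SECRET),
        "unsigned": handle_delivery(unsigned, SAMPLE_BODY, SECRET),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Whatever sits behind the Payload URL, the order matters: authenticate the raw body first, then parse it, then decide whether the event deserves a clone and an assessment. Rotating the Secret Token in the package settings invalidates every delivery signed under the old one.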

Let us know if you have any questions at sib@continuousassurance.org.
