Category Archives: Open Source

SWAMP-in-a-Box Update 1.32

SWAMP-in-a-Box version 1.32 is now available for download! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • Parasoft C/C++test and Jtest version 10.3 (tools for assessing C/C++ and Java Source packages, respectively) can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and/or Jtest and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • OWASP Dependency Check version 2.1.1, a tool for assessing Java Source and Java Bytecode packages, can now be added to a SWAMP-in-a-Box installation. The tool can be configured to get National Vulnerability Database information from a server that you set up to retrieve updates on a periodic basis, or, in cases where SWAMP-in-a-Box runs without internet access, a version of the tool with static National Vulnerability Database information can be created and installed. Versions of OWASP Dependency Check bundled with previous installations of SWAMP-in-a-Box will be removed when you upgrade.
  • Spotbugs version 3.1.0 is now available for assessing Java Source Code and Java Bytecode packages. This tool is a fork of Findbugs. When you choose to run assessments for a Java package using “All” tools, a Spotbugs assessment will be generated but a Findbugs assessment will not. You can still specifically select Findbugs to generate a Findbugs assessment.
  • SWAMP now provides support for C/C++ packages that build using autotools to generate their configure files. “Autotools+Configure+Make” is now available as a Build System for C/C++ packages.
  • Assessment Completion Notification emails can now be sent from SWAMP-in-a-Box installations configured to enable outgoing SWAMP emails.
  • We’ve made improvements to the Native result viewer. Specifically, results are now spread across multiple pages. Controls are available to set the number of weaknesses shown on a page and navigate from page to page.
  • CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available. If a CentOS or Scientific Linux 6.7 platform was previously installed as an add-on, we recommend you download and install these new versions.
  • SWAMP administrators can now stop Condor jobs from the Review Status page. Assessment and Metric runs that are stopped are left incomplete and assigned a status of Terminated. Viewer runs are stopped without saving the viewer database, so any changes made in the current viewer session are lost.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP SCMS Plug-In Update

The SWAMP’s plug-in for SCMS (source control management systems) was updated recently. The 1.3 release makes the plug-in easier to use and increases stability and correctness. The 1.3.3 version contains bug fixes. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) can be found on our website.

SCMS plug-in versions 1.3 and 1.3.3:

  1. Added complete verification of the entire plug-in configuration through enhancement of the --verify option. Always run the uploader with --verify after making configuration changes to confirm that everything is correct. If the configuration does not pass --verify, it will not work.
  2. Support for newer SWAMPs with os-ver-bits platform names.
  3. The Java used by the plug-in can be configured in the plug-in config file; this allows development with a Java version that is not compatible with the swamp-cli used by the SCMS plug-in.
  4. Added update capabilities to the installer to update current and already installed plug-ins to a newer version. Any changed “config” files will be installed with a “.instnew” extension so it is easy to manually diff and configure existing config files.
  5. Installer updated to allow login and querying of information from a SWAMP to assist in configuring the plug-in.
  6. Extensive notes and examples added to the default configuration file.
  7. Global config and credential files are no longer installed by default unless the --global option is added.
  8. New swamp-java-cli 1.3.3 added to plug-in.
  9. RELEASE_NOTES.md updated.
  10. General enhancements and bug fixes.

SWAMP Plug-Ins Update

The SWAMP’s open source software and plug-ins for Eclipse and Jenkins were updated recently. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) and open source software (https://continuousassurance.org/open-source-software/) can be found on our website.

Eclipse plug-in version 1.0.5:

  1. Fixed a bug that was causing executable bits in the file permissions to not be preserved in the uploaded archives.
  2. Fixed a bug that caused results to not be displayed for tools that don’t have a bugGroup.
  3. Enhanced to use the new platform names that were introduced in SWAMP version 1.31.

Jenkins plug-in version 1.0.5:

  1. Enhanced to use the new platform names that were introduced in SWAMP version 1.31.
  2. Enhanced assessment status reporting on the console.
  3. Fixed a bug that was causing intermittent logouts from SWAMP.

Java-cli version 1.3.1:

  1. Added documentation and javadoc for SwampApiWrapper.
  2. Added a --quiet mode for each sub-command.
  3. UUID is now printed as the first segment in the output; this should make automation easier.
  4. Changed the --XXX-name options for various sub-commands; they are now renamed to --name.
  5. The undocumented 1.2 version was deprecated.

SWAMP-in-a-Box Update 1.31

SWAMP-in-a-Box version 1.31.151 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:

  • Synopsys Static Analysis (Coverity), a tool for assessing C/C++ packages, can now be added to a SWAMP-in-a-Box installation. You must license Synopsys Static Analysis and obtain either the 32-bit or 64-bit tool archive files separately from Synopsys, Inc.
  • Documentation for SWAMP-in-a-Box has been reorganized into an Administrator Manual and a Reference Manual. Each comes as a PDF and HTML document, which can be found in `/opt/swamp/doc` on the SWAMP-in-a-Box host.
  • New versions of the CentOS and Scientific Linux 6.7 (32-bit and 64-bit) assessment platforms are available. If any of these platforms were previously installed as an add-on, we recommend you download and install the updated versions.
  • The CentOS and Scientific Linux 5.11 (32-bit and 64-bit) assessment platforms are no longer supported. If any of these platforms were previously installed as an add-on, they will be removed as part of the upgrade to SWAMP-in-a-Box 1.31.
  • Added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, Findbugs, PMD, and XML Lint.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP Plug-Ins for Eclipse, Git/SVN, Jenkins

Make sure you are taking advantage of everything the SWAMP has to offer! The SWAMP has created a variety of plug-ins to integrate into the software development lifecycle and to support continuous integration. The SWAMP’s plug-ins are open-source and can connect to the SWAMP site or to your own SWAMP-in-a-Box. Find them here: https://continuousassurance.org/plug-ins/.

  • Eclipse: The Eclipse plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and view the results within the Eclipse Integrated Development Environment (IDE).
  • Git and Subversion: This script is a Git and Subversion hook. Any commit or push of a new version will upload that version of the code to the SWAMP. Results are viewable from the SWAMP website.
  • Jenkins: The Jenkins plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Results and trend data can be viewed on the SWAMP website or directly in Jenkins.

SWAMP Software Is Open Source

Software from the SWAMP is open source! You may already have your own SWAMP-in-a-Box, a private/local instance of SWAMP, or our plug-ins for Eclipse, Jenkins, and Git/Subversion. But did you know that more of our software is also available on GitHub?

  • The assessment frameworks help to build and assess software in the SWAMP.
  • The results parser converts the output of software assessment tools into the SWAMP Common Assessment Result Format (SCARF).
  • Other software puts SCARF into a database.
  • Our libraries let clients read/write SCARF and perform common operations in the SWAMP.

To learn more and to review or download our code, visit the new Open Source Software page!
