Category Archives: Plug-ins

Transition of SWAMP Software

Dear Continuous Assurance Community,

We are reaching out to inform you that the SWAMP project, which has been funded by the Science and Technology Directorate of the Department of Homeland Security, has ended as of 05/31/2020. This marks a significant time of transition in our ongoing commitment to advancing and promoting the methodologies of continuous software assurance. We appreciate all the support we have received throughout the eight years of the project from the software development community, our user base and our collaborators. Despite the end of the project, we remain committed to supporting, with our platform, the educational community in teaching and training continuous software assurance techniques and practices.

Over the next few weeks, we will be working on transitioning the facility to a future, sustainable model. As a part of this, we will be working on providing a new hosted service for the educational community. We will keep the continuous assurance platform on our GitHub organization, ensuring the downloads of Software assurance-in-a-Box (SiB, formerly SWAMP-in-a-Box), plugins functionality, and looking at providing hosted SiB instances on request. For users of the facility at, we will keep your data available until August 25, 2020 for download. Afterward, we will start the process of shutting down the mir-swamp endpoint and removing any account data. Please contact us if you need assistance in this process at

Again, we want to thank you for all the support and connections we made throughout the years in the software development community. Please do not hesitate to reach out to us with any questions you may have. We look forward to staying connected with you.


The SiB Team

Secure Your Software with SWAMP

What’s hiding in your code?

Discover bad coding practices, bugs, weaknesses, and vulnerabilities by scanning your own software or software that you’d like to use in the SWAMP. There are two ways to use the SWAMP: the ready-to-use cloud computing platform at or by downloading the SWAMP-in-a-Box (SiB) open-source distribution. SWAMP also has a Java command line interface, a GitHub webhook, and plugins for Jenkins, Eclipse, and Git/SVN.

Use the SWAMP in 3 simple steps:

1) Upload a package.
2) Run assessments.
3) View results.

SWAMP-in-a-Box Update 1.34

SWAMP-in-a-Box version 1.34 is now available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • SWAMP-in-a-Box now supports the upload and assessment of .NET packages that can be built using msbuild on Linux. SWAMP automatically reviews Solution and .NET project files and determines which can be built using a framework that does not require Windows. Users can then select which of those .NET projects to assess. Python 3.4 is now installed as an OS dependency for SWAMP-in-a-Box; this is required for the analysis of uploaded .NET packages to determine which .NET projects can be assessed on a Linux platform.
  • We added three tools for the assessment of .NET packages on a Linux platform: Code Cracker v1.1.0, devskim 0.1.10, and Security Code Scan 2.7.1. These tools are automatically deployed on SWAMP-in-a-Box.
  • GitHub Webhooks can now be configured to update SWAMP packages. When the GitHub Webhook is triggered, a new package version will be added to an existing SWAMP package. Package parameters are copied from the previous package version and used with a new archive of package code cloned from GitHub. Users can edit package information to get the Payload URL and set the Secret Token needed to configure a GitHub Webhook to the SWAMP.
  • A new schedule is now available for use in all projects. This schedule, “On Push,” runs assessments whenever a new push to a GitHub repository triggers a GitHub Webhook to generate a new Package Version in the SWAMP. This schedule works with an assessment for the “latest” version of a package that is configured to update based on a GitHub Webhook trigger.
  • Assessments of Android Java Source and Android .APK packages can be enabled in SWAMP-in-a-Box. To do so, download and install as an add-on the Android Ubuntu platform image. (It is quite large.) When that platform is added, the Android Java Source and Android .APK package types are enabled. Android-specific tools are installed with SWAMP-in-a-Box 1.34, but they cannot be used for assessments until the Android Ubuntu platform is added.
  • SWAMP packages can now be generated via an External URL that points to a downloadable archive.
  • For users who are in multiple projects, the associated project is now displayed for records on the Package, Assessments, Assessment Results, and Scheduled Assessment Runs pages. Additionally, users can specifically set the project when adding new assessments.
  • HTCondor is now configured to preempt an assessment or metric run to create a slot for a Code Dx viewer run when all slots are in use.
  • An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.34.
  • The platform image files for all SWAMP platforms have been updated to provide a workaround for a bug in guestfish version 1.38. SWAMP 1.34 is required to run VMs with the new platforms, which have a date in the filename of 2019 or later. SWAMP 1.34 is compatible with pre-2019 versions of platforms; however, pre-2019 platforms will not currently work with guestfish 1.38 (which is distributed with the latest CentOS 7). If you are running a SWAMP-in-a-Box in CentOS 7, you should upgrade to SWAMP-in-a-Box 1.34 and upgrade any additional platforms you have installed as add-ons.
  • There is now a script available to restore a database backup (made as part of the SWAMP-in-a-Box upgrade process). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • You can now configure SWAMP-in-a-Box to display a custom welcome message on the home page (not signed-in). Refer to the SWAMP-in-a-Box Administrator Guide for details.
  • We updated the SWAMP configuration for all available versions of the Flake8 assessment tool. This allows Flake8 to be configured in a SWAMP-in-a-Box environment. Specifically, parameters can be set in the services.conf file for the SWAMP to enable checks, disable checks, and set the max-line-length for line length checks.
  • We changed the way the web front-end for SWAMP-in-a-Box identifies the corresponding web server. Specifically, the web server configured in /var/www/html/config/config.json is now a relative path instead of an absolute URL. This change affects the way the Java CLI and related SWAMP plugins connect to a SWAMP-in-a-Box API. SWAMP plugins have been updated to accommodate this change. SWAMP-in-a-Box 1.34 will only work with the following versions: Java CLI version 1.5.2 or higher; SWAMP Eclipse Plugin version 1.1.2 or higher; SWAMP Jenkins Plugin version 1.2.1 or higher.
  • The SWAMP discontinued support for the Ubuntu 10.04 assessment platform. If this platform was installed as an add-on, it will be removed when upgrading to SWAMP-in-a-Box 1.34.
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP Plug-Ins Updates

Updates are now available for the following SWAMP plug-ins:

If a user submits an assessment with a tool that they do not have permission to use, the assessment is not submitted and an error is reported to the user.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub:

SWAMP Plug-Ins Updates

Updates are now available for the following pieces of SWAMP open-source software!

  • Java-CLI version 1.5.3
  • SWAMP-Jenkins-Plugin version 1.2.2
  • SWAMP-Eclipse-Plugin version 1.1.3

These updates address a cookie expiration issue that was impacting plug-ins used with SWAMP-in-a-Box instances that did not have the time set to current.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub:

SWAMP Security Notification: Vulnerability in SWAMP Plug-ins and Library

Dear SWAMP Users,

A MODERATE security vulnerability was discovered that affects the following versions (and earlier) of the SWAMP plug-ins and libraries on shared systems. Users who are not using any of the following plug-ins or libraries are not affected by this vulnerability.


  • swamp-scms-plugin 1.3.4 and earlier
  • swamp-eclipse-plugin 1.1.0 and earlier
  • swamp-jenkins-plugin 1.1.1 and earlier
  • java-cli 1.4.1 and earlier


When a vulnerable version of the software is run on a host by a user, it is possible for an attacker with an account on the same host to impersonate the user’s SWAMP identity and gain access to their SWAMP account. For each successful attack, the attacker will be able to impersonate the user for a maximum time period of two days.


SWAMP users using affected plugins and libraries are recommended to update to the most current versions as soon as possible if they have not done so already. The vulnerability is remediated in the following versions or later:

Please contact SWAMP staff if you have any questions or concerns at

SWAMP SCMS Plug-In Update

A new version of the SWAMP plug-in for source code management with git and Subversion is available on GitHub!
The 1.3.4 version of the swamp-scms-plugin allows assessment of web projects, supports future SWAMP platforms, and provides support for using a proxy to communicate with SWAMP. In addition, some query commands were added to make it easier to find values for the config file.