Category Archives: Software Assurance

SWAMP-in-a-Box Update 1.32

SWAMP-in-a-Box version 1.32 is now available for download! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:

  • Parasoft C/C++test and Jtest version 10.3 (tools for assessing C/C++ and Java Source packages, respectively) can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and/or Jtest and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • OWASP Dependency Check version 2.1.1, a tool for assessing Java Source and Java Bytecode packages, can now be added to a SWAMP-in-a-Box installation. The tool can be configured to get National Vulnerability Database information from a server that you set up to retrieve updates on a periodic basis, or, in cases where SWAMP-in-a-Box runs without internet access, a version of the tool with static National Vulnerability Database information can be created and installed. Versions of OWASP Dependency Check bundled with previous installations of SWAMP-in-a-Box will be removed when you upgrade.
  • Spotbugs version 3.1.0 is now available for assessing Java Source Code and Java Bytecode packages. This tool is a fork of Findbugs. When you choose to run assessments for a Java package using “All” tools, a Spotbugs assessment will be generated but a Findbugs assessment will not. You can still specifically select Findbugs to generate a Findbugs assessment.
  • SWAMP now provides support for C/C++ packages that build using autotools to generate their configure files. “Autotools+Configure+Make” is now available as a Build System for C/C++ packages.
  • Assessment Completion Notification emails can now be sent from SWAMP-in-a-Box installations configured to enable outgoing SWAMP emails.
  • We’ve made improvements to the Native result viewer. Specifically, results are now spread across multiple pages. Controls are available to set the number of weaknesses shown on a page and navigate from page to page.
  • CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available. If a CentOS or Scientific Linux 6.7 platform was previously installed as an add-on, we recommend you download and install these new versions.
  • SWAMP administrators can now stop Condor jobs from the Review Status page. Assessment and Metric runs are stopped before completion and assigned a status of Terminated. Viewer runs are stopped without saving the viewer database, so any changes made in the current viewer session are lost.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

Frequently Asked Questions, Answered

SWAMP FAQ
“What is the SWAMP?”

“What is SWAMP-in-a-Box?”

“How does SWAMP fit into my current development process?”

“What is continuous software assurance?”

“Which programming languages and operating systems are supported?”

“What kind of static analysis code tools can be used in the SWAMP?”

For answers to these questions and more, check out the SWAMP’s Frequently Asked Questions page, also available as a PDF for download!

SWAMP and Synopsys join forces to educate the future cybersecurity workforce

FOR IMMEDIATE RELEASE:
December 21, 2017

Madison-based SWAMP and Synopsys join forces to educate the future cybersecurity workforce

MADISON, WI–(GlobeNewswire – December 21, 2017) –

The Software Assurance Marketplace (SWAMP) has partnered with Synopsys, an industry leader in software security and quality, to expand its suite of assurance tools in support of the academic community.

In support of educators training the next generation of software developers on secure coding practices, the SWAMP’s continuous assurance platform has added Synopsys Static Analysis (Coverity), a widely used static analysis tool produced by Synopsys, that scans C and C++, the programming languages used by more than one in five programmers worldwide. Synopsys Static Analysis (Coverity), which was recently named a Leader in The Forrester Wave: Static Application Security Testing, marks the fourth industry tool incorporated into the SWAMP’s open and accessible assurance facility. As a result of this partnership, educators can integrate Coverity into their curricula through the SWAMP at no cost.

“Synopsys Static Analysis (Coverity) is a widely respected tool in the software assurance community and is a valuable addition to the SWAMP,” says Barton Miller, University of Wisconsin-Madison professor of computer science and chief scientist of the SWAMP.

“We see a critical need to increase the workforce trained in the best practices of software security,” adds Miller. “Our partnership with Synopsys significantly furthers our efforts to reach educators and provide more trained practitioners.”

“Joining forces with Synopsys in including award-winning software assurance capabilities in our marketplace is an important step in the implementation of our vision,” says Miron Livny, SWAMP director and chief technology officer for the Morgridge Institute for Research. “Our goal at SWAMP is to establish an assurance ecosystem by incorporating a rich suite of tools, and in adding Synopsys Static Analysis (Coverity), we make a significant step in achieving this goal in support of education and cybersecurity workforce development.”

The SWAMP has a unique focus on workforce development and is partnering with universities to integrate software assurance into the curriculum. Miller says the Synopsys Static Analysis (Coverity) launch will be especially valuable to the academic community since the C and C++ languages are commonly used in educational settings. Students who are learning to code and refine their programming skills will have an additional tool to evaluate their software for errors, expanding their resources for developing dependable and secure code.

Few aspects of everyday life are not touched by software, from commerce to energy to healthcare sectors. Weaknesses in software code are the most common targets of security breaches. The SWAMP’s goal is to help eliminate those weaknesses before they are deployed and become exploited vulnerabilities by integrating effective software assessment techniques into the developer’s work cycle.

Its most important benefit to developers and educators has been providing an integrated, one-stop environment for programmers to analyze their code across a wide range of commercial and open-source tools — and providing the combined feedback in a single results viewer.

For more information about capabilities offered by the SWAMP, visit www.mir-swamp.org.

ABOUT THE SWAMP

The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance technologies and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools.

###

Contact:
Brian Mattmiller
Morgridge Institute for Research
608-316-4332
bmattmiller@morgridge.org

SWAMP SCMS Plug-In Update

The SWAMP’s plug-in for SCMS (source control management systems) was updated recently. The 1.3 release makes the plug-in easier to use and increases stability and correctness. The 1.3.3 version contains bug fixes. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) can be found on our website.

SCMS plug-in versions 1.3 and 1.3.3:

  1. Added complete verification of the entire plug-in configuration through enhancement of the --verify option. Always run the uploader with --verify after making configuration changes to verify that everything is correct. If the configuration can't pass --verify, it will not work.
  2. Support for newer SWAMPs with os-ver-bits platform names.
  3. The Java runtime used by the plug-in can be configured in the plug-in config file; this allows development with a Java version that is not compatible with the swamp-cli used by the SCMS plug-in.
  4. Added update capabilities to the installer to update current and already installed plug-ins to a newer version. Any changed “config” files will be installed with a “.instnew” extension so it is easy to manually diff and configure existing config files.
  5. Installer updated to allow login and querying of information from a SWAMP to assist in configuring the plug-in.
  6. Extensive notes and examples added to the default configuration file.
  7. Global config and credential files are no longer installed by default unless the --global option is added.
  8. New swamp-java-cli 1.3.3 added to plug-in.
  9. RELEASE_NOTES.md updated.
  10. General enhancements and bug fixes.

SWAMP Plug-Ins Update

The SWAMP’s open source software and plug-ins for Eclipse and Jenkins were updated recently. Noteworthy changes are listed below. More information about our plug-ins (https://continuousassurance.org/plug-ins/) and open source software (https://continuousassurance.org/open-source-software/) can be found on our website.

Eclipse plug-in version 1.0.5:

  1. Fixed a bug that was causing executable bits in the file permissions not to be preserved in the uploaded archives.
  2. Fixed a bug that caused results not to be displayed for tools that don't have a bugGroup.
  3. Enhanced to use the new platform names that were introduced in SWAMP version 1.31.

Jenkins plug-in version 1.0.5:

  1. Enhanced to use the new platform names that were introduced in SWAMP version 1.31.
  2. Enhanced assessment status reporting on the console.
  3. Fixed a bug that was causing intermittent logouts from SWAMP.

Java-cli version 1.3.1:

  1. Added documentation and javadoc for SwampApiWrapper.
  2. Added a --quiet mode for each sub-command.
  3. The UUID is now printed as the first segment in the output; this should make automation easier.
  4. The --XXX-name options for various sub-commands have been renamed to --name.
  5. The undocumented 1.2 version was deprecated.

New updates for mir-swamp.org

You can now find the following updates on mir-swamp.org!

  • Synopsys Static Analysis (Coverity) is now available for assessing C/C++ packages. You must request and receive permission to use this tool and agree to the EULA.
  • We removed unnecessary pop-up notifications from a number of workflows; these only affirmed that the SWAMP had completed a requested action.
  • To accommodate packages with lengthy build parameters, we’ve increased the number of characters allowed for the Configuration and Build settings for new and existing Packages and Package Versions.
  • Project Ownership permission is no longer required to create and manage SWAMP projects.
  • The Run New Assessments page no longer displays the fields for Tool and Platform selection until you have selected a Package. Note that Platform selection is only available for C/C++ packages.
  • “Latest” is no longer an option for the Platform Version of a new assessment. Instead, the current most recent version is selected by default. When new Platform versions are made available, you will need to create new assessments specifically for those new versions.
  • You can now stop an assessment run in progress. The Assessment Status page displays a “Kill Assessment” button for assessments that are still in the HTCondor queue. The SWAMP removes the corresponding job from the HTCondor queue, causing any VM to shut down. The status of the assessment is updated to “Terminated.” Note that it takes approximately 25 seconds for the termination process to complete.
  • Email notifications for completed assessments now correctly report their status as success or failed.
  • The Error Report page for assessments that have “finished with errors” now includes a link to the “Status.out and Debugging SWAMP Failures FAQ” documentation providing information for interpreting assessment errors.
  • Assessments using Android Lint are now displayed in the Native viewer.
  • We added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, PMD, Findbugs, XML lint.
  • The CentOS 5.11 and Scientific Linux 5.11 platforms are no longer supported.
  • SWAMP-in-a-Box v1.31 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.31

SWAMP-in-a-Box version 1.31.151 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:

  • Synopsys Static Analysis (Coverity), a tool for assessing C/C++ packages, can now be added to a SWAMP-in-a-Box installation. You must license Synopsys Static Analysis and obtain either the 32-bit or 64-bit tool archive files separately from Synopsys, Inc.
  • Documentation for SWAMP-in-a-Box has been reorganized into an Administrator Manual and a Reference Manual. Each comes as a PDF and HTML document, which can be found in `/opt/swamp/doc` on the SWAMP-in-a-Box host.
  • New versions of the CentOS and Scientific Linux 6.7 (32-bit and 64-bit) assessment platforms are available. If any of these platforms were previously installed as an add-on, we recommend you download and install the updated versions.
  • The CentOS and Scientific Linux 5.11 (32-bit and 64-bit) assessment platforms are no longer supported. If any of these platforms were previously installed as an add-on, they will be removed as part of the upgrade to SWAMP-in-a-Box 1.31.
  • Added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, Findbugs, PMD, and XML Lint.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.
