Category Archives: Software Assurance

SWAMP Contributes to Standard Results Format

The SWAMP is now a participating member of the OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee! The first meeting was held on Wednesday, September 6, 2017. With the help of the SWAMP, the committee will define a standard output format for static analysis tools, otherwise known as SARIF. A standard output would make it “feasible for developers and teams to view, understand, interact with, and manage the results produced by all the tools that they use.” SARIF will support the aggregation of results from a variety of static analysis tools, similar to the way that the SWAMP uses SCARF (SWAMP Common Assessment Result Format) with results viewers today, which allows developers to form an overall picture of program quality and quickly detect problems. This collaboration is another step towards lowering the barriers for software assurance and secure coding. Learn more about SARIF by visiting https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.

Spread the Word about SWAMP!

Lines of code give life to modern technologies. As technology continues to evolve and is used by millions of people, it is increasingly important to code securely. It only takes one line of faulty code to disrupt the global economy. Luckily, the Software Assurance Marketplace is here to help. As a free-to-use, open-source resource, the SWAMP allows users to test code for vulnerabilities to ensure that all code being used is free of errors.

SWAMP users from Germany, the UK, Paraguay, India, Canada, Italy, the Netherlands, and many other countries are committed to the safety, security, and stability of software around the world. Join them in the fight for secure code! Spread the word about the SWAMP to help us promote software assurance! Learn more, call others to action, and leave comments across our social media platforms!

SWAMP-in-a-Box Update 1.30.114

We have released an update to SWAMP-in-a-Box (SiB) version 1.30. SiB release v1.30.114 contains a few bug fixes and a patch to allow the SWAMP plug-ins to work with SiB. If you have already downloaded or installed SiB v1.30 (v1.30.113), you are not required to download the latest update unless you would like to use the SWAMP plug-ins with your SiB instance.

The updated SWAMP-in-a-Box v1.30.114 is now available for download here or on GitHub. Note that you may still see the version reflected as 1.30, as not all files received the updated 1.30.114 version number, but all appropriate files have been updated.

Let us know if you have any questions at sib@continuousassurance.org.

New MIR-SWAMP Updates

You can now find the following updates on mir-swamp.org!

New

  • You can now change your SWAMP username when editing your profile page.
  • You can now add Application Passwords to your SWAMP account. These passwords can be used with the SWAMP plug-ins for Eclipse and Jenkins to allow you to connect to the SWAMP without using your main password.
  • Java 8 is now the default Java version when creating new Java source and Java bytecode packages.
  • The SWAMP now uses the “recursive” option to include linked sub-modules when pulling code from GitHub to create a new package or when adding a new package version.
  • The Native viewer for assessment results now includes information about the package, tool, and platform used, along with start and completion times, for the assessment.
  • We added new versions and/or updates for the following assessment tools: Android lint, Brakeman, Dawn, Reek, RuboCop, and ruby-lint.
  • We added support for newer versions of the Android SDK on the platform for building and assessing Android software packages.
  • SWAMP-in-a-Box v1.30 is available.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP-in-a-Box Update 1.30

SWAMP-in-a-Box version 1.30 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:

New

  • SWAMP-in-a-Box can now be configured to use an LDAP or LDAP-compatible Active Directory server for managing user accounts.
  • SWAMP-in-a-Box can now be configured to allow GitHub, Google, and CILogon accounts to be linked to SWAMP user accounts, allowing users to sign into the SWAMP using their third-party credentials.
  • The GrammaTech CodeSonar tool for assessing C/C++ packages can now be added to a SWAMP-in-a-Box installation. You must license CodeSonar and obtain either the 32-bit or 64-bit installers for CodeSonar separately from GrammaTech, Inc.
  • SWAMP users can now add Application Passwords to their SWAMP accounts. These passwords can be used with the SWAMP plug-ins for Eclipse and Jenkins to allow them to connect to the SWAMP without using the users’ main passwords.
  • Java 8 is now the default Java version when creating new Java source and Java bytecode packages.
  • The SWAMP now uses the “recursive” option to include linked sub-modules when pulling code from GitHub to create a new package or when adding a new package version.
  • The Native viewer for assessment results now includes information about the package, tool, and platform used, along with start and completion times, for the assessment.
  • SWAMP users can now change their SWAMP username when editing their profile page.
  • Added new versions and/or updates for the following assessment tools: Brakeman, Dawn, Reek, RuboCop, and ruby-lint.
  • The SWAMP-in-a-Box install and upgrade scripts now configure the web server (Apache) to disallow HTTP connections. The SWAMP must be accessed using HTTPS.
  • The SWAMP-in-a-Box install and upgrade scripts no longer attempt to configure firewall settings on the host. Required configuration is now documented in the `README-BUILD-SERVER.md` file that is included with the SWAMP-in-a-Box installer.
  • General enhancements and bug fixes.

Let us know if you have any questions at sib@continuousassurance.org.

SWAMP is at OSCON 2017!

If you are in Austin, TX this week for OSCON 2017, the SWAMP Team wants to see you! If you still need to register for the conference, use our discount code, SWAMP25, to save 25% on your admission.

Visit the Software Assurance Marketplace in Booth #518 on May 10th and 11th! We will be demoing our new plug-ins along with the newest features in SWAMP-in-a-Box.

Several SWAMP team members will also be giving presentations during the conference:

Read more about the SWAMP’s activities here.


End of RHEL 6.7 Support in SWAMP

On May 15, 2017, RHEL 6.7 will be removed from the SWAMP for use as an assessment platform for C and C++ packages. CentOS and Scientific Linux will continue to be supported and can be used as a replacement for RHEL (list of supported platforms in SWAMP). Results from previous assessments using RHEL 6.7 will still be viewable. If you have concerns about this change, contact us at support@continuousassurance.org.
