Category Archives: Software Assurance

SWAMP SCMS Plug-In Update

The SWAMP’s plug-in for SCMS (source control management systems) was updated recently. The 1.3 release makes the plug-in easier to use and increases stability and correctness. The 1.3.3 version contains bug fixes. Noteworthy changes are listed below. More information about our plug-ins ( can be found on our website.

SCMS plug-in versions 1.3 and 1.3.3:

  1. Added complete verification of the entire plug-in configuration through enhancement of the –verify option. Always run the uploader with –verify after making configuration changes to verify that everything is correct. If it can’t pass –verify, the configuration will not work.
  2. Support for newer SWAMPs with os-ver-bits platform names.
  3. Java used by the plug-in can be configured in the plug-in config file; this allows development with java which is not compatible with the swamp-cli used by the SCMS plug-in.
  4. Added update capabilities to the installer to update current and already installed plug-ins to a newer version. Any changed “config” files will be installed with a “.instnew” extension so it is easy to manually diff and configure existing config files.
  5. Installer updated to allow login and querying of information from a SWAMP to assist in configuring the plug-in.
  6. Extensive notes and examples added to the default configuration file.
  7. Global config and credential files are no longer installed by default unless the –global option is added.
  8. New swamp-java-cli 1.3.3 added to plug-in.
  9. updated.
  10. General enhancements and bug fixes.

SWAMP Plug-Ins Update

The SWAMP’s open source software and plug-ins for Eclipse and Jenkins were updated recently. Noteworthy changes are listed below. More information about our plug-ins ( and open source software ( can be found on our website.

Eclipse plug-in version 1.0.5:

  1. Fixed a bug that was causing executable bits in the file permissions to not be preserved in the uploaded archives
  2. Fixed a bug that causes results to not be displayed for tools that don’t have bugGroup
  3. Enhanced to use the new platform names that were introduced in SWAMP version 1.31

Jenkins plug-in version 1.0.5:

  1. Enhanced to use the new platform names that were introduced in SWAMP version 1.31
  2. Enhanced assessment status reporting on the console
  3. Fixed a bug that was causing intermittent logouts from SWAMP

Java-cli version 1.3.1:

  1. Added documentation and javadoc for SwampApiWrapper
  2. Added -—quiet Mode for each sub-command
  3. UUID is now printed as the first segment in the output; this should make automation easier.
  4. Changed —-XXX-name options for various sub-commands, now renamed to —name
  5. The undocumented 1.2 version was deprecated.

New updates for

You can now find the following updates on! New

  • Synopsys Static Analysis (Coverity) is now available for assessing C/C++ packages. You must request and receive permission to use this tool and agree to the EULA.
  • We removed from a number of workflows unnecessary pop up notifications affirming that the SWAMP has completed a requested action.
  • To accommodate packages with lengthy build parameters, we’ve increased the number of characters allowed for the Configuration and Build settings for new and existing Packages and Package Versions.
  • Project Ownership permission is no longer required to create and manage SWAMP projects.
  • The Run New Assessments page no longer displays the fields for Tool and Platform selection until you have selected a Package. Note that Platform selection is only available for C/C++ packages.
  • “Latest” is no longer an option for the Platform Version of a new assessment. Instead, the current most recent version is selected by default. When new Platform versions are made available, you will need to create new assessments specifically for those new versions.
  • You can now stop an assessment run in progress. The Assessment Status page displays a “Kill Assessment” button for assessments that are still in the HTCondor queue. The SWAMP removes the corresponding job from the Condor Queue, causing any VM to shut down. The status of the assessment is updated to “Terminated.” Note that it takes approximately 25 seconds for the termination process to complete.
  • Email notifications for completed assessments now correctly report their status as success or failed.
  • The Error Report page for assessments that have “finished with errors” now includes a link to the “Status.out and Debugging SWAMP Failures FAQ” documentation providing information for interpreting assessment errors.
  • Assessments using Android Lint are now displayed in the Native viewer.
  • We added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, PMD, Findbugs, XML lint.
  • The CentOS 5.11 and Scientific Linux 5.11 platforms are no longer supported.
  • SWAMP-in-a-Box v1.31 is available.
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP-in-a-Box Update 1.31

SWAMP-in-a-Box version 1.31.151 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:New

  • Synopsys Static Analysis (Coverity), a tool for assessing C/C++ packages, can now be added to a SWAMP-in-a-Box installation. You must license Synopsys Static Analysis and obtain either the 32-bit or 64-bit tool archive files separately from Synopsys, Inc.
  • Documentation for SWAMP-in-a-Box has been reorganized into an Administrator Manual and a Reference Manual. Each comes as a PDF and HTML document, which can be found in `/opt/swamp/doc` on the SWAMP-in-a-Box host.
  • New versions of the CentOS and Scientific Linux 6.7 (32-bit and 64-bit) assessment platforms are available. If any of these platforms were previously installed as an add-on, we recommend you download and install the updated versions.
  • The CentOS and Scientific Linux 5.11 (32-bit and 64-bit) assessment platforms are no longer supported. If any of these platforms were previously installed as an add-on, they will be removed as part of the upgrade to SWAMP-in-a-Box 1.31.
  • Added new versions and/or updates for the following assessment tools: Checkstyle, error-prone, Findbugs, PMD, and XML Lint.
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP Plug-Ins for Eclipse, Git/SVN, Jenkins

Make sure you are taking advantage of everything the SWAMP has to offer! The SWAMP has created a variety of plug-ins to integrate into the software development lifecycle and to support continuous integration. The SWAMP’s plug-ins are open-source and can connect to the SWAMP site or to your own SWAMP-in-a-Box. Find them here:

  • Eclipse: The Eclipse plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and view the results within the Eclipse Integrated Development Environment (IDE).
  • Git and Subversion: This script is a Git and Subversion hook. Any commit or push of a new version will upload that version of code in the SWAMP. Results are viewable from the SWAMP website.
  • Jenkins: The Jenkins plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Results and trend data can be viewed on the SWAMP website or directly in Jenkins.

Tips for Using the SWAMP

Make sure you are taking advantage of everything the SWAMP has to offer! The Software Assurance Marketplace provides a large variety of static analysis tools and an integrated results viewer designed to highlight weaknesses and vulnerabilities in software. Guarantee that the code you write or the code that you intend to use is secure by perfecting use of the SWAMP.

  • Packages: The packages page allows you to upload files containing your code or link to a code repository to be assessed. The SWAMP will walk you through providing information to build the software. The SWAMP supports a variety of programming languages.
  • Assessments: The assessments page is where you set up an assessment to evaluate your software. Choose a software package, one or more static analysis tools, and a platform. Assessments can be run on a scheduled basis to periodically check your code to make sure that it remains secure.
  • Results: The results page allows you to view the results of an assessment run on a software package using one or more tools on a particular platform. By choosing the CodeDx results viewer, you can view the output from several assessments on the same software package and compare the results found by the different tools.
  • Runs: The runs page shows all of your recurring or scheduled assessment runs. Make sure your software is continuously assured by maintaining scheduled runs.
  • Projects: Projects allow you to collaborate with other SWAMP users. Create a new project and invite others to join. Share a package with a project so others can view the software and assessment results.

SWAMP Contributes to Standard Results Format

The SWAMP is now a participating member of the OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee! The first meeting was held on Wednesday, September 6, 2017. With the help of the SWAMP, the committee will define a standard output format for static analysis tools, otherwise known as SARIF. A standard output would make it “feasible for developers and teams to view, understand, interact with, and manage the results produced by all the tools that they use.” SARIF will support the aggregation of results from a variety of static analysis tools, similar to the way that the SWAMP uses SCARF (SWAMP Common Assessment Result Format) with results viewers today, which allows developers to form an overall picture of program quality and quickly detect problems. This collaboration is another step towards lowering the barriers for software assurance and secure coding. Learn more about SARIF by visiting

« Older Entries