Category Archives: SWAMP-in-a-Box

SWAMP-in-a-Box Update 1.30.114

We have released an update to SWAMP-in-a-Box (SiB) version 1.30. SiB release v1.30.114 contains a few bug fixes and a patch to allow the SWAMP plug-ins to work with SiB. If you have already downloaded or installed SiB v1.30 (v1.30.113), you are not required to download the latest update unless you would like to use the SWAMP plug-ins with your SiB instance.

The updated SWAMP-in-a-Box v1.30.114 is now available for download here or on GitHub. Note that you may still see the version reflected as 1.30, as not all files received the updated 1.30.114 version number, but all appropriate files have been updated.

Let us know if you have any questions at

SWAMP-in-a-Box Update 1.30

SWAMP-in-a-Box version 1.30 is now available for download! The latest files are on GitHub, or you can download the install files here.

Noteworthy changes include:New

  • SWAMP-in-a-Box can now be configured to use an LDAP or LDAP-compatible Active Directory server for managing user accounts.
  • SWAMP-in-a-Box can now be configured to allow GitHub, Google, and CILogon accounts to be linked to SWAMP user accounts, allowing users to sign into the SWAMP using their third-party credentials.
  • The GrammaTech CodeSonar tool for assessing C/C++ packages can now be added to a SWAMP-in-a-Box installation. You must license CodeSonar and obtain either the 32-bit or 64-bit installers for CodeSonar separately from GrammaTech, Inc.
  • SWAMP users can now add Application Passwords to their SWAMP accounts. These passwords can be used with the SWAMP plugins for Eclipse and Jenkins to allow them to connect to the SWAMP without using the users’ main passwords.
  • Java 8 is now the default Java version when creating new Java source and Java bytecode packages.
  • The SWAMP now uses the “recursive” option to include linked sub-modules when pulling code from GitHub to create a new package or when adding a new package version.
  • The Native viewer for assessment results now includes information about the package, tool, and platform used, along with start and completion times, for the assessment.
  • SWAMP users can now change their SWAMP username when editing their profile page.
  • Added new versions and/or updates for the following assessment tools: Brakeman, Dawn, Reek, RuboCop, and ruby-lint.
  • The SWAMP-in-a-Box install and upgrade scripts now configure the web server (Apache) to disallow HTTP connections. The SWAMP must be accessed using HTTPS.
  • The SWAMP-in-a-Box install and upgrade scripts no longer attempt to configure firewall settings on the host. Required configuration is now documented in the `` file that is included with the SWAMP-in-a-Box installer.
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP is at OSCON 2017!

If you are in Austin, TX this week for OSCON 2017, the SWAMP Team wants to see you! If you still need to register for the conference, use our discount code, SWAMP25, to save 25% on your admission.

Visit the Software Assurance Marketplace in Booth #518 on May 10th and 11th! We will be demoing our new plug-ins along with the newest features in SWAMP-in-a-Box.

Several SWAMP team members will also be giving presentations during the conference:

Read more about the SWAMP’s activities here.

OSCON 2017 Exhibiting Banner

End of RHEL 6.7 Support in SWAMP

On May 15, 2017, RHEL 6.7 will be removed from the SWAMP for use as an assessment platform for C and C++ packages. CentOS and Scientific Linux will continue to be supported and can be used as a replacement for RHEL (list of supported platforms in SWAMP). Results from previous assessments using RHEL 6.7 will still be viewable. If you have concerns about this change, contact us at

SWAMP Integrates Assurance Tools into the Software Continuous Lifecycle

May 2, 2017

SWAMP integrates assurance tools into the software continuous lifecycle

Moves mark a major step toward the SWAMP’s vision of continuous assurance

AUSTIN, TX–(Marketwired – May 02, 2017) – OSCON 2017 – The Software Assurance Marketplace (SWAMP) is partnering with major continuous integration systems used by software developers to make software assurance a simple and intuitive element of the development process.

The SWAMP offers a suite of plug-in modules that operate within many of the leading development lifecycle tools relied upon by code developers. Those include integrated development environments (IDEs) such as Eclipse; source code repositories such as GitHub and Subversion; and continuous integration systems such as Jenkins and Travis CI.

These environments, repositories and systems are dramatically improving software developers’ ability to manage workflow through the complex steps of designing, editing, testing and deployment. Given the increased awareness of the importance of developing safe and secure software, incorporating security tools into the continuous software process will make integration that much more efficient for developers.

“We want to ensure that someone going through the continuous integration process can take the extra step of software assurance, and just make it a natural part of the flow,” says Barton Miller, chief scientist of the SWAMP and professor of computer science at the University of Wisconsin-Madison.

“The goal is to fix security issues as soon as possible in the development cycle,” Miller adds. “Every security weakness fixed at the developer’s desktop has a trivial cost, but those same errors could cost millions to fix after release.”

With the push of a button, users in integrated development environment (IDEs) can start the testing process by having their code automatically packaged and sent to the SWAMP. The code will get analyzed across the multiple assurance tools hosted in the SWAMP and the results will be fed back into the IDE in a readable format, prioritizing flaws by level of severity.

Users with higher security thresholds can also run SWAMP analysis entirely in-house. Called “SWAMP-in-a-Box” (SiB), this free, self-contained version of continuous assurance capabilities can be installed on local servers or individual computers, addressing the need of organizations that must or prefer to keep their software assurance activities on premise.

The SWAMP employs federated identity management protocols, so users will not need distinct login credentials for using the SWAMP plugins.

To access the free SWAMP plugins, visit:

“Between the source code repositories, the IDEs and the integration frameworks, we have tried to cover the entire spectrum of software development,” says Miller. “There are almost no real-world projects that don’t use one or more of these systems.”

“This new suite of plugins is a major step in translating the continuous assurance vision of the SWAMP into accessible and easy-to-deploy technologies,” says SWAMP Director Miron Livny, UW-Madison computer scientist and director of core computational technology for the Morgridge Institute for Research.

Miller and colleague Dr. Elisa Heymann will present a tutorial — “Secure Coding Practices and Automated Assessment Tools” — on Monday, May 8 from 9 a.m. – 1:30 p.m. at the O’Reilly OSCON 2017 conference in Austin. For more information, visit:


The Software Assurance Marketplace is a joint effort of four research institutions — the Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison — to advance the capabilities and to increase the adoption of software assurance technologies through an open continuous assurance technologies and a shared facility. The SWAMP is funded by the Department of Homeland Security-Science & Technology Directorate. Services include access to 30 software assurance tools, a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their testing tools, and high throughput computing capacity.

For more information, visit


Barton Miller

Press Release

SWAMP & Secure Development for the Cloud

MISTI logoIn today’s MISTI blog post, “Secure Development for the Cloud,” author Randall Brooks mentions SWAMP and SWAMP-in-a-Box as great resources for organizations with limited funds who are looking for secure coding solutions. Incorporating many free and open-source analysis tools, the Software Assurance Marketplace offers both cloud-based and on-premises solutions for continuous software assurance. Read the full article.

Brooks will also be presenting at the upcoming 2017 InfoSec World Conference in Orlando. Session B4 “Secure Development for the Cloud” will include a bit about the SWAMP. Catch the presentation on Monday, April 3 at 2:15pm-3:05pm.

SWAMP-in-a-Box Update 1.29

SWAMP-in-a-Box version 1.29 is now available for download! The latest files are on GitHub, or you can download the install files here. Noteworthy changes include:New

  • Added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • Addition of 9 assessment tools for web scripting languages: CSS Lint (for CSS), ESLint (for JavaScript), Flow (for JavaScript), HTML Tidy (for HTML and XML), JSHint (for JavaScript or HTML files with inline JavaScript), PHPMD (for PHP), PHP_CodeSniffer (for PHP, JavaScript, and CSS), Retire.js (for JavaScript), and XML Lint (for XML).
  • Added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, and PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the local file system or enter an external URL and a checkout argument (branch, tag, or commit) for a remote Git repository.
  • Improved error reporting for assessment failures. Successful assessment runs are no longer erroneously reported as having finished with errors. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.
  • Minimum hardware requirements have increased to 4 CPU cores and 16 GB of RAM.

Let us know if you have any questions at

« Older Entries