Category Archives: SWAMP-in-a-Box

SWAMP-in-a-Box v1.33.4 Compatibility Issue

SWAMP-in-a-Box version 1.33.4 and previous versions are not compatible with the latest version of guestfish (libguestfs 1.38.2), which is included in CentOS 7.6.

Specifically, assessments will not run and results cannot be viewed in Code Dx. When running an assessment, the status “htcondor submit aborted – uuid queued” or “failed to launch” is displayed on the Assessment Results page. When attempting to view results in Code Dx, “Unable to Start VM” is displayed on the Preparing Results page.

Performing a ‘yum update’ on an existing SWAMP-in-a-Box installation on CentOS 7 will install guestfish 1.38.2. Likewise, running the ‘install-all.bash’ script to install required dependencies for a new SWAMP-in-a-Box installation on CentOS 7 will install guestfish 1.38.2.


To determine which version of guestfish is installed, run the following command:
# guestfish –version


To downgrade to a version of guestfish that is compatible with SWAMP-in-a-Box version 1.34.4, do the following:

1. Download these files and move them to your SWAMP-in-a-Box:

2. ‘cd’ to the directory containing the files downloaded above

3. Downgrade the guestfish packages to 1.36.10 (may require ‘sudo’)
# yum downgrade ./libguestfs* ./perl-Sys-Guestfs*

4. Update permission on the platforms directory (may require ‘sudo’)
# chmod 755 /swamp/platforms/images


This issue does not affect a SWAMP-in-a-Box install on CentOS 6. The version of guestfish available for CentOS 6.10 is currently version 1.20.11.

Let us know if you have any questions at

SWAMP-in-a-Box Update v1.33.4

SWAMP-in-a-Box version 1.33.4 is now available from GitHub or the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • An updated version of the Ubuntu Linux version 16.04 platform is now available and will be automatically installed with SWAMP-in-a-Box 1.33.4.
  • SWAMP-in-a-Box now automatically re-tries (up to three additional times) assessments that finish with an error related to networking. This includes assessments for which a VM does not have network connectivity or for which OS dependencies cannot be installed. In many cases, these assessments succeed on the first retry.
  • SWAMP-in-a-Box administrators can now configure which viewer is initially selected on the Assessment Results page. When SWAMP-in-a-Box 1.33.4 is installed, this configuration is set to use the Native Viewer. Note that this is only applicable if a third-party viewer has been added to SWAMP-in-a-Box.
  • Parasoft C/C++test versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft C/C++test and obtain either the 32-bit or 64-bit tool archive files separately from Parasoft.
  • Parasoft Jtest versions 10.3.4 and 10.4.0 can now be added to a SWAMP-in-a-Box installation. You must license Parasoft Jtest and obtain the 64-bit tool archive files separately from Parasoft. 
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP Plug-Ins Updates

Updates are now available for the following SWAMP plug-ins:

If a user submits an assessment with a tool that they do not have permission to use, the assessment is not submitted and an error is reported to the user.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub:

SWAMP Plug-Ins Updates

Updates are now available for the following pieces of SWAMP open-source software!

  • Java-CLI version 1.5.3
  • SWAMP-Jenkins-Plugin version 1.2.2
  • SWAMP-Eclipse-Plugin version 1.1.3

These updates address a cookie expiration issue that was impacting plug-ins used with SWAMP-in-a-Box instances that did not have the time set to current.

SWAMP plug-ins can be found in the Jenkins and Eclipse marketplaces and on GitHub:

SWAMP-in-a-Box Update v1.33.1

SWAMP-in-a-Box version 1.33.1 is now available from GitHub or the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • Updated settings for the Ubuntu 16.04 platform to reduce the frequency with which assessments fail in the Install OS Dependencies step. The new platform file, condor-ubuntu-16.04-64-master-2018012491.qcow2, will be installed automatically with a SWAMP-in-a-Box upgrade to v1.33.1.
  • Fixes to prevent Ruby assessment failures
  • When using the latest versions of the Safari web browser, you can now create a new package or package version using a GitHub URL.
  • C assessments now support the arm cross compiler.
  • Configuration options for the Clang Static Analyzer tool. Please contact SWAMP support for details.
  • The swamp_check_install script (which is run at the end of an install or upgrade, but can also be run manually) has been updated so that it no longer incorrectly reports that the mysql service is not running on CentOS 6 with a recent yum update.
  • Ability to remove Sign-Up functionality to prevent additional users from signing up.
  • Phone support is no longer available. For SWAMP-in-a-Box support, please email To report a security incident, please
  • General enhancements and bug fixes.

Let us know if you have any questions at

SWAMP-in-a-Box Update 1.33

SWAMP-in-a-Box version 1.33 is available! The latest files can be found on GitHub or obtained from the SWAMP-in-a-Box download server.

Noteworthy changes include:New

  • SWAMP-in-a-Box administrators can now configure where the SWAMP web application’s backend stores its log entries. After installing or upgrading to SWAMP-in-a-Box version 1.33, the web application’s backend will create daily log files in /var/www/swamp-web-server/storage/logs. The web application’s backend can also be configured to make log entries in the system log, which is where they were made in previous versions of SWAMP-in-a-Box. Refer to the SWAMP-in-a-Box Reference Manual for details.
  • CentOS and Scientific Linux 7 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. Any versions of GrammaTech CodeSonar and Synopsis Static Analysis (Coverity) that were previously installed will not work with these new platforms. Refer to the SWAMP-in-a-Box Administrator Manual for instructions on re-creating the SWAMP tool archives for these tools and adding them to the SWAMP.
  • Updated versions of the CentOS and Scientific Linux 6.9 (32-bit and 64-bit) assessment platforms are now available for C/C++ packages. If a CentOS or Scientific Linux 6 platform was previously installed, download and install these new versions.
  • Code Dx version 2.8.3, a viewer for analyzing the results from assessments, can now be added to a SWAMP-in-a-Box installation. You must obtain Code Dx separately from Code Dx, Inc.
  • To support SWAMP-in-a-Box installations that do not have internet access, we have updated the tool archive for retire.js version 1.2.10 to include documentation and scripts for creating a version of the tool archive that bundles vulnerability data instead of downloading it from the internet for each assessment.
  • SWAMP-in-a-Box no longer requires that the host be configured with a timezone of UTC, and the SWAMP-in-a-Box installer and upgrader no longer modifies the host’s timezone. All dates and times in the SWAMP web application are displayed in the web browser’s local time. All dates and times in log files are in the host’s local time. All dates and times stored with database records are converted to UTC.
  • SWAMP-in-a-Box now includes a script for checking the health of the installation. Refer to the Troubleshooting section of the SWAMP-in-a-Box Administrator Manual for details.
  • SWAMP users can now add a list of paths to files or directories to exclude from assessments for Python, Ruby, and Web Scripting packages. For Ruby packages, this does not apply to the tools Dawn and Brakeman, which do whole program analysis.
  • General enhancements and bug fixes.

Let us know if you have any questions at

With SWAMP-in-a-Box, Bring Your Own License and Turbo-Charge Software Assurance

February 28, 2018

With SWAMP-in-a-Box, ‘Bring Your Own License’ and turbo-charge software assurance

MADISON, WI–(GlobeNewswire – February 28, 2018) – In the drive to reduce software security flaws, the Software Assurance Marketplace (SWAMP) project has enhanced its portable platform that brings a comprehensive suite of software assurance tools to the programmer’s desktop.

This open-source SWAMP-in-a-Box (SiB) platform now integrates more than 30 tools, both open source and commercial, into a customizable, easy to deploy capability, significantly reducing the barriers to entry for using such tools.

Using multiple tools to regularly scan software is the cornerstone of continuous assurance – the practice of integrating software assurance into the continuous cycle of modern software development. As a continuous assurance platform, SiB facilitates software assessment with multiple assurance tools. The new “Bring Your Own License” model allows organizations to integrate already-purchased commercial tools into their locally deployed SWAMP-in-a-Box instance.

Organizations need only to acquire a license for the commercial tools supported by SiB or use an existing license that they have acquired. The result is hassle-free continuous assessments with the tools of their choice. “Bring Your Own License” capabilities further the SWAMP’s goal of offering a one-stop continuous assurance resource for developers throughout the software development life cycle.

“We continuously receive requests from organizations who deploy SiB to add support for additional tools,” says Miron Livny, SWAMP director and chief technology officer. “In close collaboration with vendors, we work to integrate new commercial tools while maintaining the tool-neutrality of our platform. Our goal is to make the software assurance process simpler and more effective for all parties involved in the software assurance eco-system.”

While hundreds of software assurance tools are available to the development community, the SWAMP is working to maximize its impact by forging partnerships with industry-leading tool providers. Partnerships have been established with vendors such as Parasoft, Synopsys, GrammaTech, and PRQA. The SWAMP is actively seeking new partnerships with software assurance and security tool providers in both the commercial and open-source sectors.

“The vendors provide the state of the art assurance tools; we make the tools easy to run by making them a natural part of the programmer’s workflow and helping with the best configuration settings for each,” says Bart Miller, University of Wisconsin-Madison computer scientist and chief scientist for the SWAMP. “We not only help save time, but our continuous assurance platform will also help users get the maximum benefit out of their tools by doing all the configuration work up-front.”

Whether it be small businesses or individual developers, SiB gives organizations peace of mind that the tools are properly installed, maintained, and have the latest upgrades.

The SiB continuous assurance platform is freely available. It can be easily deployed, configured on local hardware, and placed behind a firewall. This allows all assessments to be run locally or with no outside connections, increasing privacy and security for organizations with sensitive and proprietary materials.

To learn more about integrating licensed software tools with SWAMP-in-a-Box, join a free webinar on Thursday, March 8 hosted by Parasoft. This webinar will provide a case-study overview of the SWAMP’s partnership with Parasoft.

Vendors interested in partnering with the SWAMP project may contact Project Manager Irene Landrum at 608-316-4114 or Developers interested in learning more about SiB can visit:


The Software Assurance Marketplace is a joint effort of four research institutions – The Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign, and the University of Wisconsin-Madison – to advance the capabilities and to increase the adoption of software assurance technologies through open continuous assurance capabilities and a shared facility. The SWAMP project is funded by the Department of Homeland Security Science & Technology Directorate. Services include access to high throughput computing capacity, over 30 software assurance tools, and a library of more than 280 open-source code samples with known vulnerabilities to help developers improve the quality of their static and dynamic testing tools. For more information, visit


Irene Landrum
Morgridge Institute for Research


Press Release

« Older Entries Recent Entries »