Open Source Software

The Software Assurance Marketplace (SWAMP) is committed to advancing the state of cybersecurity and improving the resilience of the open-source software relied upon throughout the software community. As such, the software produced by the SWAMP team is available on GitHub for review and download.

SWAMP-in-a-Box

SWAMP-in-a-Box (SiB) is an on-premise or local instance of the SWAMP. More information can be found on the SWAMP-in-a-Box page and on GitHub. The code and ready-to-install version are available from our SWAMP-in-a-Box download server or on GitHub.

https://github.com/mirswamp/deployment

Plug-Ins

The SWAMP offers several plug-ins to integrate into your software development lifecycle and to support continuous integration. These plug-ins allow assessments with any of the tools supported by the SWAMP. Results can be viewed directly in the SWAMP, or for Eclipse and Jenkins, directly within the product. Instructions for installation and configuration can be found on GitHub.

Eclipse

This plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and to view the results within the Eclipse Integrated Development Environment. The plug-in can be found in the Eclipse Marketplace as SWAMP Eclipse Plug-in or on GitHub.

https://github.com/mirswamp/swamp-eclipse-plugin

Git and Subversion

This script is a Git and Subversion hook. Any commit or push of a new version uploads that version of the code to the SWAMP. Results are viewable from the SWAMP website.

https://github.com/mirswamp/swamp-scms-plugin

Jenkins

This plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Trend data and results are viewable directly in Jenkins. The plug-in can be found in the Jenkins Plugins Index or on GitHub.

https://github.com/mirswamp/swamp-jenkins-plugin

Scarf-db

The SWAMP runs software assurance tools and converts the results of each tool into a common format called SCARF (SWAMP Common Assessment Result Format). The scarf-db program uploads SCARF results into a NoSQL database (MongoDB) or SQL databases (PostgreSQL, MySQL, MariaDB, or SQLite3).

https://github.com/mirswamp/swamp-scarf-db

Scarf-io

The SWAMP runs software assurance tools and converts the results of each tool into a common format called SCARF (SWAMP Common Assessment Result Format). The scarf-io repository contains a set of libraries that allow a client to read and write SCARF data from programs written in Perl, Python, C, C++, and Java (read-only). SCARF is an XML-based file format, but an experimental JSON file format is also supported.

https://github.com/mirswamp/swamp-scarf-io

Java CLI

The Java CLI is a Java library and a command line interface that provides many common operations to a SWAMP instance. These include getting a list of projects, packages, versions of packages, assessments, tools, and platforms. Users can also create packages, upload new versions of a package, configure and start an assessment, check the status of an assessment, and download SCARF results.

https://github.com/mirswamp/java-cli

Assessment Frameworks

Assessment frameworks are responsible for providing all of the necessary files to a virtual machine in order to successfully build and assess software in the SWAMP. The frameworks below are used for each of the programming languages currently supported in the SWAMP.

C/C++

The C-assess framework enables assessments of C/C++ software packages in the SWAMP. It has build monitoring capabilities to monitor builds that use Make, CMake, or any other build system, and it runs the software assurance tools with the exact files and options used during the build step.

https://github.com/mirswamp/c-assess

Java

The Java-assess framework enables assessments of Java software packages in the SWAMP. It has build monitoring capabilities to monitor builds that use the following build systems: Apache Ant, Apache Maven, and Apache Gradle. It also enables the analysis of Java bytecode packages and Java packages that do not use any build system in the SWAMP.

https://github.com/mirswamp/java-assess

Ruby

The Ruby-assess framework enables assessments of Ruby software packages in the SWAMP. It helps to analyze Ruby source packages that use the following build systems: bundler+rake, bundler+other, rake, and other. It can also analyze Ruby gems.

https://github.com/mirswamp/ruby-assess

Python, PHP, JavaScript, HTML, CSS, XML

The script-assess framework enables assessments of Python, PHP, JavaScript, HTML, CSS, and XML software packages in the SWAMP. It helps to analyze the following package types or build systems: npm (JavaScript), composer (PHP), pear (PHP), wheels (Python), setuptools (Python), and packages that do not use any build system in the SWAMP.

https://github.com/mirswamp/script-assess

Result Parser

The SWAMP Result Parser is a program that converts results for all the tools supported in the SWAMP from their native tool output to the SWAMP Common Assessment Result Format (SCARF).

https://github.com/mirswamp/resultparser