Open Source Software
The Software Assurance Marketplace (SWAMP) is committed to advancing the state of cybersecurity and improving the resilience of the open-source software relied upon throughout the software community. As such, the software produced by the SWAMP team is available on GitHub for review and download.
SWAMP-in-a-Box (SiB) is an on-premise or local instance of the SWAMP. More information can be found on the SWAMP-in-a-Box page and on GitHub. The code and ready-to-install version are available from our SWAMP-in-a-Box download server or on GitHub.
Plug-ins
The SWAMP offers several plug-ins that integrate into your software development lifecycle and support continuous integration. These plug-ins allow assessments with any of the tools supported by the SWAMP. Results can be viewed in the SWAMP or, for Eclipse and Jenkins, directly within the product. Instructions for installation and configuration can be found on GitHub.
Eclipse
This plug-in allows Java and C/C++ Eclipse users to perform static code assessments in the SWAMP and to view the results within the Eclipse Integrated Development Environment. The plug-in can be found in the Eclipse Marketplace as SWAMP Eclipse Plug-in or on GitHub.
Git and Subversion
This script is a Git and Subversion hook. Any commit or push of a new version uploads that version of the code to the SWAMP. Results are viewable from the SWAMP website.
Jenkins
This plug-in allows projects using Jenkins to perform static code assessments in the SWAMP as part of a build. Trend data and results are viewable directly in Jenkins. The plug-in can be found in the Jenkins Plugins Index or on GitHub.
scarf-db
The SWAMP runs software assurance tools and converts the results of each tool into a common format called SCARF (SWAMP Common Assessment Result Format). The scarf-db program uploads SCARF results into a NoSQL database (MongoDB) or a SQL database (PostgreSQL, MySQL, MariaDB, or SQLite3).
scarf-io
The scarf-io repository contains a set of libraries that allow a client to read and write SCARF data from programs written in Perl, Python, C, and C++, and to read it from Java (read support only). SCARF is an XML-based file format; an experimental JSON encoding is also supported.
Java CLI
The Java CLI is a Java library and command line interface that provides many common operations against a SWAMP instance. These include listing projects, packages, versions of packages, assessments, tools, and platforms. Users can also create packages, upload new versions of a package, configure and start an assessment, check the status of an assessment, and download SCARF results.
Assessment Frameworks
Assessment frameworks are responsible for providing all of the files a virtual machine needs to build and assess software in the SWAMP. The frameworks below are used for each of the programming languages currently supported in the SWAMP.
The C-assess framework enables assessments of C/C++ software packages in the SWAMP. It has build monitoring capabilities for builds that use Make, CMake, or any other build system, and it runs the software assurance tools with the exact files and options used during the build step.
The Java-assess framework enables assessments of Java software packages in the SWAMP. It has build monitoring capabilities for builds that use the following build systems: Apache Ant, Apache Maven, and Apache Gradle. It also enables the analysis of Java bytecode packages and of Java packages that do not use any build system.
The Ruby-assess framework enables assessments of Ruby software packages in the SWAMP. It analyzes Ruby source packages that use the following build systems: bundler+rake, bundler+other, rake, and other. It can also analyze Ruby gems.
SWAMP Result Parser
The SWAMP Result Parser is a program that converts the results of every tool supported in the SWAMP from the tool's native output to the SWAMP Common Assessment Result Format (SCARF).