This plugin allows you to submit SWAMP assessments during Jenkins builds. The SWAMP assessment will use open source static analysis tools to test your source code for vulnerabilities and flaws. For more information on the SWAMP, visit https://continuousassurance.org For more information on Jenkins, visit https://jenkins.io/
The usage of this plugin requires the following:
-
A functional instance of Jenkins.
If you do not have a Jenkins installation, go to https://jenkins.io to get Jenkins.
A good tutorial for how to set it up is at http://www.tutorialspoint.com/jenkins/. -
A valid SWAMP account.
We suggest that you create an Application Password for use with Jenkins.
If you do not have an account, go to https://continuousassurance.org to register.
To use the SWAMP Assessment Plugin it must first be installed using either the Jenkins plugin store, or using a .hpi file containing the plugin.
The SWAMP Jenking Plugin can be installed directly from Jenkins using the on-line plugins available within Jenkins using the following steps:
-
Go to your Jenkins URL in a web browser
-
Click Manage Jenkins → Manage Plugins
-
Click the Available tab
-
Enter SWAMP in the search field at the top right of the page
-
Click the install checkbox next to the SWAMP Plugin
-
Click the install without restart button
-
Click the Go back to the top page link
To update the SWAMP Plugin
-
Go to your Jenkins URL in a web browser
-
Click Manage Jenkins → Manage Plugins
-
Click the Updates tab
-
Enter SWAMP in the search field at the top right of the page
-
Click the install checkbox next to the SWAMP Plugin
-
Click the Download now and install after restart button
-
Click the Go back to the top page link
|
Warning
|
Reconfiguration required if updating from
1.0.x or 1.1.x versions to 1.2.x or higher.Starting |
The SWAMP Jenkins Plugin can be installed directly from Jenkins using the on-line plugins available within Jenkins using the following steps:
-
Go to your Jenkins URL in a web browser
-
Click Manage Jenkins → Manage Plugins
-
Click the Available tab
-
Enter SWAMP Plugin in the search field at the top right of the page
-
Click the install checkbox next to the SWAMP Plugin
-
Click the install without restart button
-
Click the Go back to the top page link
The SWAMP Jenkins plugin can be installed directly from SWAMP.hpi file using the following steps:
-
Aquire the SWAMP.hpi on your computer from https://github.com/mirswamp/swamp-jenkins-plugin
-
Go to your Jenkins URL in a web browser
-
Click Manage Jenkins → Manage Plugins
-
Click the Advanced tab
-
In the Upload Plugin section, click the Browse button and select the SWAMP.hpi file on your computer
-
Click the Upload button
-
Click the install without restart button
-
Click the Go back to the top page link
If you are using an SiB instance that uses a self-signed SSL/TLS certificate then, the SWAMP Jenkins plugin will fail to communicate with that SiB instance. The reason being Java’s security model by default does not allow communicating with a web-service that has a self-signed SSL/TLS certificate. To overcome this restriction, the web-service’s self-signed SSL/TLS certificate has to be added to the Java installation’s default keystore on the machine that is running the Jenkins server. The following are the instructions on how to do it:
-
Access the SiB from the web-browser and download the SiB’s self-signed certificate by following these instruction here: https://www.thesslstore.com/blog/how-to-view-ssl-certificate-details-in-chrome-56/
-
Run the following commands to add the self-signed certificate to the Java installation’s keystore:
-
Change the present working directory to your Java installation directory +
jre/lib/security/.cd $JAVA_HOME/jre/lib/security
-
Make a backup copy of the
cacertsfilecp cacerts cacerts.original
-
Add the certificate to the keystore (Assuming here that the self-signed certificate is stored on the desktop as www.sib-swamp.org.cer)
sudo keytool -importcert -alias sib-name -file ~/Desktop/www.sib-swamp.org.cer -keystore $PWD/cacerts
The SWAMP Jenkins Plugin must be configured before use. Starting version 1.1.3, SWAMP plugin uses Credentials API.
This configuration is modified on the following web interface:
-
Go to your Jenkins URL in a web browser
-
Click Manage Jenkins → Configure System
-
Scroll to the SWAMP Configuration Section (near the bottom of the configuration page), and enter the following:
| Parameter | Description |
|---|---|
Swamp URL |
URL of SWAMP web site. The default is the SWAMP public instance at https://www.mir-swamp.org. If you are using SWAMP-in-a-Box, contact your administrator for the URL to use. |
Credentials |
|
Swamp Credentials |
Select the SWAMP credentials from the drop-down list. If SWAMP credentials are not in the list, Add Credentials by clicking on Add button and choosing Jenkins (Jenkins Credentials Provider). In the Add Credentials page: 1. Choose a Domain to store SWAMP credentials. This is optional, default is Global Credentials (unrestricted). Users can create a domain to group credentials by going to Jenkins → Credentials and selecting Add Domain in the Jenkins drop-down list. 2. For Kind, Select Username with password from the drop-down list. 3. For Scope, choose Global. 4. Enter SWAMP username and password in the Username and Password text boxes. 3. In the Description textbox, enter SWAMP or any string that lets you distinguish SWAMP credentials. 4. Leave the ID text-box empty. 5. Save the credentials by clicking on the Add button. NOTE: If you use third party credential such as github to log into SWAMP then, create and use a SWAMP Application Password. |
Test Connection Button |
Use this button to validate the credentials and URL that you have entered |
Global Project Settings |
|
Default Project |
The default project to be used for each upload Can be modified in build settings |
Miscellaneous Options |
|
Verbose Mode |
Provide extra output for status updates and error checking |
-
Go to your Jenkins URL in a web browser
-
Click on the project link that you want to assess with the SWAMP
-
Click on the Configure link for the project on the left side
-
Scroll to the Post Build Actions section (or click the Post Build Actions tab)
-
Click the Add Post Build Action button and select "Swamp Assessment"
-
In the SWAMP Assessment section, fill out the data as follows:
| Parameter | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
Package Settings |
|||||||||
Package Directory |
If the main directory of your package is located in a subdirectory, enter it here. |
||||||||
Package Name |
Enter the name of your package here. This is the name that will be used in the SWAMP UI. |
||||||||
Package Version |
Enter the version string of your package. Every build should have a unique version String. The following macros may be used
If you do not update the version number each build (either using any of the above options or manually updating the version) then submissions will have the same version and be difficult to distinguish in the user interface. |
||||||||
Package Language |
The language that your package uses. |
||||||||
Build Settings |
|||||||||
Build System |
Select the build system your project uses. |
||||||||
Build Directory |
Enter a value if your software needs to build in different directory than the Package Directory. The directory is relative this the Package Directory |
||||||||
Build File |
Leave blank if using a standard build file name for the select Build System (i.e. build.xml for Ant, pom.xml for Maven, Makefile for Make) Enter a path to the file if the build file is using a non standard name. The path is relative to the Build Directory. |
||||||||
Build Target |
If building your package requires a special build target, enter it here, otherwise leave blank |
||||||||
Build Command |
If your package uses a build command other than a standard type specified by the build system enter it here. Otherwise leave blank and the command will be determined by the Build System. (Syntax is Bash) |
||||||||
Build Options |
If your package requires options to passed to the build command, enter it
here (e.g. |
||||||||
Configuration Command |
If your package requires a configuration command, enter it here. If left blank, the configuration will be called without a command. (Syntax is Bash) |
||||||||
Configuration Options |
If your package requires configuration options, enter them here similarly to the build options. |
||||||||
Clean Command |
Enter the command to clean your build.
Leave blank to use the |
||||||||
Assessment Settings |
|||||||||
Project Name |
The name of the project to use in the SWAMP. |
||||||||
Click Add to configure the Tool and Platforms to use: |
|||||||||
Tool |
Select the tool you would like to use for this assessment. |
||||||||
Platform |
Select the platform you would like to use for this assessment. |
||||||||
Output Settings |
|||||||||
Assessment Output Directory |
Places the output of the assessments from the SWAMP in this directory from the workspace. |
||||||||
When you run a build through any method (i.e. build button, git hook, etc.), the SWAMP Jenkins Plugin will send the package to the SWAMP for assessment. To view the status of your build, go to your project → build * (listed on the left hand side, pick the most recent build) → console output
Results from the assessments are viewable in Jenkins on completion. These results will be viewable in the source code, and will also be parsed into a graph. This graph is configurable by clicking the configure link beneath the graph.
Otherwise, the SWAMP web site can be used to view results of your assessments:
-
Login to the SWAMP as normal.
-
Click Results
-
Click the checkbox next to the assessment results you would like to review
-
Click View Assessment Results button
SWAMP plugin uses the http proxy settings specified on the standard jenkins interface https://wiki.jenkins.io/display/JENKINS/JenkinsBehindProxy.
Incase if you do not want the SWAMP plugin to use the http proxy, specify the SWAMP URL in the No Proxy Host section in the proxy settings.