The SWAMP Java CLI is a Java library and a command line interface that provides many common operation on a SWAMP instance. These operations include getting the list of projects, packages, versions of packages, assessments, tools and platforms. Creating packages, uploading new versions of a package, configuring and start an assessment, checking the status of an assessment, and downloading SCARF results.
From https://github.com/mirswamp/java-cli/releases page, download the latest java-cli-X.Y.Z.zip archive, where X.Y.Z stands for the latest release version number.
Extract/Unarchive the java-cli-X.Y.Z.zip file. This extracts all the files into java-cli-X.Y.Z directory. The executable files are in the bin directory and the main jar file is in the lib
For rest of this document we will use 1.5.0 as the reference CLI version and Linux as the reference OS.
|
Note
|
Pre-requisites for running the Java CLI is Java-7 or above. |
On Posix compatible systems run the following command from the java-cli-X.Y.Z directory:
./bin/swampOn Windows systems run the following command from the java-cli-X.Y.Z directory:
.\bin\swamp.batUsers can also run the jar file directory by running the following command from the java-cli-X.Y.Z directory:
java -jar lib/java-cli-1.5.0-with-dependencies.jarIf any of the above command is successful, the program display sub-commands available:
------------------------------------------------------------------------
Usage: <program> <sub-command> <options>
------------------------------------------------------------------------
<sub-command> must be one of the following:
login
logout
packages OR package
assessments OR assess
results
projects OR project
tools OR tool
platforms OR platform
status
user
------------------------------------------------------------------------
For information on the <options> for a <sub-command> execute:
<program> <sub-command> --help or <program> <sub-command> -H
------------------------------------------------------------------------
For version: <program> --version or <program> -V
For help: <program> --help or <program> -H
------------------------------------------------------------------------SiB instances may have self-signed SSL/TLS certificates. Java’s security model by default does not allow communicating with a web-service that has a self-signed SSL/TLS certificate. To overcome this restriction, the web-service’s self-signed SSL/TLS certificate has to be added a java keystore on the machine that is running the CLI. The following are the instructions on how to do it:
-
Go to SiB from the web-browser and download the SiB self-signed certificate by following these instruction here: https://www.thesslstore.com/blog/how-to-view-ssl-certificate-details-in-chrome-56/
-
Run the following commands to add the self-signed certificate to a user’s custom
keystore:
-
Make a copy of the
cacertsfile in$JAVA_HOME/jre/lib/security/directory to a local directory:cp $JAVA_HOME/jre/lib/security $PWD
-
Add the certificate to the
keystore(Assuming here that the self-signed certificate is stored on the desktop as www.sib-swamp.org.cer)sudo keytool -importcert -alias sib-name -file ~/Desktop/www.sib-swamp.org.cer -keystore $PWD/cacerts
To check if CLI works with your SiB instance, run login sub-command, see section Login Sub-Command
Connecting to SWAMP via a http proxy server is supported via standard environment variables, java system properties or options to login sub-command.
In your environment, setup the environment variables http_proxy or https_proxy in the format http[s]_proxy=http[s]://[<username>:<passoword>]@<proxy_host>[:<proxy_port>]
% export http_proxy=http://squid.cs.wisc.edu:3128
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties% export http_proxy=http://user1:password1@squid.cs.wisc.edu:3128
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties% export https_proxy=https://user1:password1@squid.cs.wisc.edu:3128
% ./bin/swamp login --filepath ./scripts/resources/userinfo.propertiesPass the following java properties to the java-cli’s login sub-command:
-
http.proxyHost -
http.proxyPort -
http.proxyUser -
http.proxyPassword
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties -Dhttp.proxyHost=squid.cs.wisc.edu -Dhttp.proxyPort=3128
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties -Dhttp.proxyHost=squid.cs.wisc.edu -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user1 -Dhttp.proxyPassword=password1
Pass the following java properties to the java-cli’s login sub-command:
. https.proxyHost
. https.proxyPort
. https.proxyUser
. https.proxyPassword
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties -Dhttps.proxyHost=squid.cs.wisc.edu -Dhttps.proxyPort=3128
% ./bin/swamp login --filepath ./scripts/resources/userinfo.properties -Dhttps.proxyHost=squid.cs.wisc.edu -Dhttps.proxyPort=3128 -Dhttps.proxyUser=user1 -Dhttps.proxyPassword=password1
SWAMP Java CLI provides sub-commands to perform various operations on SWAMP. A sub-command is the first argument to the CLI program. Each sub-command has its own set of options and arguments. Java CLI supports the following sub-commands
| Sub-Command | Description |
|---|---|
login |
Login into SWAMP |
logout |
Logout of SWAMP |
packages |
Upload a package to SWAMP, list the uploaded packages |
tools |
Get the list of tools |
assess |
Assess an already uploaded package with SWAMP tools |
platforms |
Get the list of supported platforms |
projects |
Get the list of projects the user is associated of |
status |
Get the status of an assessment |
results |
Download SCARF results |
user |
Information about the current user |
To get help on each of the sub-command in the above list run ./bin/swamp <sub-command> --help or ./bin/swamp <sub-command> --H.
login sub-command is used to login into SWAMP. The login sub-command supports the following options:
| Option | Value |
|---|---|
|
URL for SWAMP host. default is |
|
Custom keystore (that has SSL/TLS certificate for SiB) file path |
|
URL for http proxy, format: http[s]://<username>:<passoword>@<proxy_host>:<proxy_port> |
|
Properties file containing username, password, proxy settings, keystore file path |
|
Lets SWAMP user type username and password on the terminal |
|
Does not show the login status message |
The properties file provided to the option --filepath must have the following as key value pairs:
username=<swamp-username>
password=<swamp-password>|
Note
|
To login to SWAMP via java-cli or any other SWAMP plugins, we recommend using SWAMP application passwords instead of your SWAMP username and password. Please see Application Passwords section.
|
The properties file provided to the option --filepath can also have the following additional key value pairs:
proxy=http[s]://[<username>:<passoword>]@<proxy_host>[:<proxy_port>]
keystore=<keystore-filepath>If the login is successful, the following output is displayed on the console, with a command exit status 0.
Login successfulOnce logged in, a SWAMP session is valid for 48 hours.
We recommend using SWAMP application passwords (instead of your SWAMP username and password) to access SWAMP via java-cli or other SWAMP plugins. If you use a github or any other third party identity provider to access SWAMP then you may not have SWAMP username and password.
To get an username and an application password, do the following:
-
Login to SWAMP via web interface and go to My Account page (https://www.mir-swamp.org/#my-account).
-
Select My Profile tab
-
Copy the value with Username label in the My Profile tab. This is the username that you must use to login via java-cli or other SWAMP plugins.
-
-
Select Application Passwords tab.
-
Create a new password by clicking on the Add New Password button. This is the password that you must use to login via java-cli or other SWAMP plugins.
-
logout sub-command is used to logout of SWAMP. The logout sub-command supports the following additional options:
| Option | Value |
|---|---|
|
Does not show the logout status message |
If the logout is successful, the following output is displayed on the console, with a command exit status 0.
Logout successfulpackages sub-command can be used for the following:
-
Upload a package to SWAMP
-
List supported package types
-
List user packages
-
Delete user packages
To upload a package, use --upload option with the packages sub-command.
The packages sub-command with --upload option supports the following additional options:
| Option | Value |
|---|---|
|
Path to the archive of the package. This option is required |
|
Path to package.conf file for the package. This option is required |
|
Flag/Option to specify if this should be a new package instead of a package version. If a package with the same name already exist, CLI adds this package as a package version. |
|
OS package dependencies specified as |
|
Name or UUID of the project that this package must be added to. default is MyProject |
|
UUID of the project that this package must be added to. This option is deprecated, use |
--quiet |
With this flag, the sub-command prints only the Package UUID with no formatting. |
Example:
./bin/swamp package --upload --pkg-archive /home//swamp/api-dev/java-cli/scripts/resources/test_packages/railsgoat-9052b4fcf0/railsgoat-9052b4fcf0.zip -pkg-conf /home//swamp/api-dev/java-cli/scripts/resources/test_packages/railsgoat-9052b4fcf0/package.conf --os-deps 'ubuntu-16.04-64=libsqlite3-dev libmysqlclient-dev' --new-pkgIf the above command is successful, the output will be:
Package Version UUID
d5821bf0-5719-4e33-a49c-f31a912eaa15To display the types of software packages supported by SWAMP, --types option is used with the package sub-command.
Example:
./bin/swamp package --typesExample output from the above command:
Type
Android .apk
Android Java Source Code
C/C++
Java 7 Bytecode
Java 7 Source Code
Java 8 Bytecode
Java 8 Source Code
Python2
Python3
Ruby
Ruby Padrino
Ruby Sinatra
Ruby on Rails
Web ScriptingTo list packages uploaded by a user, use --list option with the package sub-command.
The package sub-command with the --list option accepts the following additional options:
| Option | Value |
|---|---|
|
Only show packages of this package type |
|
Only show packages in this Project (Name or UUID) |
|
Show packages that are part of the project with this UUID only. This option is deprecated, use |
|
Do not print Headers, Description, Type |
|
Print UUIDs also |
Example:
./bin/swamp packages --list --project MyProjectExample output from the above command:
Package Description Type Version
webgoat-lessons No Description Available Java 8 Source Code 7.1
swamp-java-api Java 8 Source Code dc2c04b
swamp-gradle-example No Description Available Java 7 Source Code 1.0
shapes No Description Available Java 7 Source Code 1.0
scarf-io No Description Available Java 8 Source Code 1.0
lighttpd No Description Available C/C++ 1.4.45
lighttpd No Description Available C/C++ 1.4.45
lighttpd No Description Available C/C++ 1.4.45-2018032210
lighttpd No Description Available C/C++ 1.4.45-2018032311
lighttpd No Description Available C/C++ 1.4.45-2018032201
lighttpd No Description Available C/C++ 1.4.45-2018032203
airavata883c3f4 No Description Available Java 8 Source Code 1.0
WebGoat-Lessons No Description Available Java 8 Source Code 1.0To delete one or more packages, use --delete option with the package sub-command.
package sub-command with --delete sub-command requires the following additional options:
| Option | Value |
|---|---|
|
Delete packages with these names or UUIDs. Accepts multiple names or UUIDs |
|
Delete packages in this project. if --packages option is not specified, deletes all the packages in the project |
|
UUIDs of packages that must be deleted. This option is deprecated, use |
|
Project UUID for the packages. This is optional. This option is deprecated, use |
'--quiet' |
Do not print anything |
Example:
% ./bin/swamp packages --delete -project MyProject --package webgoat-lessons
Deleted 'Name: webgoat-lessons, Version: 7.1'tools sub-command is used for the following:
-
Get a list of all the tools that the user has access to in SWAMP
-
Given a tool name, get the platform UUID
To get a list of all the tools that the user has access to in SWAMP, use --list option with the tools sub-command. This command displays list of tools, with versions available and supported package types.
tools sub-command with --list option accepts the following additional option:
| Option | Value |
|---|---|
|
Only prints the names of the tools |
|
Also prints UUIDs |
Example:
./bin/swamp tools --listExample output of the above command:
Tool Version Supported Package Types
JSHint 2.9.4 ["Web Scripting"]
Synopsys Static Analysis (Coverity) 2017.07 ["C/C++"]
HTML Tidy 5.2.0 ["Web Scripting"]
Parasoft C/C++test 10.3.3 ["C/C++"]
Parasoft C/C++test 9.6.1.91 ["C/C++"]
Parasoft Jtest 10.3.3 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
Parasoft Jtest 9.6.0 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
Clang Static Analyzer 3.8 ["C/C++"]
Clang Static Analyzer 3.7 ["C/C++"]
Clang Static Analyzer 3.3 ["C/C++"]
error-prone 2.0.21 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
error-prone 2.0.15 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
error-prone 2.0.9 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
error-prone 1.1.1 ["Java 7 Source Code","Android Java Source Code","Java 8 Source Code"]
Dawn 1.6.7 ["Ruby Sinatra","Ruby on Rails","Ruby Padrino"]
Dawn 1.3.5 ["Ruby Sinatra","Ruby on Rails","Ruby Padrino"]
RuboCop 0.47 ["Ruby","Ruby Sinatra","Ruby on Rails","Ruby Padrino"]
RuboCop 0.33 ["Ruby","Ruby Sinatra","Ruby on Rails","Ruby Padrino"]
RuboCop 0.31 ["Ruby","Ruby Sinatra","Ruby on Rails","Ruby Padrino"]
PHPMD 2.5.0 ["Web Scripting"]To get a tool’s UUID, use --uuid option with the tools sub-command.
tools sub-command with --uuid option requires the following additional option:
| Option | Value |
|---|---|
|
Name of the tool to get the UUID for |
Example:
./bin/swamp tools --uuid --name PMDExample output of the above command:
163f2b01-156e-11e3-a239-001a4a81450bassessments sub-command is used for the following:
-
Perform assessments in SWAMP
-
List assessments
To perform an assessment, use --run option with the assessments sub-command.
The assessments sub-command with the --run option supports the following additional options:
| Option | Value |
|---|---|
`--package <PACKAGE_NAME> ` |
Name of the package to be assessed. By default uses the latest version. For a particular version of a package, use |
|
Name of the tool to be assessed with. By default uses the latest version. For a particular version of a tool, use |
|
Platform to be assessed on. This option accepts multiple platform names. |
|
UUID of the version of a package that must be assessed. This option is deprecated, use |
|
Project that the package is part of. This option is deprecated. |
|
UUIDs of the platforms that assessments must be performed on. This is optional and is only valid for |
|
UUIDs of the tools that must be used for assessments. This option is deprecated, use |
|
Does not print headers |
Example:
./bin/swamp assessments --run --package swamp-gradle-example --tool error-proneExample output of the above command:
Assessment UUIDs
d14aa1f9-d0f1-48b6-adb4-088ac0e1ffeeExample with a particular package version and tool version:
./bin/swamp assessments --run --package swamp-gradle-example::1.0 --tool error-prone::1.1.1Example with a particular package version and tool version:
./bin/swamp assessments --run --package swamp-gradle-example::1.0 --tool error-prone::1.1.1Example with a particular package version and multiple tools:
./bin/swamp assessments --run --package swamp-gradle-example::1.0 --tool error-prone::1.1.1 spotbugs PMDExample with a package, multiple tools, and multiple platforms:
./bin/swamp assessments --run --package lighttpd --tool cppcheck "Clang Static Analyzer" --platform centos-7-64 debian-8-64 fedora-24-64 ubuntu-16.04-64To list assessments created, use --list with the assessments sub-command. The assessments sub-command with the --run option supports the following additional options:
| Option | Value |
|---|---|
|
Only show assessments in this Project. |
|
Only show assessments for this Package |
|
Only show assessments on this Platform |
|
Only show assessments with this Tool |
|
Do not print Headers |
|
Print UUIDs also |
Example:
./bin/swamp assessments -L --tool SpotBugsExample output for the above command
Package Tool Platform
TestPerm::2018-03-29-12 SpotBugs::latest ubuntu-16.04-64
java-cli::2018-03-29-12 SpotBugs::latest ubuntu-16.04-64
scarf-io::2018-03-29-11 SpotBugs::latest ubuntu-16.04-64
scarf-io2::2018-03-29-11 SpotBugs::latest ubuntu-16.04-64
scarf-io2::2018-03-27-15 SpotBugs::latest ubuntu-16.04-64
java-cli::2018-03-27-15 SpotBugs::latest ubuntu-16.04-64To download SCARF results of an assessment run or show list of assessment runs, use results sub-command.
To list assessment runs, use --list with the results sub-command. The results sub-command with the --list option supports the following additional options:
| Option | Value |
|---|---|
|
Only show assessment runs in this Project |
|
Only show assessment runs for this Package |
|
Only show assessment runs ran on this Platform |
|
Only show assessment runs with this Tool |
|
Print UUIDs also |
Example:
./bin/swamp results --listExample output for the above command:
Package Tool Platform Date Status Results
lighttpd::1.4.45 Clang Static Analyzer::3.8 centos-7-64 04/23/2018 10:07 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 debian-8-64 04/23/2018 10:07 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 fedora-24-64 04/23/2018 10:07 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 ubuntu-16.04-64 04/23/2018 10:07 Finished 4
lighttpd::1.4.45 cppcheck::1.75 centos-7-64 04/23/2018 10:07 Finished 209
lighttpd::1.4.45 cppcheck::1.75 debian-8-64 04/23/2018 10:07 Finished 209
lighttpd::1.4.45 cppcheck::1.75 fedora-24-64 04/23/2018 10:07 Finished 209
lighttpd::1.4.45 cppcheck::1.75 ubuntu-16.04-64 04/23/2018 10:07 Finished 209
lighttpd::1.4.45 Clang Static Analyzer::3.8 centos-7-64 04/23/2018 07:31 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 debian-8-64 04/23/2018 07:31 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 fedora-24-64 04/23/2018 07:31 Finished 4
lighttpd::1.4.45 Clang Static Analyzer::3.8 ubuntu-16.04-64 04/23/2018 07:31 Finished 4
lighttpd::1.4.45 cppcheck::1.75 centos-7-64 04/23/2018 07:31 Finished 209
lighttpd::1.4.45 cppcheck::1.75 debian-8-64 04/23/2018 07:31 Finished 209
lighttpd::1.4.45 cppcheck::1.75 fedora-24-64 04/23/2018 07:31 Finished 209
lighttpd::1.4.45 cppcheck::1.75 ubuntu-16.04-64 04/23/2018 07:31 Finished 209
swamp-gradle-example::1.0 SpotBugs::3.1.0 ubuntu-16.04-64 04/23/2018 07:22 Finished 13
swamp-gradle-example::1.0 PMD::5.8.1 ubuntu-16.04-64 04/23/2018 07:22 Finished 33
swamp-gradle-example::1.0 error-prone::1.1.1 ubuntu-16.04-64 04/23/2018 07:22 Finished 0
swamp-gradle-example::1.0 error-prone::1.1.1 ubuntu-16.04-64 04/23/2018 07:17 Finished 0
swamp-gradle-example::1.0 error-prone::1.1.1 ubuntu-16.04-64 04/23/2018 07:17 Finished 0
swamp-gradle-example::1.0 error-prone::2.0.21 ubuntu-16.04-64 04/23/2018 07:15 Finished 1To download SCARF results use --download option with the results sub-command. The results sub-command with the --download option supports the following additional options:
| Option | Value |
|---|---|
|
File path to write SCARF Results into |
|
Download results for this package name |
|
Download results for this tool |
|
Download results for this platform |
|
Assessment Results UUID |
|
Project UUID of a project. This option is deprecated. |
|
Do not print Headers |
SCARF results downloaded from the assessment run will be stored into <SCARF_FILEPATH>.
./bin/swamp results --download --results-uuid f4856ee8-b402-11e7-92c3-001a4a814413 --filepath $PWD/scarf-results.xml./bin/swamp results --download --package swamp-gradle-example::1.0 --tool SpotBugs::3.2.0 --platform ubuntu-16.04-64projects sub-command must be used for the following:
-
Get the list of all the SWAMP projects the user is part of.
-
Given a project name, get the project UUID.
To get a list of all the projects that user of part of, use --list option with the projects sub-command.
The projects sub-command with --list option supports the following additional options.
| Option | Value |
|---|---|
|
Do not print Headers, and Description, Date Added attributes |
|
Print UUIDs also |
Example:
./bin/swamp projects --listExample for the output of the above command:
Project Description Date Added
new-project for experiment only 01/22/2015 04:02
UW SWAMP Java Software Some of the software written for SWAMP, want to check how SWAMP works. 02/03/2014 11:52
UW Mobile UW Mobile 06/23/2015 06:39
NICS NICS software assessments 11/17/2015 05:57
MyProject Starter project for running assessments. 02/23/2015 15:51
4plugins Project to test plugins 06/22/2017 09:38To get UUID of a project, use --uuid option with the projects sub-command.
projects sub-command with --uuid option requires the following additional options:
| Option | Value |
|---|---|
|
Name of the project to get the UUID for |
Example:
./bin/swamp projects --uuid --name 4pluginsExample for the output of the above command:
df2e7c15-4d28-4224-b25c-c2570bd91156platform sub-command is used for the following:
-
Get a list of all the platforms supported by the SWAMP.
-
Given a platform name, get the platform UUID.
To get a list of all the platforms that user of part of, use --list option with the platforms sub-command.
The platforms sub-command with --list option supports the following additional options.
| Option | Value |
|---|---|
|
Do not print Headers |
|
Print UUIDs also |
Example:
./bin/swamp platforms --listExample for the output of the above command:
Platform
android-ubuntu-12.04-64
centos-6-32
centos-6-64
centos-7-64
debian-7-64
debian-8-64
fedora-18-64
fedora-19-64
fedora-20-64
fedora-21-64
fedora-22-64
fedora-23-64
fedora-24-64
scientific-6-32
scientific-6-64
scientific-7-64
ubuntu-10.04-64
ubuntu-12.04-64
ubuntu-14.04-64
ubuntu-16.04-64To get UUID of a platform, use --uuid option with the platforms sub-command.
platforms sub-command with --uuid option requires the following additional options:
| Option | Value |
|---|---|
|
Name of the platform to get the UUID for |
Example:
./bin/swamp platforms --uuid --name ubuntu-16.04-64Example for the output of the above command:
03b18efe-7c41-11e6-88bc-001a4a81450bTo get the status of an assessment run, status sub-command is used with the following options:
| Option | Value |
|---|---|
|
UUID of the assessment run |
|
Project UUID of the assessment . This option is deprecated |
The output of the above sub-command will display (SUCCESS|FAILURE|INPROGRESS). Incase of SUCCESS, the number of weaknesses and results-uuid will also be displayed on the console.
Example:
./bin/swamp status --assess-uuid 96e6e4e0-efce-4216-bff9-b20b30ca2e83 --project-uuid df2e7c15-4d28-4224-b25c-c2570bd91156Example output of the above command:
SUCCESS, 33, f4856ee8-b402-11e7-92c3-001a4a814413In case of errors or exceptions the Java CLI program returns the following exit codes:
| Exit Code | Description |
|---|---|
0 |
No errors |
1 |
Incorrect command line options |
2 |
Command line parser error |
3 |
Invalid UUID of a Tool, Project, Package, Assessment |
4 |
Incompatible tuple, example: Using Java tool on a C/C++ package |
5 |
User session expired |
6 |
User session restore error |
7 |
User session save error |
8 |
No default platform |
9 |
Invalid Name of a Tool, Project, Package, Platform |
10 |
Conflicting (Package, Tool, Project, Platform) Tuple |
20+ |
HTTP exception |
Clone https://github.com/mirswamp/java-cli.git, and run the following commands to build java-cli:
cd java-cli
mvn package -DskipTestsRun java -jar ./target/java-cli-X.Y.Z-jar-with-dependencies.jar command.
To run the automated test suite, do the following:
-
Change to
java-clidirectory -
From
https://github.com/mirswamp/java-cli/releases, downloadtest_packages.zipfile and unzip it inscripts/resourcesdirectory. -
Download Jython-2.7.0 stand-alone jar file from http://www.jython.org/downloads.html and create a JYTHON_JAR environment variable that points to the Jar file.
http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar -
Download test—packages.zip from github and unpack as noted above
https://github.com/mirswamp/java-cli/releases/download/releases%2F1.3.3/test_packages.zip -
Create a
userinfo.propertiesinscripts/resourcesdirectory. The file should have the following as key value pairs
username=<swamp-username>
password=<swamp-password>
project=<swamp-user-project-uuid>
hostname=<swamp-hostname> # Optional, default is mir-swamp.org-
run
.scripts/test.shscript.