Skip to main content
J
john37182143792q
Participant
May 4, 2024
Question

SBOM and Scanning

  • May 4, 2024
  • 1 reply
  • 662 views

Hi, i know there are literally no free tools for ci/cd scanning of coldfusion besides cflint/sonarqube plugin- Is this still true? - No SAST SCA etc type scanners in the wild? 

 

Also; As per new mandate of security etc; SBOM. I notice grype/syft in a repo on my github repos, do not map dependencies of coldfusion code. With the release of 2024 how are we to approach this?

 

This topic has been closed for replies.

1 reply

Brian__
Brian__
Participating Frequently
May 8, 2024

Depending on your ColdFusion stack and development environment, ColdFusion Security Analyzer may be included (but not technically free) if you're using ColdFusion Builder. And Foundeo Fixinator is relatively inexpensive, depending on your needs/volume.

 

I've done a little bit of work on some simple grep-based SAST for ColdFusion/CFML described here -- https://www.hoyahaxa.com/2021/06/two-one-liners-for-quick-coldfusion.html.  It's admittedly more a "collection of sharp objects" rather than a fully-functional tool -- and it's noisy/prone to false positives (to be sorted by human review) by design.  I haven't released anything than the few snippets in that article.  It's possible (but unplanned at this time) I may release a real tool in the future, although I've alternately  considered working on better support for CFML via semgrep instead.

 

 Re: SBOM, I have not used Syft or Grype before, but I have used commercial container and image scanners that have flagged vulnerable packages in ColdFusion and Lucee.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices