Question
August 6, 2020

Security Analyzer
The documentation for the Security Analyzer for CF2016+ indicates that Builder connects to a service running on ColdFusion Server Enterprise running in the Development profile to perform the scan and retrieve the results. Is this service documented anywhere? Ideally I'd like to be able to interact with this service via tools such as Jenkins, or even better SonarQube.


    Charlie Arehart
    Community Expert
    August 7, 2020

    Yep, I was going to jump in and report that that git project from Dave Epler (mentioned in a comment in that thread you shared) should help you get going.

     

    But still another possibility you should consider is the alternative tool from Pete Freitag and Foundeo, called Fixinator. No, it's not free, but it's much more powerful (and IS API-driven, and designed specifically to integrate with CI pipelines like Jenkins).

     

    It also is NOT limited to working with CF Enterprise, does NOT require enabling RDS, does NOT use CFBuilder, and (unlike the Sec Analyzer) it can even make the needed changes to your code, if you tell it to (it does not, by default, of course).

    /Charlie (troubleshooter, carehart.org)
    HallowAuthor
    Inspiring
    August 6, 2020

    According to the web.xml, it looks like this is a REST-style service running on /securityanalyzer; just need to figure out what commands to pass to it.

    <!-- begin Security Analyzer -->
    <servlet id="coldfusion_servlet_666">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <display-name>Rest Processor</display-name>
        <description>Starts and configures rest web components</description>
        <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
        <init-param id="InitParam_1034013110657sa">
            <param-name>servlet.class</param-name>
            <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
        </init-param>
        <load-on-startup>111</load-on-startup>
    </servlet>
    <!-- end Security Analyzer -->

    <!-- begin Security Analyzer -->
    <servlet-mapping id="coldfusion_mapping_23">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <url-pattern>/securityanalyzer/*</url-pattern>
    </servlet-mapping>
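The web.xml fragment above is the practical way to answer "what is reachable on /securityanalyzer and which class handles it". Note the indirection it shows: the declared servlet-class is coldfusion.bootstrap.BootstrapServlet, and the class that actually services the request is named only in the servlet.class init-param. The following Python script is an added example written for this page (it is not code from the post, from Adobe or from ColdFusion). It parses a constructed sample web.xml that reproduces the quoted Security Analyzer entries plus one hypothetical servlet (ExampleDirectServlet, not a real ColdFusion servlet), builds an inventory of servlet name, declared class, real handler class and URL patterns, and then resolves a request path to the servlet that would receive it using the Servlet specification's precedence (exact match, longest path-prefix match, extension match, default). The same functions can be pointed at a real ColdFusion WEB-INF/web.xml to list every exposed servlet endpoint.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml for this example: the Security Analyzer <servlet> and
# <servlet-mapping> entries as quoted in the post above, plus a hypothetical
# ExampleDirectServlet (not a real ColdFusion servlet) registered without BootstrapServlet.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <servlet id="coldfusion_servlet_666">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <display-name>Rest Processor</display-name>
        <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
        <init-param id="InitParam_1034013110657sa">
            <param-name>servlet.class</param-name>
            <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>ExampleDirectServlet</servlet-name>
        <servlet-class>com.example.DirectServlet</servlet-class>
    </servlet>
    <servlet-mapping id="coldfusion_mapping_23">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <url-pattern>/securityanalyzer/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ExampleDirectServlet</servlet-name>
        <url-pattern>/example</url-pattern>
        <url-pattern>/example/*</url-pattern>
    </servlet-mapping>
</web-app>
"""

# ColdFusion registers many servlets through this class and names the real handler
# in a `servlet.class` init-param, as the quoted web.xml shows.
BOOTSTRAP_CLASS = "coldfusion.bootstrap.BootstrapServlet"


def _local(tag):
    """Drop the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first child named `name`, or None if absent."""
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else None


def servlet_inventory(web_xml_text):
    """servlet-name -> {declared_class, handler_class, url_patterns}. handler_class is
    the declared <servlet-class>, or for BootstrapServlet the `servlet.class` init-param."""
    root = ET.fromstring(web_xml_text)
    inventory = {}
    for srv in _children(root, "servlet"):
        declared = _text(srv, "servlet-class")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _children(srv, "init-param")}
        handler = declared
        if declared == BOOTSTRAP_CLASS and params.get("servlet.class"):
            handler = params["servlet.class"]
        inventory[_text(srv, "servlet-name")] = {
            "declared_class": declared, "handler_class": handler, "url_patterns": []}
    for mapping in _children(root, "servlet-mapping"):
        # A mapping for an undeclared servlet is a config error; keep it visible
        # (class fields None) instead of silently dropping the exposed URL.
        entry = inventory.setdefault(_text(mapping, "servlet-name"),
                                     {"declared_class": None, "handler_class": None,
                                      "url_patterns": []})
        entry["url_patterns"] += [(c.text or "").strip()
                                  for c in _children(mapping, "url-pattern")]
    return inventory


def servlet_for_path(inventory, path):
    """Servlet that would receive `path`, using the Servlet spec's precedence:
    exact match, longest '/prefix/*' match, '*.ext' match, then the '/' default."""
    best = None  # (rank, -pattern_length, name): the smallest tuple wins
    for name, info in inventory.items():
        for pat in info["url_patterns"]:
            if pat == path:
                cand = (0, 0, name)
            elif pat.endswith("/*") and (path == pat[:-2] or path.startswith(pat[:-1])):
                cand = (1, -len(pat), name)
            elif pat.startswith("*.") and path.endswith(pat[1:]):
                cand = (2, 0, name)
            elif pat == "/":
                cand = (3, 0, name)
            else:
                continue
            if best is None or cand < best:
                best = cand
    return best[2] if best else None
```

Running servlet_inventory over the sample reports CFSecurityAnalyzerServlet with declared class coldfusion.bootstrap.BootstrapServlet, handler class coldfusion.securityanalyzer.SecurityAnalyzerServlet and the single pattern /securityanalyzer/*, and servlet_for_path resolves /securityanalyzer/scan (and the bare /securityanalyzer, which a /prefix/* mapping also matches) to it. The handler-class column is the one to trust when deciding what an endpoint does or whether to block it at the web server or connector; the display-name ("Rest Processor") and the declared class say nothing about the real handler.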
    HallowAuthor
    Inspiring
    August 6, 2020

    Ah, it's not a REST servlet, it's an RdsServlet. Not sure how to call this.