SBOM and Scanning

New Here, May 04, 2024

Hi, I know there are literally no free tools for CI/CD scanning of ColdFusion besides the CFLint/SonarQube plugin. Is this still true? No SAST, SCA etc. type scanners in the wild?

Also, as per the new security mandate etc.: SBOM. I notice Grype/Syft in a repo on my GitHub repos do not map dependencies of ColdFusion code. With the release of 2024, how are we to approach this?

TOPICS
Advanced techniques , Monitoring , Reporting , Security
Explorer, May 07, 2024

Depending on your ColdFusion stack and development environment, ColdFusion Security Analyzer may be included (but not technically free) if you're using ColdFusion Builder. And Foundeo Fixinator is relatively inexpensive, depending on your needs/volume.

I've done a little bit of work on some simple grep-based SAST for ColdFusion/CFML, described here -- https://www.hoyahaxa.com/2021/06/two-one-liners-for-quick-coldfusion.html. It's admittedly more a "collection of sharp objects" rather than a fully-functional tool -- and it's noisy/prone to false positives (to be sorted by human review) by design. I haven't released anything other than the few snippets in that article. It's possible (but unplanned at this time) I may release a real tool in the future, although I've alternately considered working on better support for CFML via semgrep instead.

Re: SBOM, I have not used Syft or Grype before, but I have used commercial container and image scanners that have flagged vulnerable packages in ColdFusion and Lucee.

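As an added example (not code from the original post or from the linked hoyahaxa article), here is the shape of a grep-style CFML check in Python over constructed sample input. The two rules are assumptions: a request-scope value (`url.`, `form.`, `cgi.`, `cookie.`) interpolated inside a `<cfquery>` block that has no `<cfqueryparam>`, or echoed bare inside `<cfoutput>`. Both are deliberately coarse and over-report, which is the trade-off the reply describes.

```python
import re
from typing import List, Tuple

# Constructed sample CFML (not from the original post): one parameterised query,
# one that interpolates a form value directly, one encoded and one raw cfoutput.
SAMPLE_CFML = """\
<cfquery name="q1" datasource="app">
  SELECT id FROM users WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT id FROM users WHERE name = '#form.name#'
</cfquery>
<cfoutput>#encodeForHTML(url.q)#</cfoutput>
<cfoutput>#url.q#</cfoutput>
"""

# Bare interpolation of a request-controlled scope, e.g. #url.q#. The scope list is an
# assumption; #encodeForHTML(url.q)# does not match because the scope is not right after '#'.
TAINTED_INTERPOLATION = re.compile(r"#\s*(url|form|cgi|cookie)\.\w+\s*#", re.IGNORECASE)
CFQUERY_BLOCK = re.compile(r"<cfquery\b.*?</cfquery>", re.IGNORECASE | re.DOTALL)
CFOUTPUT_BLOCK = re.compile(r"<cfoutput\b.*?</cfoutput>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b", re.IGNORECASE)


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def scan_cfml(text: str) -> List[Tuple[int, str]]:
    """Return (line, rule) findings. Coarse by design: every hit needs human review."""
    findings: List[Tuple[int, str]] = []
    for block in CFQUERY_BLOCK.finditer(text):
        body = block.group(0)
        # Rule 1: tainted value interpolated into SQL and no cfqueryparam anywhere in the block.
        if TAINTED_INTERPOLATION.search(body) and not CFQUERYPARAM.search(body):
            findings.append((_line_of(text, block.start()), "cfquery-interpolation-no-cfqueryparam"))
    for block in CFOUTPUT_BLOCK.finditer(text):
        # Rule 2: tainted value echoed bare; report the line of each interpolation found.
        for hit in TAINTED_INTERPOLATION.finditer(block.group(0)):
            findings.append((_line_of(text, block.start() + hit.start()), "cfoutput-unencoded-request-value"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in scan_cfml(SAMPLE_CFML):
        print(f"line {line}: {rule}")
```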