• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

SBOM and Scanning

New Here ,
May 04, 2024 May 04, 2024

Copy link to clipboard

Copied

Hi, i know there are literally no free tools for ci/cd scanning of coldfusion besides cflint/sonarqube plugin- Is this still true? - No SAST SCA etc type scanners in the wild? 

 

Also; As per new mandate of security etc; SBOM. I notice grype/syft in a repo on my github repos, do not map dependencies of coldfusion code. With the release of 2024 how are we to approach this?

 

TOPICS
Advanced techniques , Monitoring , Reporting , Security

Views

270

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 07, 2024 May 07, 2024

Copy link to clipboard

Copied

LATEST

Depending on your ColdFusion stack and development environment, ColdFusion Security Analyzer may be included (but not technically free) if you're using ColdFusion Builder. And Foundeo Fixinator is relatively inexpensive, depending on your needs/volume.

 

I've done a little bit of work on some simple grep-based SAST for ColdFusion/CFML described here -- https://www.hoyahaxa.com/2021/06/two-one-liners-for-quick-coldfusion.html.  It's admittedly more a "collection of sharp objects" rather than a fully-functional tool -- and it's noisy/prone to false positives (to be sorted by human review) by design.  I haven't released anything than the few snippets in that article.  It's possible (but unplanned at this time) I may release a real tool in the future, although I've alternately  considered working on better support for CFML via semgrep instead.

 

 Re: SBOM, I have not used Syft or Grype before, but I have used commercial container and image scanners that have flagged vulnerable packages in ColdFusion and Lucee.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation