Hi, I know there are literally no free tools for CI/CD scanning of ColdFusion besides CFLint and the SonarQube plugin. Is this still true? No SAST, SCA, etc. type scanners in the wild?
Also, as per the new security mandate etc.: SBOM. I notice Grype/Syft in a repo on my GitHub repos do not map dependencies of ColdFusion code. With the release of 2024, how are we to approach this?
Depending on your ColdFusion stack and development environment, ColdFusion Security Analyzer may be included (but not technically free) if you're using ColdFusion Builder. And Foundeo Fixinator is relatively inexpensive, depending on your needs/volume.
I've done a little bit of work on some simple grep-based SAST for ColdFusion/CFML, described here: https://www.hoyahaxa.com/2021/06/two-one-liners-for-quick-coldfusion.html. It's admittedly more a "collection of sharp objects" than a fully functional tool, and it's noisy/prone to false positives (to be sorted by human review) by design. I haven't released anything other than the few snippets in that article. It's possible (but unplanned at this time) that I may release a real tool in the future, although I've alternately considered working on better support for CFML via Semgrep instead.
Re: SBOM, I have not used Syft or Grype before, but I have used commercial container and image scanners that have flagged vulnerable packages in ColdFusion and Lucee.
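As an added example (not the one-liners from the linked article, and not a tool from Adobe, Foundeo or the poster above), here is the same grep-style idea carried into a small Python script that a CI job can run over a CFML tree. The rule set, the constructed sample CFML and the exit-code convention are my own assumptions; like the approach described above it is deliberately noisy and expects a human to triage what it flags.

```python
"""
Grep-style SAST for CFML: a few regex "sharp objects" that flag candidate
sinks for a human to triage. Added example, not the one-liners from the
linked article; rules and the sample CFML below are my own constructions.
"""
import re
import sys
from pathlib import Path
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str
    line: int
    text: str


# Single-line rules: each flags a dangerous tag/function, not a confirmed bug.
LINE_RULES = {
    # Dynamic evaluation of strings (code injection candidate).
    "evaluate": re.compile(r"\bevaluate\s*\(", re.I),
    # OS command execution; review what the 'arguments' attribute is built from.
    "cfexecute": re.compile(r"<cfexecute\b", re.I),
    # File upload; review destination, accept list and extension checks.
    "cffile-upload": re.compile(r"<cffile\b[^>]*\baction\s*=\s*[\"']?upload\b", re.I),
    # url./form./cgi. scope echoed inside <cfoutput> without an encodeFor*
    # wrapper on the same line (XSS candidate). Single-line bodies only.
    "cfoutput-raw-scope": re.compile(r"<cfoutput\b[^>]*>[^<]*#\s*(url|form|cgi)\.", re.I),
}

# Block rule: '#expr#' interpolated into a <cfquery> body is an SQL injection
# candidate unless the interpolation sits inside a <cfqueryparam ...> tag.
CFQUERY_BLOCK = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM_TAG = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
HASH_EXPR = re.compile(r"#[^#\n]+#")


def line_of(source: str, offset: int) -> int:
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def scan_lines(source: str) -> Iterator[Finding]:
    for number, line in enumerate(source.splitlines(), 1):
        for name, pattern in LINE_RULES.items():
            if pattern.search(line):
                yield Finding(name, number, line.strip())


def scan_cfquery_blocks(source: str) -> Iterator[Finding]:
    for block in CFQUERY_BLOCK.finditer(source):
        body, body_start = block.group(1), block.start(1)
        param_spans = [tag.span() for tag in CFQUERYPARAM_TAG.finditer(body)]
        for hash_match in HASH_EXPR.finditer(body):
            inside_param = any(start <= hash_match.start() and hash_match.end() <= end
                               for start, end in param_spans)
            if inside_param:
                continue  # parameterised via cfqueryparam; not flagged
            yield Finding("cfquery-interpolation",
                          line_of(source, body_start + hash_match.start()),
                          hash_match.group(0))


def scan(source: str) -> List[Finding]:
    """All findings for one CFML source, ordered by line then rule name."""
    findings = list(scan_cfquery_blocks(source)) + list(scan_lines(source))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def scan_tree(root: str) -> List[Tuple[str, Finding]]:
    """Scan every .cfm/.cfc file under root; returns (path, finding) pairs."""
    pairs = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".cfm", ".cfc"):
            for finding in scan(path.read_text(encoding="utf-8", errors="replace")):
                pairs.append((str(path), finding))
    return pairs


# Constructed sample, not real application code. Lines 3, 8, 9, 10 and 12
# should be flagged; line 6 (cfqueryparam) and line 11 (encodeForHTML) should not.
SAMPLE_CFML = """<cfset name = url.name>
<cfquery name="q" datasource="app">
    SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="safe" datasource="app">
    SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfset result = evaluate("form." & fieldName)>
<cfexecute name="/bin/ls" arguments="#url.path#"></cfexecute>
<cfoutput>Hello #url.name#</cfoutput>
<cfoutput>Hello #encodeForHTML(url.name)#</cfoutput>
<cffile action="upload" filefield="doc" destination="#expandPath('/uploads')#">
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        results = [pair for root in sys.argv[1:] for pair in scan_tree(root)]
    else:
        results = [("<sample>", f) for f in scan(SAMPLE_CFML)]
    for path, f in results:
        print(f"{path}:{f.line}: [{f.rule}] {f.text}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI stage
```

Run with no arguments it scans the embedded sample; pointed at one or more source roots it walks them and exits non-zero when anything is flagged, which is what makes it usable as a pipeline gate. The rules are intentionally crude: the cfoutput check misses multi-line bodies and a variable that was sanitised earlier still trips the cfquery check, so expect the same human-review step the post describes rather than treating the output as a vulnerability list.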