The documentation for the Security Analyzer for CF2016+ indicates that Builder connects to a service running on ColdFusion Server Enterprise running in the Development profile to perform the scan and retrieve the results. Is this service documented anywhere? Ideally I'd like to be able to interact with this service via tools such as Jenkins, or even better SonarQube.
According to the web.xml it looks like this is a REST-style service, running on /securityanalyzer; just need to figure out what commands to pass to it.

<!-- begin Security Analyzer -->
<servlet id="coldfusion_servlet_666">
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <display-name>Rest Processor</display-name>
    <description>Starts and configures rest web components</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110657sa">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
    </init-param>
    <load-on-startup>111</load-on-startup>
</servlet>
<!-- end Security Analyzer -->
<!-- begin Security Analyzer -->
<servlet-mapping id="coldfusion_mapping_23">
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <url-pattern>/securityanalyzer/*</url-pattern>
</servlet-mapping>
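The fragment above shows why reading a ColdFusion web.xml by eye is easy to get wrong: the `<servlet-class>` is the generic `coldfusion.bootstrap.BootstrapServlet`, and the class that actually handles `/securityanalyzer/*` is only named in the `servlet.class` init-param. The following script is an added example, not code from this thread, Adobe, or any of the projects mentioned here. It parses a web.xml, resolves that BootstrapServlet indirection, and joins each servlet to its URL patterns, which is the quickest way to enumerate which handler sits behind each exposed path on a CF server. The `<web-app>` wrapper with the Java EE default namespace and the second `ExampleServlet` entry are constructed sample data added only to exercise the parser; the Security Analyzer entries are copied from the post above.

```python
"""Enumerate servlet endpoints declared in a ColdFusion web.xml.

ColdFusion registers most of its servlets through
coldfusion.bootstrap.BootstrapServlet, so <servlet-class> does not name the
real handler; the 'servlet.class' <init-param> does. This resolves that
indirection and joins each servlet to its <url-pattern>s.
"""
import xml.etree.ElementTree as ET

BOOTSTRAP = "coldfusion.bootstrap.BootstrapServlet"

# Constructed sample input: the Security Analyzer fragment from the thread,
# wrapped in a minimal <web-app> root with the usual Java EE default namespace.
# 'ExampleServlet' is a hypothetical entry added to show a directly declared
# class and multiple mappings; it is not part of a real ColdFusion web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet id="coldfusion_servlet_666">
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <display-name>Rest Processor</display-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110657sa">
      <param-name>servlet.class</param-name>
      <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
    </init-param>
    <load-on-startup>111</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ExampleServlet</servlet-name>
    <servlet-class>com.example.DirectServlet</servlet-class>
  </servlet>
  <servlet-mapping id="coldfusion_mapping_23">
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <url-pattern>/securityanalyzer/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleServlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
    <url-pattern>*.ex</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, ignoring namespaces."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def servlet_endpoints(web_xml_text):
    """Return {servlet-name: {"declared": ..., "class": ..., "patterns": [...]}}.

    "class" is the effective handler: the 'servlet.class' init-param when the
    declared <servlet-class> is BootstrapServlet, else <servlet-class> itself.
    Mappings may appear before or after their <servlet>, so both branches
    create the entry on first sight.
    """
    root = ET.fromstring(web_xml_text)
    servlets = {}
    for elem in root:
        kind = _local(elem.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        name = _child_text(elem, "servlet-name")
        entry = servlets.setdefault(
            name, {"declared": None, "class": None, "patterns": []})
        if kind == "servlet":
            declared = _child_text(elem, "servlet-class")
            effective = declared
            if declared == BOOTSTRAP:
                for ip in elem:
                    if (_local(ip.tag) == "init-param"
                            and _child_text(ip, "param-name") == "servlet.class"):
                        effective = _child_text(ip, "param-value")
            entry["declared"] = declared
            entry["class"] = effective
        else:
            for child in elem:
                if _local(child.tag) == "url-pattern" and child.text:
                    entry["patterns"].append(child.text.strip())
    return servlets


def bootstrapped(servlets):
    """Names of servlets whose real handler is hidden behind BootstrapServlet."""
    return sorted(n for n, e in servlets.items() if e["declared"] == BOOTSTRAP)


if __name__ == "__main__":
    # To inspect a live install, replace SAMPLE_WEB_XML with the contents of
    # <cf_root>/cfusion/wwwroot/WEB-INF/web.xml (path is the CF default).
    for name, e in servlet_endpoints(SAMPLE_WEB_XML).items():
        print(f"{name:28} {e['class']:55} {', '.join(e['patterns'])}")
```

Run against a real install's web.xml, the output is a one-line-per-servlet inventory of exposed paths and the class that serves each, which is the list you want when deciding which of those mappings (the Security Analyzer, RDS, and so on) should be reachable from outside a development box at all.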
Ah, it's not a REST servlet, it's an RdsServlet; not sure how to call this.
Just found this - https://community.adobe.com/t5/coldfusion/coldfusion-2018-security-analyzer-exposed-api/td-p/1017870... that should be helpful.
Yep, I was going to jump in and report that the git project from Dave Epler (mentioned in a comment in that thread you shared) should help you get going.
But still another possibility you should consider is the alternative tool from Pete Freitag and Foundeo, called Fixinator. No, it's not free, but it's much more powerful (and IS API-driven, and designed specifically to integrate with CI pipelines like Jenkins).
It also is NOT limited to working with CF Enterprise, does NOT require enabling RDS, does NOT use CFBuilder, and (unlike the Security Analyzer) it can even make the needed changes to your code, if you tell it to (it does not by default, of course).