Security Analyzer

Community Beginner, Aug 06, 2020


The documentation for the security analyzer for CF2016+ indicates that Builder connects to a service running on ColdFusion Server Enterprise running in the Development profile to perform the scan and retrieve the results. Is this service documented anywhere? Ideally I'd like to be able to interact with this service via tools such as Jenkins, or even better SonarQube.

Views: 57
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner, Aug 06, 2020


According to the web.xml, it looks like this is a REST-style service running on /securityanalyzer - just need to figure out what commands to pass to it.

    <!-- begin Security Analyzer -->
    <servlet id="coldfusion_servlet_666">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <display-name>Rest Processor</display-name>
        <description>Starts and configures rest web components</description>
        <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
        <init-param id="InitParam_1034013110657sa">
            <param-name>servlet.class</param-name>
            <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
        </init-param>
        <load-on-startup>111</load-on-startup>
    </servlet>
    <!-- end Security Analyzer -->

    <!-- begin Security Analyzer -->
    <servlet-mapping id="coldfusion_mapping_23">
        <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
        <url-pattern>/securityanalyzer/*</url-pattern>
    </servlet-mapping>
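The web.xml fragment above shows the ColdFusion pattern worth knowing when auditing what a server exposes: the declared servlet-class is the generic coldfusion.bootstrap.BootstrapServlet, and the real implementing class is carried in the servlet.class init-param, while the URL path is declared separately in a servlet-mapping. The following is an added example, not code from the thread or from Adobe: a small Python script that parses a web.xml, follows that indirection, and reports which implementing class is reachable at which URL pattern. The sample document is constructed from the fragment posted above (wrapped in a web-app root with the standard Java EE namespace so namespace handling is exercised); the "OrphanServlet" mapping is a constructed addition to show the case where a servlet definition was removed but its mapping was left behind.

```python
"""Inventory the servlets a ColdFusion web.xml actually maps to URL paths.

Added example (not from the thread). It resolves ColdFusion's
BootstrapServlet indirection: the class that really handles a path is
the value of the `servlet.class` init-param, not <servlet-class>.
Commented-out <servlet> blocks are not seen by the XML parser, which is
the desired behaviour for an inventory of what is live.
"""
import xml.etree.ElementTree as ET

# Constructed sample based on the fragment posted above. The OrphanServlet
# mapping is a constructed addition: a mapping with no matching <servlet>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet id="coldfusion_servlet_666">
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param>
      <param-name>servlet.class</param-name>
      <param-value>coldfusion.securityanalyzer.SecurityAnalyzerServlet</param-value>
    </init-param>
    <load-on-startup>111</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>CFSecurityAnalyzerServlet</servlet-name>
    <url-pattern>/securityanalyzer/*</url-pattern>
  </servlet-mapping>
  <!-- servlet definition for OrphanServlet was removed, mapping left behind -->
  <servlet-mapping>
    <servlet-name>OrphanServlet</servlet-name>
    <url-pattern>/orphan/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _new_entry():
    return {"class": "", "impl": None, "patterns": []}


def inventory_servlets(xml_text):
    """Return {servlet-name: {class, impl, patterns}} for a web.xml document."""
    root = ET.fromstring(xml_text)
    servlets = {}
    for elem in root:
        if _local(elem.tag) != "servlet":
            continue
        entry = _new_entry()
        entry["class"] = _child_text(elem, "servlet-class")
        # ColdFusion's BootstrapServlet delegates to the class named in the
        # `servlet.class` init-param; that is the class that really runs.
        for param in elem:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "servlet.class"):
                entry["impl"] = _child_text(param, "param-value")
        servlets[_child_text(elem, "servlet-name")] = entry
    for elem in root:
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = _child_text(elem, "servlet-name")
        for child in elem:
            if _local(child.tag) == "url-pattern":
                servlets.setdefault(name, _new_entry())["patterns"].append(
                    (child.text or "").strip())
    return servlets


def reachable_paths(servlets):
    """Sorted (url-pattern, implementing class) pairs for every mapped servlet.

    A mapping whose <servlet> block is missing is reported explicitly so a
    stale entry is not silently dropped from the inventory.
    """
    out = []
    for entry in servlets.values():
        handler = entry["impl"] or entry["class"] or "(no servlet definition)"
        for pattern in entry["patterns"]:
            out.append((pattern, handler))
    return sorted(out)


if __name__ == "__main__":
    for pattern, handler in reachable_paths(inventory_servlets(SAMPLE_WEB_XML)):
        print(f"{pattern:24s} -> {handler}")
```

Pointing the script at a real server's web.xml instead of the constructed sample gives a quick list of every path the container will route, which is the first thing to check before deciding whether a Development-profile-only service such as the analyzer (or RDS) is mapped on a server where it should not be.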
Community Beginner, Aug 06, 2020


Ah, it's not a REST servlet, it's an RdsServlet; not sure how to call this.

Community Beginner, Aug 06, 2020

Adobe Community Professional, Aug 07, 2020

Yep, I was going to jump in and report that that git project from Dave Epler (mentioned in a comment in that thread you shared) should help you get going.


But still another possibility you should consider is the alternative tool from Pete Freitag and Foundeo, called Fixinator. No, it's not free, but it's much more powerful (and IS API-driven, and designed specifically to integrate with CI pipelines like Jenkins).

It also is NOT limited to working with CF Enterprise, does NOT require enabling RDS, does NOT use CFBuilder, and (unlike the Sec Analyzer) it can even make the needed changes to your code, if you tell it to (it does not, by default, of course).

/Charlie (server troubleshooter, carehart.org)
