See the product’s web site for more, including installation steps (including CommandBox) and run-time configuration options. In that case, consider also Fixinator, a commercial tool/service from Foundeo, whose founder Pete Freitag is author of the ColdFusion Lockdown Guide as well as other tools and resources.

Fixinator does not require either the use of CFBuilder or of RDS, is not limited by CF edition, works with Lucee, and even offers an option to perform the recommended code changes if you prefer that.

Fixinator, as an alternative

Despite the lifting of this Enterprise requirement, you may find other reasons that the CF Security Code Analyzer doesn’t suit you.

Update: And one more time: the Security Code Analyzer works with the new free VSCode extension.

Log in to your account at the Adobe licensing site to find the available CFB licenses for any purchased CF licenses.

Again, though: note that the Security Code Analyzer does work with the free 60-day trial of CFBuilder (2018 or 2016), so you don’t HAVE to pay for the tool to try it out. So you may have CFB licenses you are not even using.

As noted in a FAQ that I link to at the end of that blog post just mentioned, you get three licenses of CF Builder with a CF Enterprise edition or one license with CF Standard edition. That said, for those only interested in using CFBuilder 2018 or 2016, do note that a license of CF Builder is included with the purchase of CF itself.

You may have CFBuilder licenses you are not using

Update: But again this cost/feature distinction does NOT apply to the VSCode extension, which has only the one free edition. The Security Code Analyzer is (still) one of those features.
Update: Note that the new CFBuilder VSCode extension is free; there is no paid version.

As some may know, with CFBuilder 2018 or earlier, if a license is not entered at installation or during the 60-day trial, CFBuilder will revert to the free Express edition, which holds back various features, as I have written about before. If you connect Builder to a CF2018 or 2016 instance, the tool will still ONLY work if those are running with an Enterprise license, or their trial editions.

Also, if used with CFBuilder 2018 or 2016, the Security Code Analyzer feature works only with a licensed or trial edition of CFBuilder. Let me repeat first that the lifting of this CF Enterprise requirement is ONLY if you are running CF2021. And yes, any of these versions of CFBuilder can analyze CFML code of any CF version and can all work with any edition of CF2021. CFBuilder does need to be configured to connect (via the CF RDS feature) to a CF instance, and the analysis is done in CF but reported in Builder (which can produce PDF charts and reports).

Update: in July 2022, Adobe released CFBuilder as a VSCode extension, and that also includes this Security Code Analyzer. It works with CF 2016 and above, and with CF Builder 20. It not only finds and describes the vulnerabilities but also recommends CFML changes to mitigate those code vulnerabilities.

Again, the Security Code Analyzer is not new. (It always bugged me that the Security Analyzer was limited that way, since it seems that security is a priority which should concern all users of CF, regardless of how they licensed it.)
About the Security Code Analyzer

For those not familiar with the tool (perhaps especially if they didn’t have CF Enterprise 2016 or above), Adobe introduced the ColdFusion Security Code Analyzer with ColdFusion 2016 and ColdFusion Builder 2016, as a tool to analyze CFML code for any of several kinds of common coding vulnerabilities, such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more. I also brought it to the attention of the CF team, and for now there are no plans to re-impose the restriction. This change was not something identified in the release of CF2021, but I found it to be the case in testing recently, and I’ve confirmed that it worked on several machines.

Whether you may be currently using the ColdFusion Security Code Analyzer feature or never heard of it, or may have considered it but passed on it due to that previous limitation, this is a newsworthy discovery. Prior to CF2021, it worked only with CF’s Enterprise license or Trial edition (20), and specifically NOT with a Standard license or the free Developer edition.

Here’s news that will interest some: the Adobe ColdFusion Security Code Analyzer tool now works with even the free Developer edition or Standard edition/license, as of CF2021.

Originally posted Jupdated (slight rewording, and adding mention of VSCode version of CFBuilder)