Originally posted July 13, 2021; updated May 3, 2023 (slight rewording, and adding mention of VSCode version of CFBuilder)

Here’s news that will interest some: the Adobe ColdFusion Security Code Analyzer tool now works with even the free Developer edition or Standard edition/license, as of CF2021. Prior to CF2021, it worked only with CF’s Enterprise license or Trial edition (2018 and 2016), and specifically NOT with a Standard license or the free Developer edition.

Whether you may be currently using the ColdFusion Security Code Analyzer feature or never heard of it, or may have considered it but passed on it due to that previous limitation, this is a newsworthy discovery

This change was not something identified in the release of CF2021, but I found it to be the case in testing recently, and I’ve confirmed that it worked on several machines. I also brought it to the attention of the CF team, and for now there are no plans to re-impose the restriction.

(It always bugged me that the Security Analyzer was limited that way, since it seems that security is a priority which should concern all users of CF, regardless of how they licensed it.)

About the Security Code Analyzer

For those not familiar with the tool (perhaps especially if they didn’t have CF Enterprise 2016 or above), Adobe introduced the ColdFusion Security Code Analyzer with ColdFusion 2016 and ColdFusion Builder 2016, as a tool to analyze CFML code for any of several kinds of common coding vulnerabilities, such sql injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more.

It not only finds and describes the vulnerabilities but also recommends CFML changes to mitigate those code vulnerabilities.

Again, the Security Code Analyzer is not new. It works with CF 2016 and above, and with CF Builder 2016 and 2018. Update: in July 2022, Adobe released CFBuilder as a VSCode extension, and that also includes this Security Code Analyzer. CFBuilder does need to be configured to connect (via the CF RDS feature) to a CF instance, and the analysis is done in CF but reported in Builder (which can produce PDF charts and reports). And yes, any of these versions of CFBuilder can analyze CFML code of any CF version and can all work with any edition of CF2021.

Some restrictions remain in place

Let me repeat first that the lifting of this CF Enterprise requirement is ONLY if you are running CF2021. If you connect builder to a CF2018 or 2016 instance, the tool will still ONLY work if those are running with an Enterprise license, or their trial editions.

Also, if used with CFBuilder 2018 or 2016, the Security Code Analyzer feature works only with a licensed or trial edition of CFBuilder. Update: Note that the new CFBuilder VSCode extension is free, there is no paid version.

As some may know, with CFBuilder 2018 or earlier if a license is not entered at installation or during the 60-day trial, CFBuilder will revert to the free Express edition, which holds back various features, as I have written about before. The Security Code Analyzer is (still) one of those features. Update: But again this cost/feature distinction does NOT apply to the VSCode extension, which has only the one free edition.

You may have CFBuilder licenses you are not using

That said, for those only interested in using CFBuilder 2018 or 2016, do note that a license of CF Builder is included with the purchase of CF itself. As noted in a FAQ that I link to at the end of that blog post just mentioned, you get three licenses of CF Builder with a CF Enterprise edition or one license with CF Standard edition.

So you may have CFB licenses you are not even using. Login to your account at the Adobe licensing site to find the available CFB licenses for any purchased CF licenses.

Again, though: note that the Security Code Analyzer does work with the free 60-day trial of CFBuilder (2018 or 2016), so you don’t HAVE to pay for the tool to try it out. Update: And one more time: the Security Code Analyzer works with the new free VSCode extension.

Fixinator, as an alternative

Despite the lifting of this Enterprise requirement, you may find other reasons that the CF Security Code Analyzer don’t suit you. In that case, consider also Fixinator, a commercial tool/service from Foundeo, whose founder Pete Freitag is author of the ColdFusion Lockdown Guide as well as other tools and resources.

Fixinator does not require either the use of CFBuilder or of RDS, is not limited by CF edition, works with Lucee, and even offers an option to perform the recommended code changes if you may prefer that. See the product’s web site for more, including installation steps (including CommandBox) and run-time configuration options.

Learning more about the Security Code Analyzer

For more information on the Security Code Analyzer, see the docs, which shows more about setting up and using the tool within CF Builder. It does require that you create a CF Builder “project” for the code to be analyzer, and that you connect that project to a “server” (a CF instance accessible to CFBuilder), and that that CF instance have RDS enabled (see the CF Admin Security>RDS page).

Even for developers who may choose to use other editors or IDEs for their day-to-day development, the combination of CFBuilder and the CF Security Code Analyzer can be valuable for this security code analysis, alone. Everyone should be analyzing their code for security vulnerabilities, using one tool or the other discussed here. It’s nice to see this change in CF2021, regarding the CF-provided tool.

For more blog content from Charlie Arehart, see his posts here as well as his posts at carehart.org. And follow him on Twitter and other social media as carehart.