July 13, 2021
ColdFusion Security Code Analyzer now works with CF2021 Standard and Developer editions
July 13, 2021
ColdFusion Security Code Analyzer now works with CF2021 Standard and Developer editions
ColdFusion troubleshooter
Legend 138 posts
Followers: 100 people

Whether you may be currently using the ColdFusion Security Code Analyzer feature or have never known of it or used it, this is a newsworthy discovery: the tool now works with ColdFusion 2021 when running even as the free Developer edition or Standard edition/license. Prior to CF2021, it worked only with CF’s Enterprise license or Trial edition, and specifically NOT with a Standard license or the free Developer edition.

This change was not something identified in the release of CF2021, but I found it to be so recently, and I’ve confirmed that it worked on several machines. I also brought it to the attention of the CF team, and for now there are no plans to re-impose the restriction.

(It always bugged me that the Security Analyzer was limited this way, since it seems that security is a priority which should concern all users of CF, regardless of how they licensed it.)

About the Security Code Analyzer

For those not familiar with the tool (perhaps especially if they didn’t have CF Enterprise 2016 or above), Adobe introduced the ColdFusion Security Code Analyzer with ColdFusion 2016 and ColdFusion Builder 2016, as a tool to analyze CFML code for any of several kinds of common coding vulnerabilities, such sql injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more.

It not only finds and describes the vulnerabilities but also recommends CFML features that could be used to mitigate those vulnerabilities.

Again, the Security Code Analyzer is not new. It works with CF 2016, 2018 and 2021, and with CF Builder 2016 and 2018. (CFBuilder 2021 is still in development, planned to be built upon Visual Studio Code.) And yes, even CFBuilder 2016 can analyze code against CF2021, and will work with any edition of CF2021.

Some restrictions remain in place

Let me repeat first that the lifting of this CF Enterprise requirement is ONLY in CF2021. With CF2018 or 2016, the tool still ONLY works when those are running with an Enterprise license or their trial editions.

Also, the Security Code Analyzer feature works only with a licensed or trial edition of CFBuilder. As some may know, if a license is not entered at installation or during the 60-day trial, CFBuilder will revert to the free Express edition, which holds back various features, as I have written about before. The Security Code Analyzer is (still) one of those features.

You may have CFBuilder licenses you are not using

That said, do note that a license of CF Builder is included with the purchase of CF itself. As noted in a FAQ that I link to at the end of that other blog post, you get three licenses of CF Builder with a CF Enterprise edition or one license with CF Standard edition.

So you may have CFB licenses you are not even using. Login to your account at the Adobe licensing site to find the available CFB licenses for any purchased CF licenses.

Again, though: note that the Security Code Analyzer does work with the free 60-day trial of CFBuilder (2018 or 2016), so you don’t HAVE to pay for the tool to try it out.

Fixinator, as an alternative

Despite the lifting of this Enterprise requirement, you may find other reasons that the CF Security Code Analyzer don’t suit you. In that case, consider also Fixinator, a commercial tool/service from Foundeo, whose founder Pete Freitag is author of the ColdFusion Lockdown Guide as well as other tools and resources.

Fixinator does not require either the use of CFBuilder or of RDS, is not limited by CF edition, works with Lucee, and even offers an option to perform the recommended code changes if you may prefer that. See the product’s web site for more, including installation steps (including CommandBox) and run-time configuration options.

Learning more about the Security Code Analyzer

For more information on the Security Code Analyzer, see the docs, which shows more about setting up and using the tool within CF Builder. It does require that you create a CF Builder “project” for the code to be analyzer, and that you connect that project to a “server” (a CF instance accessible to CFBuilder), and that that CF instance have RDS enabled (see the CF Admin Security>RDS page).

Even for developers who may choose to use other editors or IDEs for their day-to-day development, the combination of CFBuilder and the CF Security Code Analyzer can be valuable for this security code analysis, alone. Everyone should be analyzing their code for security vulnerabilities, using one tool or the other discussed here. It’s nice to see this change in CF2021, regarding the CF-provided tool.

For more blog content from Charlie Arehart, see his posts here as well as his posts at carehart.org. And follow him on Twitter and other social media as carehart.

Add Comment