Adobe ColdFusion Builder Extension for Visual Studio Code
“Security Code Analyzer”
Security is a critical aspect of programming. The Security Analyzer is a powerful, useful tool for CFML developers to use to help prevent vulnerable code in their application. It can warn about potential threats, give you an idea on the level of the threat, and suggest potential solutions to the issues.
As of CF2021, Security Analyzer functionality is available and valid for ALL licensed versions of ColdFusion (in the past, it was only enabled for Enterprise). Using it in the VS Code Extension couldn’t be easier.
First, select the CF icon in the left pane to show your projects. Right click the project you’d like to scan. You will have several options. You can run the security analyzer, run it “clean” (this wipes out old found issues and resets any issues you’ve ignored), cancel any running analyzer or clear all security markers.
Once you run an analyzer instance, you will see a large set of panes listing out your issues, with different levels of threat.
Drilling down into each threat will show the file, line number and issue along with a suggest fix. You can click into the files directly to fix the issues, and once fixed you can mark it as so under “action”.
Exporting a vulnerability report
If you would like to, you can export a vulnerability report directly from the VS Code interface using the “Export” button located at the upper right. This will generate a folder with HTML, JSON and other assets which will allow you to view your information in a visual way.
Keep in mind also that this will generate a JSON file which you could also potentially import into your own vulnerability reporting system if you were to build one.