
For the last few days, I have been searching for a static code analysis tool for ColdFusion. I have not found a good one so far. I found two:

  1. YASCA
  2. https://code.google.com/p/cf-metrics/

From YASCA I was getting only XSS alerts and some alerts for session management, nothing more than that. I have tried it with my entire project. I was not even able to properly install cf-metrics using ColdFusion 10: after putting the required jar file in the lib folder I was not able to access any of my IIS sites because of some ISAPI redirect issue.

Any other tools available?

user3427540
  • Now (2017) the options seem to be CFLint and the non-free Security Code Analyser, which unfortunately runs as part of the CF Builder IDE: https://helpx.adobe.com/coldfusion/2016/security-enhancements.html - I'm looking at building a SAST solution. – Leo Aug 14 '17 at 13:00

2 Answers


I've looked at this a couple of times in the past, as I maintain a large CF application.

Each time I looked I was unable to find anything suitable. I spent a while looking into using the Railo CFML parser (because it's open source) to build something ourselves and concluded at the time that it was possible, but was no small task.

You may be able to re-examine the Railo approach, but feed the AST from Railo into an existing code analysis tool. I never got that far, but it may be possible to an extent.

I'd love to hear differently, but the short answer is that there's not much out there.

barnyr
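To make the "build something ourselves" route concrete, here is an added example (not code from this thread, from Railo or from CFLint) of the kind of check a home-grown ColdFusion SAST starts with: request-scope variables (`url`, `form`, `cgi`, `cookie`) interpolated into a `<cfoutput>` block without an HTML encoder, and interpolated into a `<cfquery>` outside a `<cfqueryparam>`. It is deliberately regex-based so it runs stand-alone; the sample template, the scope list and the encoder list are assumptions for illustration, and a real tool would walk the parser's AST instead, which is exactly why the Railo/ANTLR approach matters.

```python
import re
import sys
from typing import List, Tuple

# Assumed attacker-controlled scopes in a ColdFusion request (illustrative list).
TAINTED_SCOPES = ("url", "form", "cgi", "cookie")

# Assumed output encoders that neutralise HTML injection when they wrap the whole expression.
HTML_ENCODERS = ("encodeforhtml", "encodeforhtmlattribute", "htmleditformat")
SAFE_PREFIXES = tuple(e + "(" for e in HTML_ENCODERS)

OUTPUT_BLOCK = re.compile(r"<cfoutput\b[^>]*>(.*?)</cfoutput>", re.IGNORECASE | re.DOTALL)
QUERY_BLOCK = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
QUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# One #expression# interpolation on a single line.
INTERP = re.compile(r"#([^#\n]+)#")
TAINT_REF = re.compile(r"\b(" + "|".join(TAINTED_SCOPES) + r")\.[A-Za-z_]\w*", re.IGNORECASE)


def scan_cfml(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, kind, expression) findings for a CFML template string."""
    # CFML writes a literal hash as ##; blank it with two spaces so offsets are unchanged.
    text = source.replace("##", "  ")
    findings: List[Tuple[int, str, str]] = []

    def line_of(offset: int) -> int:
        return text.count("\n", 0, offset) + 1

    # Check 1: tainted value rendered inside <cfoutput> without an HTML encoder.
    for block in OUTPUT_BLOCK.finditer(text):
        base = block.start(1)
        for m in INTERP.finditer(block.group(1)):
            expr = m.group(1).strip()
            if TAINT_REF.search(expr) and not expr.lower().startswith(SAFE_PREFIXES):
                findings.append((line_of(base + m.start()), "xss", expr))

    # Check 2: tainted value spliced into <cfquery> SQL outside a <cfqueryparam>.
    for block in QUERY_BLOCK.finditer(text):
        base = block.start(1)
        # Blank out cfqueryparam tags (same length) so #...# inside their attributes is ignored.
        body = QUERYPARAM.sub(lambda t: " " * len(t.group(0)), block.group(1))
        for m in INTERP.finditer(body):
            expr = m.group(1).strip()
            if TAINT_REF.search(expr):
                findings.append((line_of(base + m.start()), "sqli", expr))

    return sorted(findings)


# Constructed sample template; not taken from any real project.
SAMPLE = """<cfparam name="url.id" default="0">
<cfoutput>
  <h1>Hello #encodeForHTML(url.name)#</h1>
  <p>Order ###url.id#</p>
  <p>Search: #form.q#</p>
</cfoutput>
<cfquery name="q" datasource="app">
  SELECT * FROM orders WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
  AND owner = '#cookie.user#'
</cfquery>
"""


if __name__ == "__main__":
    # Usage: python scan_cfml.py [file.cfm ...]; with no arguments the sample is scanned.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, src in sources:
        for line, kind, expr in scan_cfml(src):
            print(f"{name}:{line}: {kind}: #{expr}#")
```

Run against the sample it reports the unencoded `url.id` and `form.q` in the output block and the unparameterised `cookie.user` in the query, and stays silent for the encoded `url.name` and the `cfqueryparam`-bound `url.id`. The regex approach has obvious blind spots (taint laundered through `<cfset>` into a local variable, output via `writeOutput()`, `cfoutput` blocks nested in queries, multi-line expressions), which is the case for the AST-based route the answer above describes.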

If you're still looking for a ColdFusion Linter, I would recommend CFLint. It's hosted on GitHub and Maven. The parser was updated to use ANTLR4, so it's much faster than previous editions. We're also making it easier to customize than JSLint.