Create a ColdFusion project or use an existing project. Ensure that the project is aligned to the preferred server. You can verify it by choosing the appropriate server in project properties. (Right-click in the navigator and choose properties).
Adobe ColdFusion Builder is End of Life from Oct 1, 2024
Thank you for being part of the exciting journey of Adobe ColdFusion Builder.
As Adobe continues to focus on ColdFusion Builder extension for Visual Studio Code as the IDE for Adobe ColdFusion, we have decided to End of Life (EOL) Adobe ColdFusion Builder on Oct 1, 2024.
View the End of Life (EOL) announcement for ColdFusion Builder.
The Security Code Analyzer is only available to ColdFusion (2016 release) Enterprise license users.
For any web application, security plays a critical role. It is important to avoid security pitfalls while developing web applications.
Security code analyzer
Security Analyzer is a new feature in Adobe ColdFusion (2016 release). This feature is integrated into ColdFusion Builder to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code.
Use this feature to view:
- Vulnerable code in the editor
- Vulnerability or type of attack (Error and Warning)
- Severity level of vulnerability (High, Medium, and Low)
- Suggestion to avoid the vulnerability.
- Security Analyzer works only with ColdFusion Enterprise or Enterprise (trial) and with Developer profile.
- Security Analyzer does not work with ColdFusion Developer or Standard edition and with Production or Production secure profile.
- Security Analyzer does not work with ColdFusion Builder default local server.
The Security Analyzer feature of the server is exposed as a service, to which the builder sends a request. You can get a list of security vulnerabilities for a file, a folder, or a whole project.
Accessing security analyzer in builder
Follow the steps below to access Security Analyzer in ColdFusion Builder:
- Right-click the project folder or project file in the navigator pane.
- Choose Security Analyzer > Run Security Analyzer.
You have three options in Security Analyzer:
- Run Security Analyzer – Analyzes and displays vulnerabilities of the code.
- Clean Run Security Analyzer – Clears the history of all ignored messages and warnings (the vulnerabilities marked as Ignore during a previous Run Security Analyzer) and displays all vulnerabilities for the project.
- Clear Security Markers – Removes all security warnings and resources. Run the security analyzer again to view the vulnerabilities for your resource.
Using the security analyzer
Follow the steps below to use Security Analyzer for your project folder or file:
- Right-click the project folder or project file and choose Security Analyzer > Run Security Analyzer. Security Analyzer analyzes the code and displays a pop-up dialog when the task is completed.
- Click OK.
You can view all the vulnerabilities in the bottom pane of the Editor, as shown below.
(Figure: Vulnerabilities)
- Click Security Issues on the left pane to view the list of vulnerabilities.
- As shown in the left pane of the snapshot, click the vulnerability type (such as SQL Injection or XSS attack) to view the corresponding problem statement. You can also view the suggested solution at the right pane.
- Alternatively, you can click any error on the middle pane to view the corresponding statement and solution at the right pane.
- Double-click each error on the middle pane to view the corresponding line in the Editor.
- Use the filters for File Name, Attack Name, Severity Level, and Type in the middle pane. Start typing the file name in the search area to locate the files with vulnerabilities. You can narrow down your search by severity level (High, Medium, or Low) using the All drop-down list.
Note: The Both drop-down list is sometimes grayed out. This happens when your cursor is already pointing to the Errors or Warnings issue type in the left pane. Select the Security Issues folder to make it active again.
- When you have fixed the error in the code, right-click the corresponding error on the middle pane and set its status to Fixed. Set the status to Ignore if you want to ignore the error. You can move the error back to the To fix status in the same way.
Note: Rerunning Security Analyzer (Security Analyzer > Run Security Analyzer) does not show the vulnerabilities that are marked as Ignore. If a vulnerability is marked as Fixed but is not actually fixed, the server reports it again.
- Click Export on the upper-right corner of the Security Analyzer pane to export all the vulnerabilities to a report.html file. The exported file shows a graphical representation of all vulnerabilities for your resource, as shown below:
(Figure: Graphical representation of vulnerabilities)
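As an added illustration (not code from the original page or from Adobe), the following shows the kind of ColdFusion code the analyzer reports as SQL Injection and XSS, followed by the corrected form; the data source, table, column and variable names are made up for the example.

```cfml
<!--- Constructed example: code the Security Analyzer would flag --->

<!--- SQL Injection (High): url.id is spliced straight into the SQL string --->
<cfquery name="getUser" datasource="appDS">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>

<!--- XSS: a user-controlled value is written to the page without encoding --->
<cfoutput>Hello, #form.displayName#</cfoutput>


<!--- Corrected form --->

<!--- cfqueryparam binds the value as a typed parameter instead of concatenating it,
      so the database never interprets the input as SQL --->
<cfquery name="getUser" datasource="appDS">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- encodeForHTML (available since ColdFusion 10) encodes the value for the
      HTML body context before it is rendered --->
<cfoutput>Hello, #encodeForHTML(form.displayName)#</cfoutput>
```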
Increasing the Security Analyzer timeout
You can increase the Security Analyzer timeout in the RDS Configuration settings.
The default is 30 seconds.
- Right-click the server, or choose Windows > Show View > Other.
- Type RDS in the text field.
Additional setup configurations
Perform one of the following:
- Open access to port 8500 using the Windows firewall.
- Set up a virtual directory for the site for /CFIDE in IIS and the uriworkermap.properties file for the given connector. In the file, remove the ! in front of /CFIDE/* = cfusion.
Workflow of Security Analyzer
- Security Analyzer is exposed as a service by the ColdFusion Server.
- By running Security Analyzer for a file or a set of files, the builder makes a request to this service.
- The builder displays the vulnerabilities in a separate view for each file, along with corresponding line numbers.
- You can double-click a vulnerability to open the file in the editor window with the cursor pointing at the corresponding line, marked with a red icon.
- A single click shows a brief description of the attack and of possible ways to avoid it.