Has anyone used veracode for vulnerability testing...
# cfml-general
g
Has anyone used veracode for vulnerability testing of CFML - specifically via the VSCode plugin - as opposed to sending a WAR to their cloud-api?
p
As far as I can see it's not a supported language. Only supported for compiled code.
s
I use it monthly with the WAR file method. It doesn’t actually support CF
b
@Scott Bennett - I'd be interested in a few more details of how you go about generating the WAR file and how you process the results of the scan if you have time to elaborate...
f
shameless plug for Fixinator: https://fixinator.app - you can scan your CFML code for vulnerabilities and with the enterprise version you can do it all locally on your own computer (or in CI, etc)
s
@brettpr out of the office this morning but I can send the step by step document later today
I also use fixinator on some of my clients
b
@Scott Bennett - thanks v much - no rush though...
s
I actually prefer fixinator for the cfml scanning but veracode has some extra features around licensing and such, and also picks up any vulnerabilities in the cf engine jars
Basically we follow this (but modify based on CF version) https://docs.veracode.com/r/compilation_CF
b
Cool... Thanks @Scott Bennett - I'll give it a go - will just need to do the compile Lucee style.