# cfml-general
s
Hello All.. We are trying to find a tool that can do Software Composition Analysis on our Coldfusion based product codebase. We do use third party tools and libraries. This is not the Static application Scanning. Do you know of any tools that can do this Software Composition Analysis?? Any pointers would be greatly appreciated. Hoping someone may already have done something like this. Thanks again for your time.
g
Please excuse my ignorance... But what does that mean? Is it:
- Do I have a service layer, or do I call classes that are the implementation directly?
  - (Does my code always use a public API?)
- Does my code use interfaces?
- Does my code use XXX instead of YYY, because YYY is superior?
- Quicksort instead of bubble-sort?

Because that "could" be a useful tool...
s
SCA is pretty much by definition about analyzing third party tools and libraries you use. See https://en.wikipedia.org/wiki/Software_composition_analysis for example. All the SCA tools I've dealt with have used either the NVD (National Vulnerabilities Database) or the GitHub Advisory database to look for vulnerabilities in dependencies. Some of the tooling out there can be used to scan arbitrary 3rd party JAR files so you can run them against a CF install but it's pretty manual (and my experience is that the CF engines tend to obfuscate their actual dependencies to some degree so it is hard to get reliable per-version analysis). I've done this a couple of times against installations of Lucee, using the DependencyCheck tool (which uses NVD). https://owasp.org/www-project-dependency-check/
g
Thanks, got it - so for workplace we use Snyk for testing the uncompiled source code and dependencies in our C# apps/stacks.
We use it for the CFML apps too - but the coverage is rubbish and ultimately ends up being a scan of JS libraries and 3rd party JARs, only.
s
Yeah, we find Snyk useless too -- which is why we use a DependencyCheck-based tool as part of our CI process.
s
Thanks a lot to all who responded. Any thoughts about https://www.mend.io/? They claim to have a complete solution for this. We have a call scheduled with them.
s
I have used Veracode for this, but you have to export your application into a WAR file and scan that because they don't directly support CF. https://www.veracode.com
s
@Scott Bennett and presumably you have to compile all your CFML to bytecode and the tool scans that somehow?
s
@seancorfield we would use the CF administrator to export the application to a WAR file (https://helpx.adobe.com/coldfusion/configuring-administering/deploying-coldfusion-applications.html#PackagingapplicationsinJEEarchivefiles), then upload that WAR file to Veracode. Then it would scan that and give a full report (including SCA). It was kind of annoying from a bureaucracy standpoint though, because sometimes there would be stuff in there that we couldn't actually fix because the issues were in the Adobe CF engine itself. I would just send those over to Adobe and repeatedly explain to the folks in the corporate security team why I couldn't just update those things myself. We stopped using Veracode in November as the product went through an acquisition and the new owner is planning to start using Fixinator scans.
s
It's not clear to me that WAR packaging compiles the code, and even if Veracode scans bytecode I can't imagine it being able to give useful feedback on CFML. Sounds like it's moot anyway at this point.
s
It did give good feedback on the code, complete with file names and line numbers.
s
Interesting. Good to know! Thank you.
s
Looking over an old Excel export (from 2020) that I found in an old email, it shows the file name and line number but not the full path. I think the paths were visible in the UI though.
In the Veracode UI, it would link to detailed explanations of the vulnerabilities and suggest general (not CF-specific) strategies for remediation.
Also, I think there were a lot of instances where the line numbers weren't exactly lined up with where the issue occurred in the actual cfm/cfc file, but it was usually within a few lines.
s
OK, I'm impressed... the compiler geek in me wonders exactly how they did it 🙂
s
I can't answer that one... as someone who only really scratched the surface of learning Java a decade or two ago, once things get too far beyond the CFML, or maybe using cfobject to interact with some Java class, it pretty much all turns into voodoo witch magic to me.