Can anyone recommend a good static analysis tool f...
# cfml-general
j
Can anyone recommend a good static analysis tool for Lucee? Preferably something open source if possible. I looked through the history here and I see CFLint mentioned a lot - we're using that currently, but also looking for something that goes a bit deeper. We're also looking to get some pen testing done, would love to hear about anyone you guys can recommend for that.
m
This seems like a job for @foundeo perhaps? (or maybe he can help guide)
f
yeah, check out Fixinator, it goes deeper into security than cflint: https://fixinator.app/
❤️ 2
j
Thanks, will check that out
b
@James Vince CodeChecker is also a CLI you can run against your code. It's pretty simple -- just a bunch of regex based rules to check for certain syntax or use of potentially dangerous functions/tags
Its signal to noise ratio can be low, so the trick is to narrow down to rules you actually care about
d
Re pentesting, our people just picked a vendor for a test about to happen, one we haven't used before, which they're impressed with so far. It's Tec Refresh. They haven't actually done the thing yet, that's next week. Not sure when we'll get results back, and I'm not on a pro account here, so this thread may scroll away, but if it doesn't, and you remind me, I can say how it actually went.
👍 1
b
@Dave Merrill Do you know if it's an actual human poking your site for holes or if they just point an off-the-shelf scanner at your site and send you a PDF export of what it finds?
d
Yes, humans, that's one of their big pluses. They've also been very responsive and reasonable, according to the folks dealing with them. (Who is not me.)
b
Sweet
j
Thanks guys, I'll look into those as well. I appreciate all of the suggestions!
a
We had to get rid of our pen testers as they kept finding things which was really annoying! 😛
😀 1
BTW: I strongly recommend Fuseguard as it'll get you a long way to passing pen tests.
👍 1
m
LOL Alias that reminds me of the pm at a place I used to work at who would specifically make it so I was not one of the people doing QA on their work because my superpower was breaking things.
😁 1
d
I'm having flashbacks guys, knock it off!
😄 1
b
Anyone know of any tools that integrate into pipelines such as a sonarqube plugin? I used an old plugin a few years back
b
TestBox's code coverage will generate a SonarQube file, but I'm not aware of any cf pentesting integrations for it. @bclingan