Tracker Issue java.io.FileNotFoundException thrown on opening files when using the Security Code Analyzer
Tracker Comment Comment on java.io.FileNotFoundException thrown on opening files when using the Security Code Analyzer by Mukesh K.
Tracker Issue Security Code Analyzer reports false positives for upload code, and repeats warnings/errors
Tracker Comment Comment on Security Code Analyzer reports false positives for upload code, and repeats warnings/errors by CFwatson U.
Tracker Issue Cancel Security Analyzer Request option must exist
2682315 CFB-4121222 Security Code Analyzer Cancel Security Analyzer Request option must exist Problem:
Cancel Security Analyzer Request option should be there
Method:
Result:
Currently there is no option to stop the security analyzer request while it is running.
Expected:
Workaround
Tracker Issue Code Analyzer False Negative
2673450 CF-4126537 Security Analyzer Jason Dean Code Analyzer False Negative Problem Description:
This code should be flagged for SQLi, it is not.
component {
public function getUserByID( numeric id ) {
var q = new Query
Tracker Issue Security Analyzer , If the operation is cancelled it should display the partial results
2682248 CFB-4135745 Security Code Analyzer Security Analyzer , If the operation is cancelled it should display the partial results Problem:
Method:
Security Analyzer , If the operation is cancelled it should display the partial results
Result:
Expected:
Workaround
Tracker Issue Security Analyzer - Show icon in navigator pane
2682304 CFB-4130054 Security Code Analyzer David Epler Security Analyzer - Show icon in navigator pane Related Bugs:
4146775 - Similar to ColdFusion Builder
Currently if a file has an issue it is only identifiable from the security analyzer pane.
An indicator should also be shown
Tracker Issue Security Analyzer: ER for the Generated Report
2682331 CFB-4116590 Security Code Analyzer Security Analyzer: ER for the Generated Report Problem:
1. Should add the time details inside the report as well.
2. In pie chart, when there is no "Error" in the report, the chart shows "Warning" as 100 %, which is valid. But at the same time simply
Tracker Issue Security Analyzer Reports hardcode image paths
2682300 CFB-4130058 Security Code Analyzer Peter Freitag Security Analyzer Reports hardcode image paths Problem Description: The report only looks correct when viewed on the machine that generated it, or on computers that have installed Builder at the same path. You will find the image paths hard
Tracker Issue Security report doesn't list the line #s.
2682265 CFB-4130102 Security Code Analyzer Raymond Camden Security report doesn't list the line #s. The security report should show line #s. Yes you get markers in the file, but the table of results should tell you the line number.
Tracker Issue Security Analyzer - Incorrect SQLi
2673360 CF-4126698 Security Analyzer David Epler Security Analyzer - Incorrect SQLi The security analyzer incorrectly identifies attached code as having a SQLi where the variable is completely controlled through the code
Security Analyzer should understand the context of variables
Tracker Issue Security Analyzer - case sensitivity for <cfqueryparam>
2673451 CF-4126536 Security Analyzer David Epler Security Analyzer - case sensitivity for <cfqueryparam> Testing sample source code that had the following:
update comments set
subscribe = 0,
followup = 0
where commentid =
The security analyzer flagged it SQLi, Error, High. There is no SQLi
Tracker Issue Requirement of a Progress Bar in the Builder IDE, to show the status of the Security Analyzer scan.
2682314 CFB-4121267 Security Code Analyzer Requirement of a Progress Bar in the Builder IDE, to show the status of the Security Analyzer scan. Problem:
Requirement of a Progress Bar in the Builder IDE, to show the status of the Security Analyzer scan.
Method:
We should consider implementing a
Tracker Issue Security Analyzer - Show full path & filename
2682302 CFB-4130056 Security Code Analyzer David Epler Security Analyzer - Show full path & filename The security analyzer pane in Builder only shows the filename of the file and not the complete path. This makes it difficult to know where the file with the issue when scanning directory
2682275 CFB-4130092 Security Code Analyzer Aaron Neff [ANeff] Bug for: Security Analyzer fails for CFB virtual host Security Analyzer fails to run if the project's server is a CFB virtual host. Doesn't matter if the CF server is local or remote. Example:
CF Servers view
Tracker Issue Security Analyzer - Unnamed Application and <cfsilent>
2673454 CF-4126533 Security Analyzer David Epler Security Analyzer - Unnamed Application and <cfsilent> Using LitePost (https://github.com/dcepler/litepost) as example code to test.
In the Model Glue variation of LitePost, the Security Analyzer is flagging Application.cfm as not being within a named
Tracker Issue Disable Multiple Request: Triggering security analyzer scan more than once should not be allowed.
2682316 CFB-4121217 Security Code Analyzer Disable Multiple Request: Triggering security analyzer scan more than once should not be allowed. Problem:
Disable Multiple Request: Triggering security analyzer scan more than once should not be allowed.
Method:
Until and unless first scan request
2682180 CFB-4166790 Security Code Analyzer Muraoka Shigeyoshi (Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.) Problem Description:
After applying CFBuilder Update 2, charts are not displayed in Security Analyzer Report.
The issue occurs only in Japanese Cold
2682235 CFB-4139440 Security Code Analyzer NPE on right click when no row is selected in Security Analyzer view Problem:
In the security analyzer view, right click is supported and it shows a menu according to the selected row.
In case no row is selected, it throws an NPE.
To repro:
1. Run SA
2. Close SA view
3
2682250 CFB-4135074 Security Code Analyzer Clear Security Markers should remove the markers when run over multiple folders Problem:
Method:
Steps to reproduce:
1. Select two folders which each have a vulnerability
2. The vulnerabilities will be displayed once the scan is over
3. Select
2682291 CFB-4130071 Security Code Analyzer Peter Freitag Security Analyzer Fails Silently when not using builtin server Problem Description:
When you have a server setup with secure profile and try to use the security analyzer with it, the security analyzer fails silently. The request to the CF
Tracker Issue Security Analyzer and dbtype="query" within cfquery
that these errors should show in the security analyzer results. Attached is an image that shows a cfquery and the sort and order parts will display as errors within the security analyzer.
Steps to Reproduce:
1. Use dbtype="query" via the cfquery tag and have code like pictured in the image
2. Run security
Tracker Issue Security Analyzer - Unnamed Application and Fusebox
2673453 CF-4126534 Security Analyzer David Epler Security Analyzer - Unnamed Application and Fusebox Using LitePost (https://github.com/dcepler/litepost) as example code to test.
In the Fusebox variations of LitePost, the Security Analyzer is flagging Application.cfm as not being within a named
2682245 CFB-4138258 Security Code Analyzer When "Unscanned Files" pane is empty, an unhandled exception is thrown if "Clear Security Markers" is run. This results in Security Analyzer pane not being cleared. Duplicate ID: 4138321 ColdFusion Builder
Problem:
Method:
Steps to repro issue:
1. Run
2682414 CFB-4102076 Security Code Analyzer In IE browser , icons are not properly displayed in exported report Problem:
Method:
Steps to Reproduce:
1. Run security analyzer on vulnerable code
2. Click on export icon
3. Open report.html in IE browser
4. Check the Fixed, To fix, and Ignored icons
2673452 CF-4126535 Security Analyzer David Epler Security Analyzer - incorrect flagging of method="post" on Using LitePost (https://github.com/dcepler/litepost) as example code to test.
Security Analyzer is flagging fusebox/home/entry/comment/dsp_commentForm.cfm with a warning, low for getvspost
2682303 CFB-4130055 Security Code Analyzer Peter Freitag Security Analyzer Times out after 30 seconds, unable to scan large dir Problem Description: I tried running a scan on an application with 900 files. The security analyzer times out after 30 seconds saying "Error message from the server. Read
Tracker Issue Column sort doesn't work in "Unscanned File" pane.
2682240 CFB-4139323 Security Code Analyzer Column sort doesn't work in "Unscanned File" pane. Problem:
Column sort doesn't work in "Unscanned File" pane.
Method:
Result:
Expected:
Workaround:
Tracker Issue [ER] Filename search and sorting should be implemented in the Unscanned file pane view
2682241 CFB-4138875 Security Code Analyzer [ER] Filename search and sorting should be implemented in the Unscanned file pane view Problem:
Method:
Filename search and sorting should be implemented in the Unscanned file pane view
Result:
Expected:
Workaround
Tracker Issue Issues in the 'Unscanned Files' view.
2682246 CFB-4138072 Security Code Analyzer Issues in the 'Unscanned Files' view. Problem:
Issues in the 'Unscanned Files' view.
Method:
The following scenarios are not working in the 'Unscanned Files' view :
1)On clicking a file, it does not open in the file editor view.
2)On clicking the column
2682258 CFB-4131035 Mukesh K. Verified the fix in build #298421. Message displays as:
Server error: Security Code Analyzer is not available in this edition of the ColdFusion server
Tracker Issue Security Analyzer - Secure with Credentials
incorrectly where the security analyzer could be exposed to an attacker to run and profile the code making it easier to attack.
The security analyzer should be secured with either admin or rds username and passwords.
2673455 CF-4126531 Security Analyzer David Epler Security Analyzer - Incorrect flagging SQLi (BlogCFC - blog.cfc) Using BlogCFC as example code.
The Security Analyzer is incorrectly flagging the use of the variable posted in getActiveDays() method within org/camden/blog/blog.cfc. The variable
2682227 CFB-4147846 Security Code Analyzer [ER] Unscanned File pane layout design should contain Tree Viewer structure Problem:
Method:
Unscanned File pane layout design should be similar to the security analyzer view in order to incorporate the different segments of invalid file, encrypted file
Tracker Issue Security Analyzer - addtoken and Secure Profile
2673382 CF-4126665 Security Analyzer David Epler Security Analyzer - addtoken and Secure Profile The behavior for addtoken in changes if Secure Profile is enabled or not. As the security analyzer is currently implemented it has no knowledge if the code will be deployed to a server with Secure
Tracker Issue Security Analyzer - CGI scope is not "Safe"
2673376 CF-4126678 Security Analyzer David Epler Security Analyzer - CGI scope is not "Safe" When running the security analyzer across attached code it should flag the use of CGI.HTTP_USER_AGENT in line 1 as XSS and line 4 as SQLi.
There are numerous items populated into CGI scope that come
Tracker Issue Add Detailed JSON file to report export
2682301 CFB-4130057 Security Code Analyzer Peter Freitag Add Detailed JSON file to report export When you export a report it generates a nice HTML report but it would be very useful if it also dumped a JSON file in there (with all the details of the vulnerabilities found, file paths, etc) so you
Tracker Issue Security Analyzer - CSRF Attack detection does not work
2673381 CF-4126667 Security Analyzer David Epler Security Analyzer - CSRF Attack detection does not work Related Bugs:
CF-4080920 - Similar to
The CSRF Attack detection for the security analyzer does not work according to the documentation.
Attached code samples have the correct usage
Tracker Issue Can't resize/adjust security repor
2682266 CFB-4130101 Security Code Analyzer Raymond Camden Can't resize/adjust security repor Duplicate ID: 3982669 ColdFusion Builder
The Security Report panel should be resizeable internally. Specifically the left panel which is large and takes a lot of space. Screen shot:
https
Tracker Issue Text in 'task completed' window is weird
2682280 CFB-4130083 Security Code Analyzer Raymond Camden Text in 'task completed' window is weird I just did a scan and the result was a pop up that said:
"Security analyzer task completed. To correct the squiggly line, select insert spaces
for tabs option from Editor > General > Text Editors
Tracker Issue Mapped Drive and Server Drive Must Match
2682311 CFB-4126170 Security Code Analyzer STEPHEN WALKER Mapped Drive and Server Drive Must Match We setup a new development server and developers are required to map to their specific folder. The folders are located on the F drive, but if a user maps to a drive other than F, the security
2682258 CFB-4131035 Security Code Analyzer Check for ColdFusion Enterprise server needs to be corrected. Getting an incorrect alert message while running SA on inbuilt server (Developer edition) Problem:
Method:
Steps to reproduce:
1. Install CFB2016 with serial key.
2. Run SA over project
Analyzer
2) See timeout error thrown
3) Increase RDS timeout
4) repeat 1-3 a few times
So.. imagine multiple developers simultaneously trying to analyze their code against the same CF server. I can bring mine to 100% CPU w/ just 2-3 requests.
This isn't good b/c Security Analyzer isn't supported against
Tracker Issue Enhancement Request: CFQuery Analyzer
2673348 CF-4126711 Security Analyzer Travis Walters Enhancement Request: CFQuery Analyzer I love the "Security Analyzer" and it sort of gave me an idea for a new feature in Blizzard - a "CFQuery Analyzer" to find common performance pitfalls.
#1 - I have seen some inexperienced Cold
Tracker Issue [ANeff] Bug for: Code Analyzer doesn't notify about cflocation's addtoken default value change
Tracker Issue Security scanner: incorrect analysis
2673368 CF-4126688 Security Analyzer Adam Cameron Security scanner: incorrect analysis I put this code through the security scanner:
unscopedMessage = "hi";
writeOutput(unscopedMessage);
variables.scopedMessage = "hi";
writeOutput(variables.scopedMessage);
variables
Tracker Issue Null pointer exception thrown while running Security Analyzer repeatedly over same files
2682249 CFB-4135106 Security Code Analyzer Null pointer exception thrown while running Security Analyzer repeatedly over same files Problem:
Method:
Steps to reproduce:
1. Scan vulnerable file
2. Run Clean security scan over same files
3. Run security analyzer over the same files
Result
Tracker Comment Comment on Installer points to a failing page: adobe.com/go/cfb2018_exp_std_features by Charlie A.
5472380 CFB-4198446 Charlie A. Yep, Legorol. I suspect the list on that doc page is one that's been brought forward from older releases, so may mention things perhaps no longer in CFB (like this "code insight" reference) or things added recently (and not supported by Express) like the security code
Tracker Comment Comment on Security Analyzer Fails Silently when not using builtin server by CFwatson U.
in the code since the report is empty. Date Added :2016-01-13 21:07:06.0
Added By:prk Note Added: Security Analyzer module can be invoked only in development profile, assuming projects with security issues will not be moved to "security production profile". Hence, the secure profile is not enabled
Tracker Comment Comment on Security Analyzer - Incorrect SQLi by CFwatson U.
Tracker Issue Security scanner false positive and mixed messaging
2673367 CF-4126689 Security Analyzer Adam Cameron Security scanner false positive and mixed messaging Consider this code:
files = directoryList(expandPath( './hardcodedSubDirectory/' ));
The two statements are:
a) analogous;
b) as far as I can tell pose no risk
However the *first* line
2682255 CFB-4131907 Security Code Analyzer Builder needs to show the files separately or in the same view with one more column describing if file belongs to INVALIDFILE or CANNOTPARSE category. Related Bugs:
CF-4126394 - Similar to
Problem:
Builder needs to show the files
Tracker Issue Code Analyzer Migration Tool Update
Tracker Comment Comment on [ANeff] ER for: use EFR for API Manager and Security Analyzer by External U.
Tracker Comment Comment on [ANeff] Bug for: Security Analyzer extremely high CPU usage by Awdhesh K.
Tracker Issue Code Analyzer Migration Tool Update 2
Tracker Issue Security scanner SQLi odd guidance
2673375 CF-4126680 Security Analyzer Adam Cameron Security scanner SQLi odd guidance
INSERT INTO someTable (
uuid
)VALUES(
'#createUuid()#'
)
SELECT '#createUuid()#' AS uuid
FROM someTable
The first INSERT just gets a warning; the first SELECT gets an error (if anything... should
2673677 CF-4118885 Security Analyzer Aaron Foote [AF] - Security Analyzer - Incorrect support for deprecated cfform The security Analyzer's CSRF functionality ONLY works on CFForm
- CFFORM is deprecated and should not be receiving new features
- As CFFORM is deprecated it should
Tracker Issue Security Analyzer - Should be POST only
Security Analyzer XSS Warning on XmlFormat HTMLEditFormat
Tracker Issue Security Analyzer - Cookies in cfscript
Security Analyzer - Better information for HTMLEditFormat
:44:01.0
Added By:prk Note Added: Hi Raymond,
When we run the security code analyzer in the editor, sometimes you can see the squiggly lines for the vulnerabilities moving to different or inappropriate lines. That is because the editor is considering one tab as 4 spaces.
So the prompt asks for selecting "insert
2673317 CF-4126912 Security Analyzer David Epler Inconsistent XSS markings for built-in-functions (BIF) that return integers Duplicate ID: CF-4126413
Problem Description:
Given the code:
#ceiling(url.id)#
#floor(url.id)#
#round(url.id)#
Actual Result:
The security analyzer marks the lines
Tracker Comment Comment on Stop Encrypting the Administrator Code by External U.
Tracker Comment Comment on Code Analyzer False Negative by CFwatson U.
Code Analyzer on Splendor cfusion wwwroot fails with 481 errors
Tracker Comment Comment on Code Analyzer False Negative by S P.
False Positive for CFCollection "path" Attribute on Code Analyzer
Tracker Comment Comment on Code Analyzer False Negative by CFwatson U.
Tracker Comment Comment on Code Analyzer Migration Tool Update by CFwatson U.
Tracker Comment Comment on Code Analyzer False Negative by CFwatson U.
Tracker Comment Comment on Code Analyzer Migration Tool Update by CFwatson U.
Tracker Comment Comment on Code Analyzer False Negative by CFwatson U.
Security Analyzer (Update 2) - Misidentifying "Encrypted" files
Security Analyzer Does not warn about CFMX_COMPAT algorithms
Security Analyzer - Requires Server install as Trial/Enterprise
Tracker Issue Security Analyzer says encoded files have syntax errors
Security Analyzer - Does not flag incorrect EncodeFor Contexts
Tracker Issue Security Analyzer - Need to honor more cfparam types
Security Analyzer - Fails to detect variables in struct notation
Security Analyzer - Does not detect missing method on
Tracker Comment Comment on Security Analyzer - Incorrect SQLi by CFwatson U.
Tracker Comment Comment on Expose CFML code parsing rules in an open source and consumable way by External U.
2608688 CF-4023312 External U. The code analyzer already exists, it shouldn't be too hard to open that out and allow custom rules etc. The big win here I see is security scans, to look out for known vulnerability paths, enforce owasp top 10 etc
Would love this. I think it would open a lot up
Comment on Security Analyzer - addtoken and Secure Profile by External U.
). If we provide line number as a column in the security analyzer view and we don't update it then the double click would take me to the new line number whereas the line number column would contain the old line number. This results in an inconsistent state. Thus, we have to update the security analyzer
Tracker Issue Stop Encrypting the Administrator Code
2609632 CF-3818547 Administrator Adam Tuttle Stop Encrypting the Administrator Code Over the years, the majority of security issues for ColdFusion have been somewhere inside the /CFIDE/ and /CFIDE/Administrator/ folders. It's time to stop encrypting these. What is the point, anyway? If you decrypt
Tracker Comment Comment on Code Analyzer Migration Tool Update 2 by External U.
Tracker Comment Comment on Code Analyzer on Splendor cfusion wwwroot fails with 481 errors by HariKrishna K.
[ANeff] Bug for: Code Analyzer doesn't warn when assigning local to non-struct
Tracker Comment Comment on Code Analyzer Migration Tool Update 2 by External U.
Tracker Issue The Code Analyzer in ColdFusion11 wrongly reports GetMetaData as a new function when analyzing CF8.0 code
The Code Analyzer in ColdFusion11 wrongly reports GetMetaData as a new function when analyzing CF8.0 code
Tracker Comment Comment on Code Analyzer on Splendor cfusion wwwroot fails with 481 errors by External U.
Tracker Comment Comment on Code Analyzer Migration Tool Update 2 by CFwatson U.
Tracker Comment Comment on Code Analyzer Migration Tool Update 2 by CFwatson U.
Tracker Comment Comment on The Code Analyzer in ColdFusion11 wrongly reports GetMetaData as a new function when analyzing CF8.0 code by External U.
Comment on Security Analyzer - Secure with Credentials by External U.
[ANeff] ER for: use EFR for API Manager and Security Analyzer
Comment on Security Analyzer - Better information for HTMLEditFormat by External U.