tracker issue : CFB-4130071

select a category, or use search below
(searches all categories and all time range)

Security Analyzer Fails Silently when not using builtin server

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Peter Freitag / Peter Freitag (Peter Freitag)

Created: 03/18/2016

Components: Security Code Analyzer

Versions: 2016

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Beta2_v31 / (in b

Priority/Frequency: Minor / Some users will encounter

Locale/System: English / Win All

Vote Count: 0

Problem Description:

When you have a server setup with secure profile and try to use the security analyzer with it, the security analyzer fails silently. The request to the CF server was sent by builder but results in a 404.

Steps to Reproduce:

I installed Raijin server using secure profile, then installed Blizzard on the same serevr and did not check the box to install a builtin ColdFusion server with Blizzard.

In Blizzard I added a local server mapping pointing to my existing Raijin server. I then right clicked on a file with an obvious SQL injection vulnerability. 

No errors are reported and the security analyzer reports 0 issues.

Actual Result:

When I run security analyzer nothing happens no error is reported and  the user may think that there are no security issues in their code.

Expected Result: 

Expect an error to say security analyzer is not enabled or available on your ColdFusion server.

Any Workarounds:


----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4130071

External Customer Info:
External Company: Foundeo Inc.
External Customer Name: Peter Freitag
External Customer Email: PETE@FOUNDEO.COM
External Test Config:



Added By:prk Note Added: Getting proper error message, when profile is pointed to production, secure and development. Fix will be available from next major release. Thanks, Priyatharsini Date Added :2016-01-25 07:17:09.0 Added By: PreRelease User User Name:Peter Freitag Note Added: That is understood and I'm glad it only works in development profile. But... The bug is that Builder just fails silently in this case. It should say that it failed (gets a 404). Instead it leaves the user with an empty report, the user will assume that there are no security issues in the code since the report is empty. Date Added :2016-01-13 21:07:06.0 Added By:prk Note Added: Security Analyzer module can be invoked only in development profile, assuming projects with security issues will not be moved to "security production profile". Hence, the secure profile is not enabled for "secure profile". Date Added :2016-01-13 02:57:46.0 Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-01-08 19:48:11.0
Comment by CFwatson U.
26555 | March 18, 2016 05:24:32 AM GMT