
Veracode Compilation Instructions for ColdFusion

This document is for customer-licensed Veracode SAST. Last checked and updated 11-Jan-2018.

Required Files

The Veracode Platform requires all binary executables, all required libraries, and the complete debug information for the application.

Supported ColdFusion Versions

| Language | Platform | Version | Compiler |
| --- | --- | --- | --- |
| ColdFusion | Deployed as Java | 7, 8, 9, 10, 11 | 7, 8, 9, 10, 11 (cfcompile.exe) |

Compilation Guidance

Veracode analyzes ColdFusion applications that are compiled to Java. This compilation is a two-step process:

  1. Compile ColdFusion code into Java.
  2. Build a Java Web Archive (WAR) file for uploading to Veracode.

To compile your application’s CFML files to Java classfiles, use the cfcompile utility with the -deploy option. On Windows, this utility is generally installed in c:\coldfusion8\bin or c:\coldfusion9\bin. The following is a sample command line for compiling a ColdFusion application to Java:

"c:\coldfusion8\bin\cfcompile" -deploy c:\mycfwebroot c:\mycfapp c:\mycfappbin

This command compiles all CFML files in c:\mycfapp and places them in c:\mycfappbin.

Note: The filenames of the generated classfiles are identical to the source filenames. Ensure the last parameter is a different location than the source directory so that you do not overwrite the source files.

It is also important to note that the cfcompile utility may not correctly process application pathnames with spaces. You may have to rename your application path without spaces for this step to succeed.
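The following pre-flight and post-compile check is an added example, not code from Veracode or Adobe. It flags the two path problems described above and then confirms that each file in the output directory is Java bytecode (class files begin with the bytes CA FE BA BE) rather than a missing or copied source file. The function names, the .cfm/.cfc extension list, and the assumption that the output directory mirrors the source layout are illustrative.

```python
import os
import tempfile

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file
CFML_EXTENSIONS = (".cfm", ".cfc")      # assumption: the CFML file types in the app

def _norm(path):
    # Windows paths are case-insensitive, so normalise before comparing.
    return os.path.normcase(os.path.abspath(path))

def check_paths(src_dir, out_dir):
    """Return problems with the source/output directories passed to cfcompile."""
    problems = [f"path contains a space: {p!r}" for p in (src_dir, out_dir) if " " in p]
    if _norm(src_dir) == _norm(out_dir):
        problems.append("output equals source directory: sources would be overwritten")
    return problems

def uncompiled_files(src_dir, out_dir):
    """Return CFML files from src_dir whose same-named file in out_dir is missing
    or is not Java bytecode (assumes out_dir mirrors src_dir's layout)."""
    bad = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            if not name.lower().endswith(CFML_EXTENSIONS):
                continue
            rel = os.path.relpath(os.path.join(root, name), src_dir)
            try:
                with open(os.path.join(out_dir, rel), "rb") as fh:
                    compiled = fh.read(4) == JAVA_CLASS_MAGIC
            except OSError:
                compiled = False
            if not compiled:
                bad.append(rel.replace(os.sep, "/"))
    return sorted(bad)

def demo():
    """Build a constructed sample tree and return the files flagged in it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out = os.path.join(tmp, "mycfapp"), os.path.join(tmp, "mycfappbin")
        os.makedirs(os.path.join(src, "sub"))
        os.makedirs(os.path.join(out, "sub"))
        for rel in ("index.cfm", "sub/util.cfc", "missing.cfm"):
            with open(os.path.join(src, rel), "w") as fh:
                fh.write("<cfoutput>constructed sample</cfoutput>")
        with open(os.path.join(out, "index.cfm"), "wb") as fh:
            fh.write(JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")  # compiled stand-in
        with open(os.path.join(out, "sub/util.cfc"), "w") as fh:
            fh.write("<cfcomponent></cfcomponent>")           # source copied by mistake
        return uncompiled_files(src, out)
```

Run `check_paths` before invoking cfcompile and `uncompiled_files` afterwards; an empty list from each means the output directory is ready to be packaged.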

Building the compiled ColdFusion application into a WAR file ensures that the Veracode scan engine has the proper context for analyzing your application. To build a WAR file for deployment on an application server:

  1. Log in to ColdFusion Administrator.
  2. Choose Packaging and Deployment > J2EE Archives.
  3. Add a new archive of type WAR. The application directory is the location of the compiled application (c:\mycfappbin in the example above). The distribution directory is where the finished WAR archive will be placed.
  4. Add any related data sources.
  5. Deselect Include CFML Source.
  6. Deselect Include CF Administrator.
  7. Deselect Disable Debugging.
  8. Submit and wait for the WAR packaging to complete.

The resulting WAR file will be fairly large (at least 100MB). Upload the resulting WAR file to the Veracode Platform.