Unable to get Veracode to recognise our Lucee WAR files (with compiled Lucee code) as ColdFusion WARs. What structure should the WAR have for Veracode to detect it as CF (so cfc/cfm files are scanned)?

We recently migrated from ColdFusion to Lucee, and we have an agreement with Adobe to uninstall ColdFusion from our machines (as the license has expired), so we can’t use cfcompile.exe or CF Admin to package the WAR files.

We have kept the Lucee code as similar to Adobe ColdFusion as possible (so Veracode can recognise it as ColdFusion). We also found that CommandBox has the capability to do something similar to cfcompile.exe, but this software is not approved (and we are an enterprise company, so it will take weeks to approve).

As Veracode is a mandatory step in our release process, we need to know if we can structure the WAR in such a way that Veracode will recognise it as Adobe ColdFusion.

FYI, the alternative, less efficient approach is to do trial and error (via static scans) to determine how Lucee detects the WAR as ColdFusion. Hopefully you will have a definitive approach so we don’t have to go down this route.

OS: Windows 10
Java Version: Java 11
Tomcat Version: Tomcat 9
Lucee Version: 5.3.6.61

This is a Veracode issue, as Adobe WAR files are digitally fingerprinted by Adobe and Veracode checks for the fingerprint among other items.

I would reach out to Veracode support and start the support process to have them support Lucee.
