
The latest development version of qpScanner is now in SVN at RIAForge.
It would be great if people could test it out and let me know of any issues they encounter.
As before, it is all self-contained, so it can be installed and run with minimal effort.
Note: As this is still the development version, you need to use the zip option at the bottom of the RIAForge page, not the "Download Project" link - the button will only give the old version.
When released, v0.7 will be a significant new version, so here is a quick discussion of the new features.
Due to some awful code, v0.6 wasn't very fast - taking approximately 2 minutes to scan 1331 files.
With v0.7 things are much improved, and the same set of files takes 2-3 seconds to scan.
(Obviously performance will vary depending on files scanned plus the machine and CFML engine you use.)
Previously, code such as <cfelseif doSomething("like#this#")> - where hashes are used inside CF tags - was reported as a risk. This has now been fixed, so there should be fewer (if any) false positives.
In addition to HTML output, you can now also specify XML or WDDX, to help handle the results with external tools.
You can now specify a Regular Expression to determine files or directories to exclude.
A bit crude, but it works. I intend to extend this feature in future versions, to allow easier management and to skip known metadata (e.g. .svn directories).
With v0.7 you can choose to ignore Query of Queries, which are less likely to be a risk.
You can also choose to ignore functions that return 'safe' values, such as #Now()#, #Val(...)#, #ArrayLen(...)#.
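To make the three detection rules above concrete (hashes inside CF tags outside a query are not a risk, Query of Queries can be skipped, and 'safe' function calls can be skipped), here is an added example written for this post in Python; it is not qpScanner's own code, and the CFML input is constructed to exercise each rule.

```python
import re

# Constructed sample CFML (not from any real project) covering: a hash inside a
# CF tag outside any query, a real unparameterised variable, 'safe' function
# calls, a Query of Queries, and a query that is correctly parameterised.
SAMPLE_CFML = """
<cfelseif doSomething("like#this#")>
<cfquery name="getUser" datasource="app">
    SELECT * FROM users WHERE id = #url.id#
      AND created < #Now()#
      AND age > #Val(form.age)#
</cfquery>
<cfquery name="filtered" dbtype="query">
    SELECT * FROM getUser WHERE name = #form.name#
</cfquery>
<cfquery name="safe" datasource="app">
    SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

# Functions whose return values cannot carry attacker-controlled strings
SAFE_FUNCTIONS = ("now", "val", "arraylen")

QUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
HASH_RE = re.compile(r'#([^#]+)#')

def is_safe_expression(expr):
    """True when the #...# expression is a call to a function with a 'safe' return value."""
    m = re.match(r'\s*([A-Za-z_]\w*)\s*\(', expr)
    return bool(m) and m.group(1).lower() in SAFE_FUNCTIONS

def scan(cfml, ignore_qoq=True, ignore_safe_functions=True):
    """Return (query name, expression) pairs that are unparameterised and therefore a risk.
    Only text inside <cfquery> blocks is examined, so hashes in other CF tags are never reported."""
    findings = []
    for attrs, body in QUERY_RE.findall(cfml):
        name = re.search(r'name\s*=\s*"([^"]*)"', attrs, re.IGNORECASE)
        qname = name.group(1) if name else "(unnamed)"
        if ignore_qoq and re.search(r'dbtype\s*=\s*"query"', attrs, re.IGNORECASE):
            continue
        # Remove parameterised values first so their #...# are not counted as risks
        body = PARAM_RE.sub("", body)
        for expr in HASH_RE.findall(body):
            if ignore_safe_functions and is_safe_expression(expr):
                continue
            findings.append((qname, expr.strip()))
    return findings
```

With the defaults only `url.id` in `getUser` is reported; passing `ignore_qoq=False` or `ignore_safe_functions=False` shows what the v0.6-style stricter output would add.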
It is now possible to override the default Request Timeout setting. If the scanner times out before finishing it will still return what it found up until that point.
This is not yet in SVN, but it will be a part of the final v0.7 release.
I will be writing an entire blog entry about the CFEclipse plugin and my experiences in developing it (my first Eclipse plugin), but to quickly summarise: the plugin will allow you to conveniently scan files, directories, or projects from within CFEclipse, and it will support ad hoc configurations being set up per project.
I had hoped to have auto-fixing with the next release, but it is not ready yet. Rather than make people wait for the improvements I've already made, I decided to postpone auto-fixing until the following version.
If you have any problems or questions, please add a comment, or visit the QueryParam Scanner project page for contact details.