Earlier this week I promoted the release candidate for 0.7.5 of QueryParam Scanner
to full release.
For anyone unaware, QueryParam Scanner is a simple tool for identifying
unparameterised variables in CFML queries (which may indicate a potential SQL
This version has a handful of bug fixes and code cleanups, resulting in faster
more accurate scanning than previous versions, plus the addition of JSON output
format, giving a more lightweight option if used in scripted processes.
For further details on these, see the previous RC article; other than
a couple of trivial fixes and a new readme, nothing has changed since that.
To download the latest version, you can either clone the git repo, or
grab it as a zip archive from the GitHub tags page.
For any feedback, problems, or questions, please use the issue tracker.
I have just pushed an update of QueryParam Scanner to GitHub, containing
This update is on the rc0.7.5 branch, and it'd be nice if people could
take it for a spin and make sure there are no issues with it. (There is a
zip download for anyone without git.)
The visible changes which you might notice are:
- Added JSON output format, giving an alternative to XML for anyone using
qpscanner in a scripted process.
- Added variable for number of potential risk files, and improved related
wording in HTML output.
- Fixed bug where identical queries were causing incorrect line numbers.
- Fixed bug where query names were not being detected.
- Fixed bug where blank lines were incorrectly removed.
However, there are also significant under-the-hood changes. I removed my
obsolete "Java Regex Utils" library (replacing it with the object part of
cfRegex), and made a number of little code clean-ups.
A result of these changes is that qpscanner rc0.7.5 appears to be almost twice
as fast as previous versions.
If you have any feedback, please feel free to contact me via GitHub,
and similarly if you find any bugs then please raise them on the issue tracker.
The first pre-release version of the qpScanner Eclipse Plugin is now available.
This is the very first Eclipse plugin I have created. It was an interesting
experience, and something that I will be writing up in a separate entry as soon
as I can collect my thoughts.
It order to use the plugin, you must be using v0.7 or higher of qpScanner -
if you do not yet have this, you can download the
development version of qpScanner, which contains details of the Update Site
to use. If for any reason you cannot use the regular Eclipse Update method, you
can directly download the qpScanner Eclipse Plugin instead.
Just to be clear, both v0.7 of QueryParam Scanner and v0.1 of the qpScanner
Eclipse Plugin are currently considered development releases, and are being made
available so that they can be tested and any bugs that might exist can be found
- if you are unwilling to use pre-release software you should wait until the
If you do get the Eclipse Plugin, or even just qpScanner on its own, I
welcome any and all feedback you might have - whether to report bugs you have
found, request new features you would like, or simply to let me know that works
with your local setup.
Please send feedback via the GitHub Issue system.
The latest development version of qpScanner is now in SVN at RIAForge.
It would be great if people could test it out and let me know of any issues they encounter.
As before, it is all self-contained, so it can be installed and run with minimal effort.
Note: As this is still the development version, you need to use the zip option at the bottom of the RIAForge page, not the "Download Project" link - the button will only give the old version.
When released, v0.7 will be a significant new version,
so I want to give a quick discussion of the new features...
The code for my QueryParam Scanner
has been uploaded to RIAForge.
QueryParam Scanner is a simple tool which scans your code for queries and
reports back about any variables that are not inside
Download QueryParam Scanner from RIAForge.