A static code analysis tool for CFML.
License: BSD
Current Version: 1.5.x
See CHANGELOG.md for further information.
CFLint is a project developed and worked on by volunteers. When logging issues please, be nice and considerate. We're here to help. We really appreciate fixes and improvements, so feel free to talk to us and/or provide pull requests.
/src/main contains the source code. Tests can be found in /src/test. CFLint relies heavily on the CFParser project as well as a bunch of third-party Java libraries.
The master branch is considered our stable codebase. Most of the development happens in the dev branch resp. local development branches for specific issues.
-
Fork the repository into your account and clone or download the codebase as a zip-file.
-
Install the tooling of your choice and build via Gradle or Maven (deprecated). CFLint requires Java 8.
a. Gradle: execute
gradlew buildin the cflint directory
b. Maven: execute
mvn clean installin the cflint directory
Alternatively, import the CFLint codebase into the IDE of your choice and use its respectively Gradle/Maven integration. This should work out of the box for Eclipse and IntelliJ users.
Get the latest version from Maven Central or the CFLint GitHub release page or build the project.
If you want to use CFLint from within another Maven project, use:
<dependency>
<groupId>com.github.cflint</groupId>
<artifactId>CFLint</artifactId>
<version>1.4.0</version>
</dependency>Or always use the latest:
<dependency>
<groupId>com.github.cflint</groupId>
<artifactId>CFLint</artifactId>
<version>LATEST</version>
</dependency>With the binaries retrieved one or the other way, you can now use CFLint on the command line.
CFLint-1.5.0-all.jar
java -jar CFLint-1.5.0-all.jar -folder <baseFolder>
java -jar CFLint-1.5.0-all.jar -file <fullPathToFile>
java -jar CFLint-1.5.0-all.jar -help
Note: This is a work in progress, we're currently collating information from a variety of sources.
The simplest options for executing CFLint is via the command line. CFLint currently has a UI mode (triggered by -ui on the command line) which will be removed by the latest for CFLint 2.0 - see Issue #316. If you rely on the UI mode, you're unfortunately on your own - no more work will go into this from here onwards.
Alternatively to the command line, you can put .cflintrc files into certain directories. Configuring CFLint this way conceptually allows you to run specific rules in specific parts of your application.
CFLint currently supports JSON- and XML-based configuration. XML-based configuration is deprecated in CFLint 1.3.0 and will be removed in CFLint 2.0.
When CFLint executes, it scans and parses your code (using CFParser). The syntax tree is then being examined against a set of built-in rules.
In CFLint, those rules are called and implemented as plugins (they live in /src/main/java/com/cflint/plugins). By default, all rules will be used against your codebase. This is what a lot of people will do, but using configuration allows you to build a custom scenario to test your code against. See RULES.md for more information on rules and their meaning.
CFLint is opinionated and every release after 1.3.0 will never scan in directories starting with a . to prevent wasting time of hidden directories such as build configuration, module/library storage or version control information.
The default and global configuration file is /src/main/resources/cflint.definition.json. Common usage of CFLint usually does not require replacing this file.
Putting a .cflintrc file into a directory allows you to specify certain rules that should be executed for this directory and its children. Additionally, you can specify a handful of other properties.
An example .cflintrc file is shown below:
{
"rule": [ ],
"excludes": [ ],
"includes": [ {
"code": "FUNCTION_HINT_MISSING"
} ],
"inheritParent": false,
"parameters": { }
}-
ruleallows you add a plugin for this folder that is not listed in the global configuration. SeeruleImplincflint.definition.jsonfor examples. -
excludesandincludesallow you to specify an array of objects describing rules you want to be applied for this directory and its children. In the example above, the only rule to be checked for will be FUNCTION_HINT_MISSING. -
inheritParentconfigures if the rules set in the global or any parent configuration should be inherited as a base set of rules. -
parametersallows configuration of rules. See RULES.md for the parameters of each rule and their defaults. You must precede the parameter name with the rule name separated by a dot. -
Please note:
inheritPluginsandoutputwere marked deprecated in CFLint 1.2.0 and removed in 1.4.0. Plugin inheritance is now always treated as true since the team cannot see a use case in which it should be disabled. The output type can be controlled elsewhere, such as command-line flags.
We provide a schema with the deprecated properties excluded.
See Recipes for some usage examples of .cflintrc. Example files can be found by browsing the project test files.
Quite often there are scenarios in which you would generally want to run a certain set of rules against your code but in specific cases need to ignore an otherwise valid violation.
A common example are violations of CFQUERYPARAM_REQ that can't be fixed by applying <cfqueryparam> because your DB server doesn't allow params in certain positions (for instance in a SELECT something FROM #application.config.linkedServerName#.DefaultDatabase.dbo.Comment scenario). See Issue #282 for more examples.
CFLint offers an annotation-based configuration to deal with this and similar scenarios. Annotations can be placed on the component- or function-level in a CFC or inline with code.
<!---
@CFLintIgnore SOMETHINGELSE,MISSING_VAR,ANOTHERTHINGTOIGNORE
--->
Ignoring all rules on the current line:
//cflint ignore:line
Ignoring a specific rule (or a comma-separated list of rules) on the current line:
//cflint ignore:MISSING_VAR
Multiline ignore annotation:
/*
@CFLintIgnore SOMETHINGELSE,MISSING_VAR,ANOTHERTHINGTOIGNORE
*/
Within SQL, you can also use
<!--- @CFLintIgnore CFQUERYPARAM_REQ --->
to ignore a rule violation on the next line.
Configuration of which plugins are run and which rules are included starts with the global configuration and flows through the command line parameters, folder level rules, and down to the annotations within the source.
- global configuration
- custom configuration file (
-configfile, we do not encourage this option to be used in day-to-day operations of CFLint) - rule groups (
-rulegroups, default behavior is --rulegroups !Experimental) - includes/excludes from the command line (
-includeRuleand-excludeRule) - .cflintrc - folder level configuration, mostly for including/excluding specific messages
- annotations - explicitly exclude messages in the source code at the tag or line level.
The configuration rule that is closest to the rule is the one that takes effect.
- If an annotation excludes a message, it will not fire regardless of any configuration above it.
- If you exclude a rule at the command line level, but a
.cflintrcadds it back in, it will fire for source files in that part of the source tree. - If you are passing in multiple parameters at the command line level, in Windows Powershell the parameters must be included in "double quotes", e.g.
-includeRule "MISSING_VAR,CFQUERYPARAM_REQ"
CFLint supports a variety of reporting and output options that you can control via command-line flags. Beyond the targeted output formats of Text, XML, JSON or HTML you can also run CFLint with options for quiet, verbose and debug output.
If no targeted output format is specified at all, CFLint will default to creating an HTML report in the file cflint-result.html.
You can force CFLint's output behavior to stdout and stderr by specifying options for quiet, verbose and debug. If you do not specify either, CFlint will return basic internal information and error output to stdout and stderr.
Quiet mode (-quiet <boolean>) suppresses most of the output CFLint would otherwise create during linting. This might contain actual errors and exceptions but also information like the termination of recursive template parsing or certain configuration issues. Do not run quiet mode if you likely will need assistance with error messages or want to understand better what CFLint is doing.
This is the minimum output mode you can run CFLint in and the feature was originally inspired by Issue #4.
There might be occasional messages from CFParser and ANTLR being pushed into stderr at this stage - even though CFlint runs in quiet mode. This is a known issue and will be addressed in the future.
Verbose mode (-verbose <boolean>) enables verbose linting output. This contains information on selected output formats and configuration files being found and processes during linting as well as the currently processed file CFLint is working on (showing only files that are actually scanned).
If you want more information about the inner workings of CFLint during execution, verbose mode is the minimum you should run CFLint in.
Debug mode (-debug <boolean>) enables debug output. Debug mode implies verbose mode but adds additional information such as the parser tokens and every processed file (regardless of being supported by your or the default extension list) into the output streams.
It is possible to switch on and run quiet, verbose and debug modes together at the same time. This is partly intended as you might not want to see error information being suppressed by quiet mode, but still want so see certain information being shown in verbose mode. Please take this behavior with a grain of salt though - there might be the odd scenario in which combining -quiet, -verbose and -debug causes unusual output.
The exception is debug mode. In debug mode, CFLint will always ignore user settings for verbose and quiet and set verbose to true and quiet to false.
The flag -html instructs CFLint to create an HTML document. The full syntax is:
-html -html <outputFileName>
The flag -xml instructs CFLint to create XML. There are two options for XML reporting.
The first option is what we call CFLint XML. It's an internal format that adheres to a basic schema provided here. You could then use this format as-is or to do further processing of your choice.
The second option is FindBugs XML. The resulting XML document adheres to the current version of the FindBugs BugCollection XML Schema Definition and can be used in most CI-/Build-Server products. JetBrains TeamCity 10+ can import this format out of the box.
Please note: Currently it's not possible to produce BOTH flavors of XML reports at the same time. This is a known limitation. This limitation will be removed as part of CFLint 2.0 (see Issue #331).
To create CFLint XML provide the following command-line arguments:
-xml -xmlstyle cflint -xmlfile <outputFileName>
Example of CFLint XML:
<?xml version="1.0" encoding="UTF-8" ?>
<issues version="1.2.1" timestamp="1500107134">
<issue severity="WARNING" id="CFQUERYPARAM_REQ" message="CFQUERYPARAM_REQ" category="CFLint" abbrev="CR">
<location file="/Users/kai/Documents/Code/paypal.cfc" fileName="paypal.cfc" function="doSomething" column="0" line="325" message="<cfquery> should use <cfqueryparam/> for variable 'arguments.PaymentType'." variable="arguments.PaymentType">
<Expression><![CDATA[<cfquery name="doPayment" datasource="#paymentDatasource#">...some more Details...]]></Expression>
</location>
</issue>
<issue severity="WARNING" id="CFQUERYPARAM_REQ" message="CFQUERYPARAM_REQ" category="CFLint" abbrev="CR">
<location file="/Users/kai/Documents/Code/paypal.cfc" fileName="paypal.cfc" function="doSomethingElse" column="0" line="432" message="<cfquery> should use <cfqueryparam/> for variable 'arguments.something'." variable="arguments.something">
<Expression><![CDATA[<cfquery name="doPayment" datasource="#paymentDatasource#">...some more Details...]]></Expression>
</location>
</issue>
...
<counts totalfiles="108" totallines="55596">
<count code="CFQUERYPARAM_REQ" count="39"></count>
<count severity="WARNING" count="39"></count>
</counts>
</issues>To create FindBugs XML provide the following command-line arguments:
-xml -xmlstyle findbugs -xmlfile <outputFileName>
The FindBugs XML format is currently created using an XSLT document, transforming the CFLint report to FindBugs XML (/src/main/resources/findbugs/cflint-to-findbugs.xsl).
JSON output can be created with
-json -jsonfile <outputFileName>
Example of CFLint JSON:
{
"version" : "1.2.1",
"timestamp" : 1501202128,
"issues" : [ {
"severity" : "ERROR",
"id" : "MISSING_VAR",
"message" : "MISSING_VAR",
"category" : "CFLINT",
"abbrev" : "MV",
"locations" : [ {
"file" : "src/test/resources/com/cflint/tests/Ignores/ignoreCFMLAny2.cfc",
"fileName" : "ignoreCFMLAny2.cfc",
"function" : "testFunction",
"column" : 6,
"line" : 14,
"message" : "Variable someVar is not declared with a var statement.",
"variable" : "someVar",
"expression" : "someVar"
} ]
} ],
"counts" : {
"totalFiles" : 7,
"totalLines" : 49,
"countByCode" : [ {
"code" : "MISSING_VAR",
"count" : 1
} ],
"countBySeverity" : [ {
"severity" : "ERROR",
"count" : 1
} ]
}
}The JSON schema is available here.
Plain text output can be created with
-text -textfile <outputFileName>
Example of plain text output:
Issue
Severity:WARNING
Message code:CFQUERYPARAM_REQ
File:/Users/kai/Documents/Code/paypal.cfc
Column:0
Line:79
Message:<cfquery> should use <cfqueryparam/> for variable 'arguments.something'.
Variable:'arguments.something' in function:
Expression:<cfquery name=\"qry\" datasource=\"#variables.dsn#\" cachedwithin=\"#createTimeSpan(0,0,arguments.cacheInMins,0)#\">\r\n...some Details...
Severity:WARNING
Message code:CFQUERYPARAM_REQ
File:/Users/kai/Documents/Code/paypal.cfc
Column:0
Line:145
Message:<cfquery> should use <cfqueryparam/> for variable 'arguments.something'.
Variable:'arguments.something' in function:
Expression:<cfquery name=\"qry\" datasource=\"#variables.dsn#\" cachedwithin=\"#createTimeSpan(0,0,arguments.cacheInMins,0)#\">\r\n...some Details...
...
Total files:108
Total lines:55690
Issue counts:1
CFQUERYPARAM_REQ:4
Total issues:4
Total warnings:4
To interact directly with CFLint within the JVM use the CFLint API.
import com.cflint.api.CFLintAPI;
import com.cflint.api.CFLintResult;
CFLintAPI api = new CFLintAPI();
CFLintResult result = api.scan(filename);
String jsonResult = result.getJSON();For Jenkins, please look at the Jenkins/Hudson plugin mentioned further below.
JetBrains' TeamCity has support for FindBugs XML code inspection reports. They can be produced out of the box with CFLint from 1.2.0 onwards (see above in the FindBugs XML section).
There is support for SonarQube through StepStone's Sonar ColdFusion plugin mentioned further below.
For Azure DevOps/TFS, please look at the Azure Pipeline/TFS Build extension mentioned further below.
There's an NPM wrapper for CFLint below. Please be aware that the wrapper seems to come with its own bundled CFLint binary which might not be up-to-date, which is outside of our control.
Other products in the integration/build server category might work, too. If you're using a specific product that works for you with CFLint, please let us know. If you can't get CFLint to work in an environment you use, please let us know as well - we might be able to help.
There are several IDE integrations for CFLint that are available. Below are some brief descriptions, but if you'd like to know more, see Interesting third-party projects.
There is IDE support for Sublime Text 3 through a third-party project utilizing SublimeLinter.
There is also support for Adobe ColdFusion Builder through a third-party project. Users of CFBuilder, please also see the discussion in Issue #327.
Users of Atom can integrate via AtomLinter through a third-party project.
An extension for Visual Studio Code is also available as a third-party project.
Support for JetBrains' IntelliJ is available as third-party plugin.
package com.cflint.plugins.core;
import net.htmlparser.jericho.Element;
import cfml.parsing.cfscript.script.CFFuncDeclStatement;
import cfml.parsing.cfscript.script.CFFunctionParameter;
import cfml.parsing.cfscript.script.CFScriptStatement;
import com.cflint.BugList;
import com.cflint.plugins.CFLintScannerAdapter;
import com.cflint.plugins.Context;
import com.cflint.tools.CFTool;
public class ArgDefChecker extends CFLintScannerAdapter {
@Override
public void expression(final CFScriptStatement expression, final Context context, final BugList bugs) {
if (expression instanceof CFFuncDeclStatement) {
final CFFuncDeclStatement function = (CFFuncDeclStatement) expression;
for (final CFFunctionParameter argument : function.getFormals()) {
// handler.addArgument(param.getName());
final String name = argument.getName();
if (!argument.toString().contains("required") && !argument.toString().contains("=")) {
function.getLine();
function.getColumn();
context.addMessage("ARG_DEFAULT_MISSING", name);
}
}
}
}
@Override
public void element(final Element element, final Context context, final BugList bugs) {
if (element.getName().equals("cfargument")) {
final String name = element.getAttributeValue("name");
final boolean required = CFTool.toBoolean(element.getAttributeValue("required"));
final String defaultExpr = element.getAttributeValue("default");
if (!required && defaultExpr == null) {
element.getSource().getRow(element.getBegin());
element.getSource().getColumn(element.getBegin());
context.addMessage("ARG_DEFAULT_MISSING", name);
}
}
}
}Looking at the function element, the arguments are:
element- the current CFML tagcontext- the current file being checkedbugs- the appending object of violations
The easiest way to achieve this is with a custom .cflintrc file:
The includes field is ignored if it is an empty list, so simply add a single item to it for which nothing matches.
{
"code" : "NOTHING"
}or more simply:
{}The following will ignore all rules in the current folder and below.
{
"rule" : [ ],
"excludes" : [ ],
"includes" : [ {} ],
"inheritParent" : false,
"parameters" : {}
}This can be simplified using the default values of a .cflintrc file:
{
"includes" : [{}],
"inheritParent" : false
}See the discussion in Issue #290 for more info.
Parameters within the rules can be overridden in the .cflintrc files. Use the rule name and the parameter joined with a dot.
{
"parameters" : {
"VariableNameChecker.maxLength": "15"
}
}Supply a cflintexclude.json file in the command line with the -filterFile argument.
To filter out the GLOBAL_VAR messages in the "some\package\location" folder, add the following to cflintexclude.json
[
other exclude rules...,
{"file":".*some\\\\package\\\\location\\\\.*","code":"GLOBAL_VAR"}
]
Note: The back slashes must be escaped twice, once for JSON, once for regular expressions
[
other exclude rules...,
{"file":".*some/package/location/.*","code":"GLOBAL_VAR"}
]
Raise issues here on GitHub and we will look at them.
The CFML Slack team has a #cflint channel you can join and talk to most of the regular contributors and other users.
See CONTRIBUTING.md for further information.
Please note that the majority of the libraries and projects mentioned here are not directly related to and maintained by the CFLint team. Please see the authors and maintainers of the respective project for support using their libraries first.
- Jenkins/Hudson plugin
- Sublime Text package
- ColdFusion Builder extension
- Atom package
- Visual Studio Code extension
- IntelliJ plugin
- Azure Pipeline/TFS Build extension
- SonarQube plugin
- NPM wrapper
- Vim Syntastic support for CFLint
- IntelliJ IDEA Ultimate plugin
If you have been working on (or are thinking about starting) a project related to CFLint, please let us know. We're happy to include relevant third-party projects to the list above.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent