How Does Fixinator Work - foundeo/fixinator GitHub Wiki

Fixinator operates in a client / server model. The client gathers the code to scan, sends it to the server and then formats the results. The server does the actual processing of the code to look for issues.

What does the Fixinator Client do?

The fixinator client source code is fully open source and can be found here. The client is packaged so that it can be run from the CommandBox CLI, but since it is all written in CFML, you could also build your own applications or tools that use fixinator if you wanted to.

  • Run Scan - the client accepts the file path and config.
  • Determine Files - based on the config it builds an array of files to scan.
  • Batch Files into Chunks - the client then creates batches of files that can be sent to the server. A batch is limited to 35 files / 512 KB.
  • Batches are sent to a Fixinator server.
  • Results are aggregated and displayed in the CLI or written to a report file.

How many files can I scan with 1000 API Requests?

Each scan request can contain up to 35 files, so the upper limit is 35,000 files scanned with 1000 API requests. However, if you have a lot of large files, or you are only scanning one file at a time (rather than an entire directory), the minimum number of files scanned with 1000 API requests is 1000 files. So with 1000 API requests you could scan anywhere from 1,000 to 35,000 files.

What does the Fixinator Server do?

Unlike the client, the fixinator server is not open source. You can either use our Hosted / Cloud Based Fixinator server or you can run the server on your own premises with an enterprise license.

  • Server Accepts a Scan Request
  • Parses the CFML and runs it through a number of different scanners
  • Returns scan results as JSON

Does the Cloud Based Server Store My Code?

No, the scanning is done in memory, so your code is disposed of once the request completes. Further, the cloud-based server runs in an AWS Lambda serverless architecture. This means that the entire server instance your scan runs on is terminated / recycled / disposed of within an hour or so. Sorry, no offense, but we don't want your code!

The cloud-based fixinator server always uses HTTPS, allowing for encryption and perfect forward secrecy (forward secrecy depends on the cipher suites your client JVM version/config negotiates). Further, the TLS private key is managed by AWS Certificate Manager, which follows best practices for key management and encryption.

Because some organizations, such as government organizations, may not allow any assets outside the internal network, we also allow you to run it on your own server - see below.

Can I run fixinator on my own server?

Yes, this requires an Enterprise License.

What are the requirements for running Fixinator on my own server?

Fixinator can run on Lucee 5+ or Adobe ColdFusion 2016, 2018+. It can run on any operating system that CF can run on (Windows, Linux, Mac, etc). There are no external dependencies or databases to set up; just drop a folder in a web root.