Skip to main content

ColdFusion packaging

Your ColdFusion applications must meet specific compilation requirements before you can submit them for scanning.

See Supported languages and platforms for instructions for other platforms.

Required files

Veracode requires:

  • All binary executables
  • All required libraries
  • The complete debug information for the application

Supported ColdFusion versions

ColdFusionDeployed as Java7–11, 20167–11, 2016 (cfcompile.exe)

Compilation guidance

Veracode analyzes ColdFusion applications you compile into Java. To prepare your application:

  1. Compile the ColdFusion code into Java.
  2. Build a Java Web Archive (WAR) file for uploading to Veracode.

To compile your application CFML files to Java classfiles, use the cfcompile utility with the -deploy option. On Windows, you can usually find this utility installed in c:\coldfusion8\bin or c:\coldfusion9\bin. This sample command line compiles a ColdFusion application to Java:

"c:\coldfusion8\bin\cfcompile" -deploy c:\mycfwebroot c:\mycfapp c:\mycfappbin

This sample command compiles all CFML files in c:mycfapp and places them in c:mycfappbin.


The filenames of the generated classfiles are identical to the source filenames. Ensure the last parameter is a different location than the source directory so that you do not overwrite the source files.

The cfcompile utility may not correctly process application pathnames with spaces. For this step to succeed, you may have to rename your application path without spaces.

Building the compiled ColdFusion application into a WAR file ensures that Veracode has the proper context for analyzing your application. To build a WAR file for deployment on an application server:

  1. Sign in to ColdFusion Administrator.

  2. Choose Packaging and Deployment > J2EE Archives.

  3. Add a new archive of type WAR. The application directory is the location of the compiled application, for example: c:\\mycfappbin.

  4. Place the finished WAR archive in the distribution directory.

  5. Add any related data sources.

  6. Clear the Include CFML Source checkbox.

  7. Clear the Include CF Administratorcheckbox.

  8. Clear the Disable Debugging checkbox.

  9. Submit and wait for the WAR packaging to complete.

    The resulting WAR file might be large, at least 100 MB.

  10. Upload the resulting WAR file to Veracode.