A little while ago, I added VarScoper to my ANT build script. That was something I had wanted to do for a long time, and it was silly easy. I also wanted to add QueryParam Scanner, but it was a bit trickier. Today I spent some time with it and whipped up a pretty decent solution, if I do say so myself. I dropped the application into the root of a ColdFusion instance. Then I interacted with it through my browser and watched which parameters are posted when the scan request is made. I gathered up all the options and made an ANT build script that posts to the QueryParam Scanner application and parses the XML for the result.
I took my working script and removed everything but the stuff for QueryParam Scanner: qpscanner-build.xml.txt. At the top of the file are configuration options. At the bottom is a sample ANT task that does the work. I added an option for whether the build should report a failure if any alerts are returned. Simple, right?
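The part of the script worth getting right is the gate at the end: turning the scanner's XML result into a pass/fail decision for the build. The following is an added example, not the post's qpscanner-build.xml or any code from the QueryParam Scanner project. The page does not show the scanner's XML schema, so the element names used here (`results`, `alert`, and the `file`/`line` attributes) and the sample response are constructed assumptions; the function names `parse_alerts` and `build_status` are mine. The idea is that an ANT target could run this with `<exec failonerror="true">` after saving the scanner's response to a file, so that an unparameterized `cfquery` (the SQL injection risk QueryParam Scanner looks for) breaks the build when the fail-on-alerts option is set.

```python
"""Gate a build on QueryParam Scanner results.

Added example, not the post's script. The scanner's real XML schema is not
shown on the page, so <results>, <alert> and the file/line attributes below
are an assumed shape; adapt them to the actual response.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample response in the assumed shape: one <alert> per cfquery
# that interpolates a variable without a cfqueryparam.
SAMPLE_XML = """<results scanned="3">
  <alert file="/app/user.cfm" line="12">SELECT * FROM users WHERE id = #url.id#</alert>
  <alert file="/app/search.cfm" line="40">... WHERE name LIKE '%#form.q#%'</alert>
</results>
"""


@dataclass(frozen=True)
class Alert:
    file: str
    line: int
    query: str


def parse_alerts(xml_text: str) -> list[Alert]:
    """Extract every <alert> element from the (assumed) scanner response."""
    root = ET.fromstring(xml_text)
    return [
        Alert(a.get("file", "?"), int(a.get("line", "0")), (a.text or "").strip())
        for a in root.iter("alert")
    ]


def build_status(xml_text: str, fail_on_alerts: bool) -> int:
    """Return the process exit code: 1 breaks an <exec failonerror="true"> task.

    Alerts are always reported on stderr; they only fail the build when the
    caller asked for that, mirroring the post's configurable option.
    """
    alerts = parse_alerts(xml_text)
    for a in alerts:
        print(f"{a.file}:{a.line}: unparameterized query: {a.query}", file=sys.stderr)
    if alerts and fail_on_alerts:
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python qpscanner_gate.py response.xml [--fail-on-alerts]
    # Without a file argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    sys.exit(build_status(text, "--fail-on-alerts" in sys.argv))
```

Keeping the report and the fail decision separate means a build can run the scanner in report-only mode at first and flip to failing once the existing alerts have been cleaned up, which is usually how a new static check gets introduced into an established code base.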
I should mention that this build requires the ant-contrib library for the post task. Other than that, it's stock ANT from Apache. Also, the author of QueryParam Scanner, Peter Boughton, has the source in a Git repository on Github.
Posted 6/19/11 @ 5:51 PM by Joseph Lamoree