
Fixinator Version 6 Released

Published on March 04, 2025
By Pete Freitag
coldfusion

I’m extremely pleased to announce the release of Fixinator version 6.0.0!

In 2024, there were 7 releases of the Fixinator scanning engine. Version 6.0.0 marks the second release of 2025 already! Thanks to the many customers of Fixinator over the past few years, it continues to improve at a rapid pace.

Without further ado, here’s what’s new in Fixinator 6…

ColdFusion 2025 Compatibility Scanning

Back in October of 2024, I added support for compatibility scanning in Fixinator. It currently supports scanning for both ColdFusion and Lucee compatibility issues in your code.

Lots of work went into the ColdFusion compatibility scanner in Fixinator version 6 in order to detect the newly deprecated or removed features of ColdFusion 2025. Here’s a short list of some of the compatibility issues that Fixinator can now detect:

  • Removal of parameterExists
  • Removal of htmlEditFormat
  • Legacy Script components (such as query(), http(), etc.)
  • Axis 1 Usage
  • Removal of the statustext attribute in cfheader
  • Removal of support for templates encoded with cfencode
  • Removal of CFMX_COMPAT algorithms
  • Removal of COM object support
  • Removal of several old UI tags
  • Removal of certain attributes or attribute values

You can run a ColdFusion 2025 compatibility scan in Fixinator like this:

fixinator path=c:\code goals=compatibility engines=adobe@2025

Here's an example result:

Screenshot of Fixinator ColdFusion 2025 compatibility scanner

Besides detecting over two dozen different ColdFusion 2025 compatibility issues in Fixinator 6, there are some other nice features as well.

Updated Reporting

Some cleanup was made to the HTML and PDF reports. They now include the scanned path. PDF and HTML reports are now sorted by severity by default, showing you the highest severity items first.

This change is in line with how I approach mitigating security issues in an application. I prefer to resolve issues that are most critical first, then work down to resolve the less critical issues.

Known JavaScript Vulnerability Reporting Improved

In previous versions of Fixinator if a JavaScript file had multiple known vulnerabilities, each vulnerability was listed as a different finding. In version 6, the known vulnerabilities for a single JavaScript file are merged into one finding. The severity of the merged finding will be the highest of all found within the file.

This means if you had an old vulnerable version of jQuery, it might have previously resulted in 4 or 5 issues, but now it will only show up as one issue. This should make your overall report cleaner and easier to review and, most importantly, resolve!
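The merge described above, sketched as an added example (not Fixinator's own code): known-vulnerability findings for the same JavaScript file collapse into one finding carrying the highest severity, and the result is ordered highest severity first, as in the version 6 reports. The record fields (`path`, `kind`, `severity`, `title`), the `known-vulnerable-js` value and the numeric severity scale are assumptions, and the sample findings are constructed.

```python
from collections import defaultdict

# Assumed for this sketch: severity is an integer, higher = more severe,
# and known-vulnerable-library findings carry kind == "known-vulnerable-js".
JS_KIND = "known-vulnerable-js"


def sort_by_severity(findings):
    """Highest severity first; ties broken by path for a stable report order."""
    return sorted(findings, key=lambda f: (-f["severity"], f["path"]))


def merge_js_findings(findings):
    """Return a new list where each vulnerable JS file yields exactly one finding."""
    by_file = defaultdict(list)
    others = []
    for f in findings:
        if f["kind"] == JS_KIND:
            by_file[f["path"]].append(f)
        else:
            others.append(dict(f))  # copy so the caller's records stay untouched

    merged = []
    for path, group in by_file.items():
        merged.append({
            "path": path,
            "kind": JS_KIND,
            # The merged finding takes the highest severity found in the file.
            "severity": max(g["severity"] for g in group),
            # Keep every advisory title once, in first-seen order.
            "title": "; ".join(dict.fromkeys(g["title"] for g in group)),
            "merged_count": len(group),
        })
    return sort_by_severity(merged + others)


# Constructed sample: one old jQuery file with four advisories plus two code findings.
SAMPLE = [
    {"path": "js/jquery.min.js", "kind": JS_KIND, "severity": 2, "title": "advisory A"},
    {"path": "js/jquery.min.js", "kind": JS_KIND, "severity": 3, "title": "advisory B"},
    {"path": "views/list.cfm", "kind": "code", "severity": 1, "title": "low finding"},
    {"path": "js/jquery.min.js", "kind": JS_KIND, "severity": 2, "title": "advisory A"},
    {"path": "js/jquery.min.js", "kind": JS_KIND, "severity": 1, "title": "advisory C"},
    {"path": "admin/login.cfm", "kind": "code", "severity": 3, "title": "high finding"},
]

if __name__ == "__main__":
    for f in merge_js_findings(SAMPLE):
        print(f["severity"], f["path"], f.get("merged_count", 1), f["title"])
```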

Enterprise Version Enhancements

Fixinator version 6 makes it WAY easier to use the enterprise version. You can now run entirely within the CommandBox environment; there is no need to set up your own Fixinator Scanning Server API endpoint.

With version 6, you can simply run:

box install c:\fixinator\fixinator-enterprise-6.0.0.zip

And the Fixinator client will invoke Fixinator directly. This should make Fixinator way easier to use for our many, many enterprise clients!

Enterprise Performance

The enhancements to the enterprise version of Fixinator allow it to run about 20% faster vs a local API server endpoint.

When comparing an enterprise local scan vs the cloud scan API, it runs about 5 times faster.

Security Scanning Improvements

Several minor improvements were made to the code security scanning features in Fixinator version 6 as well. The goal of Fixinator remains to be the best ColdFusion source code security scanner available.

How to get it

If you are not yet a Fixinator customer, you can get a trial version here.

Existing customers can update their client to the latest version by running the following, and then restarting CommandBox:

box install fixinator

If you are using CI to scan your code, you might already be doing the above in your pipeline script, so you probably don't need to do anything to start using the latest version.

If you are an enterprise customer, you can log in to your account to download the latest Fixinator Enterprise scanning engine.



fixinator

Fixinator Version 6 Released was first published on March 04, 2025.

