Developer’s Artifacts typically involved in COBOL programming are COBOL sources, COPYBOOKS, DCLGEN, MAP and JCL. Security Reviewer analyzes the source code of a group of programs selected by the user.
Normally you should download your source code yourself and analyse it manually. Security Reviewer will help you on automating it. Security Reviewer ALM can download your source code from DEV, QA/Stage or PROD Environments at the push of a button, through integration with Broadcom CA-AllFusion Endevor CM (Mainframe) and AllFusion Harvest SCM (UNIX, Linux or Windows)
It also integrates with GIT, SVN, Microsoft TFS, IBM Rational Team Concert, Micro Focus PVCS and CVS (UNIX, Linux or Windows). It provides:
REST API: Simple but powerful REST APIs are available for uploading to a server, scanning and retrieving the analysis’ results. REST Server can be installed at your premises or located in a Cloud ecosystem. This is useful for DevOps integration.
.NET Core Command Line: It provides a multi-platform (Windows, Linux) simple-syntax command line for being launched or scheduled in your AllFusion Harvest Workbench or into your preferred IDE, as an external command. That can be useful for integrating Security Reviewer’s Static Analysis in your Development Life Cycle.
Security Reviewer supports most of COBOL Language platforms:
It support all modern COBOL Versions:
IBM z/OS Enterprise COBOL
IBM IL COBOL (iSeries)
Visual COBOL (Micro Focus)
NetCOBOL (Fujitsu/GTSoftware)
GnuCOBOL (formerly openCOBOL)
MCP (Unisys)
Teradata IMS (COBOL)
COBOL-IT
RainCode COBOL
Elastic COBOLVeryant isCOBOL Evolve
It also supports Legacy Versions, like:
AcuCOBOL-GT
VS-COBOL-II
Oracle*Pro COBOL
RM-COBOL
Hitachi COBOL
CA-REALIA COBOL
For each COBOL Platform, different rules will be applied. You can choose:
Statement Length: 88, 132 or free format
Consider the Working Storage as Untrusted
Allow/Disallow CICS System Programming
COPYBOOKS folder
Different SQL Dialects are supported:
Rules for each SQL Dialect will be applied differently.
Further, suppose you have a Java Front End and a COBOL Back End. Security Reviewer can analyse the whole source code, applying different rules for each programming language, and giving a single Result and Report.
Security vulnerabilities, Dead Code, Best Practices, Insufficient Control Flow Management, Possible Bugs and Resilience will be detected performing a Static Application Security Test (SAST).
Our Static Analysis can handle very large COBOL Programs. Until now the largest program we analyzed was 193 MLOC in a single file. Example of vulnerabilities categories that can be detected:
Access Control Database, Access Control DLI, Access Control MQSeries
Improper use of pointers
Deprecated, Unsupported or Obsolete Functions
Avoid dumping system information, Avoid debug statements, Log forging, DLI Log Forging
Code Injection, Command Injection, Queue Resource Injection
Cross-Site Scripting
Avoid non-portable statements
Avoid runtime subroutine calls, Call Settings Manipulation, Dynamic Code, Native Code/Library
Improper use of RANDOM
Poor error handling regarding: Ignored error condition, Multiple HANDLE ABEND, RESP, NOHANDLE
Unsafe FILE STATUS
Data truncation in MOVE
SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)
Unsupported DBMS
EXEC CICS WEB Abuse
Header, Session or Cookies manipulation, HTTP Response Splitting/Tampering, URL Redirect,
File Upload, File Download, etc.)
Information Leakage
Privacy Violation
Password management/hardened credentials mistakes
Authentication mistakes
Code Injection, Command Injection, Resource Injection, XML Injection, File Injection
File Path manipulation
Invalid Process Control, Invalid Systems Calls, Dangerous COBOL/System commands
Unsecure Communications (missed SSL, Outgoing FTP, etc.)
Misconfigurations
Insecure Cryptography
Poor Input Validation
Integer Overflow
Unused Parameter, Unused Label, Unused PERFORM, Unused data structures
Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.
Our reporting system provides a bunch of options:
You can:
Preview reports
Generate reports in different formats (PDF, Word, Excel, HTML, CSV, JSON)
Generate separate reports for each Component
Include False Positives and Excluded File list in the report
Configure the ISO 9001 Cover page
Include PCI-DSS 3.2.1 issues
Sort vulnerabilities per Severity, CVSS, OWASP, CWE
In case you won’t include source code snippets in the report, you have ‘Binary Only’ option
Choose which Severity Level issues will be reported
Choose between Summary, Details or Developer reports for Security, Dead Code-Best Practices, Quality and SQALE
SQALE Reports can include Security, Dead Code, Best-Practices, Quality and Resilience and are provided in English, Spanish, Russian and Italian. A Translation Kit is provided.
Security Reviewer provides a Quality feature, able to calculate COBOL Software Quality Metrics, and focused to manage COBOL Programs on a Quality point-of-view as well as some significant Performance issue. COBOL metrics are automatically calculated, such as: LOC, SLOC, Cyclomatic Complexity, Essential Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality, etc.
First Quality view shows most used Metrics, with out-of-range values:
