COBOL-JCL

Owned by Marco Security
Last updated: Jan 11, 2024
5 min read

Developer’s Artifacts typically involved in COBOL programming are COBOL sources, CopyBooks, DDL, DML, DCLGEN, Screen MAPs and JCL.  Security Reviewer analyzes them all. IMS, DL/I and several DBs are also supported.

AllFusion Endevor Integration

Normally you should download your source code yourself and analyse it manually. Security Reviewer will help you on automating it. Security Reviewer ALM can download your source code from DEV, QA/Stage or PROD Environments at the push of a button, through integration with Broadcom CA-AllFusion Endevor® CM (Mainframe) and AllFusion Harvest® SCM (Windows, Linux)

It also integrates with GIT, SVN, Microsoft TFS, IBM Rational Team Concert, Micro Focus PVCS and CVS (Windows, Linux). It provides a .NET Core Command Line: a multi-platform (Windows, Linux) simple-syntax command line for being launched or scheduled in your AllFusion Harvest Workbench or into your preferred IDE, as an external command. That can be useful for integrating Security Reviewer’s Static Analysis in your Development Life Cycle.

COBOL Options

For each COBOL Platform, different rules will be applied. You can choose:

  • Target COBOL Version

  • Statement Length: 88, 132 or free format

  • Consider the Working Storage as Untrusted

  • Allow/Disallow CICS System Programming

  • COPYBOOKS folder location

Security Reviewer supports most of COBOL Language platforms:

COBOL DIalects

It support all modern COBOL Versions:

  • IBM z/OS Enterprise COBOL (6.4, 6.3, 6.2, 6.1, 5.2, 5.1, 4.2, <=4.1 compilers)

  • IBM IL COBOL (iSeries)

  • Visual COBOL (Micro Focus)

  • NetCOBOL (Fujitsu/GTSoftware)

  • GnuCOBOL (formerly openCOBOL)

  • MCP (Unisys)

  • Teradata IMS (COBOL)

  • COBOL-IT

  • RainCode COBOL

  • Elastic COBOLVeryant isCOBOL Evolve

It also supports Legacy Versions, like:

  • AcuCOBOL-GT

  • VS-COBOL-II

  • Oracle*Pro COBOL

  • RM-COBOL

  • Hitachi COBOL

  • CA-REALIA COBOL

SQL Dialects

Different SQL Dialects are supported for COBOL:

IBM Netezza and DL/I are recognized automatically. Rules for each SQL Dialect will be applied differently.

Further, suppose you have a Java or C# Front End and a COBOL Back End. Security Reviewer can analyse the whole source code simultaneusly, applying different rules for each programming language, and giving a single Result and Report.

Static Analysis

Security vulnerabilities, Dead Code, Best Practices, Insufficient Control Flow Management, Possible Bugs and Resilience will be detected performing a Static Application Security Test (SAST).

Our Static Analysis can handle very large COBOL Programs. Until now the largest program we analyzed was 193 MLOC in a single file.

COBOL

Example of vulnerabilities categories that can be detected for COBOL:

  •       Access Control Database, Access Control DLI, Access Control MQSeries

  •       Improper use of pointers

  •       Deprecated, Unsupported or Obsolete Functions

  •       Avoid dumping system information, Avoid debug statements, Log forging, DLI Log Forging

  •       Code Injection, Command Injection, Queue Resource Injection

  •       Cross-Site Scripting, UTF-7 Cross-Site Scripting, Stored Cross Site Scripting

Security Decisions Via Untrusted Inputs

  •       Avoid non-portable statements

  •       Avoid runtime subroutine calls, Call Settings Manipulation, Dynamic Code, Native Code/Library

  •       Improper use of RANDOM

  •       Poor error handling regarding: Ignored error condition, Multiple HANDLE ABEND, RESP, NOHANDLE

  • Unsafe FILE STATUS

  •       Data truncation in MOVE

  •       SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)

  •       Unsupported DBMS

  •       EXEC CICS WEB Abuse

    Header, Session or Cookies manipulation, HTTP Response Splitting/Tampering, URL Redirect,

File Upload, File Download, Server-Side Request Forgery, etc.)

  •       Information Leakage, Log Forging

  •       Privacy Violation

  •       Password management/hardened credentials mistakes

  •       Authentication mistakes

  •       Code Injection, Command Injection, Resource Injection, XML Injection, File Injection

  •       File Path manipulation

  •       Invalid Process Control, Invalid Systems Calls, Dangerous COBOL/System commands

  •       Unsecure Communications (missed SSL, Outgoing FTP, etc.)

  • Crypto-related vulnerabilities

  • CICS System Programming issues

  • XML parsing issues

  •       Misconfigurations

  •       Insecure Cryptography

  •       Poor Input Validation

  •       Integer Overflow

  •       Unused Parameter, Unused Label, Unused PERFORM, Unused data structures

JCL

Example of vulnerabilities categories that can be detected for JCL:

  • Hardcoded Password (JCL)

  • Avoid Changing Password in a JOB (JCL)

  • Avoid assembler statements (JCL)

  • Avoid shell statements (JCL)

  • Avoid in-stream REXX statements (JCL)

  • Hardcoded JAVA key (JCL)

  • Absolute PATH in DD statement (JCL)

  • Hardcoded REXX key (JCL)

  • Avoid CEDA system commands (JCL)

  • Avoid CECI system commands (JCL)

  • Avoid CEMT system commands (JCL)

  • Avoid RACF activation (JCL)

  • Avoid access CICS TCPIP service (JCL)

  • Avoid mounting a filesystem (JCL)

  • Avoid REXX system commands (JCL)

  • Avoid EXEC of inline shell statements (JCL)

  • Avoid starting TomCat inside a task (JCL)

  • SQL-related issues

  • Avoid multiple JOB, JOBLIB, JCLLIB statements (JCL)

  • Empty conditional statement (JCL)

  • Incorrect JOB, EXEC, DDName name (JCL)

  • Obsolete DD keyword (JCL)

  • Obsolete OUTPUT DD LIKE statement (JCL)

  • PROCLIB not valid in JOB card (JCL)

  • Parameter not valid in JOB card (JCL)

  • Incorrect JOB accounting information (JCL)

  • Incorrect JOB CLASS, MSGCLASS, MSGLEVEL, PRIORITY (JCL)

  • Obsolete CARDS, CCSID parameter (JCL)

  • Avoid using &SYSUID (JCL)

  • Too much instream PROC in a JOB (JCL)

  • Obsolete DCB keyword (JCL)

  • Obsolete ROLL statement (JCL)

  • Unsupported statement (JCL)

Security

Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.

Dead code - Best Practices and Possible Bugs

The same you can do for Dead Code, Best Practices, and Resilience.

Reports

Our reporting system provides a bunch of options:

 

You can:

  • Preview reports

  • Generate reports in different formats (PDF, Word, Excel, HTML, CSV, JSON)

  • Generate separate reports for each Component

  • Include False Positives and Excluded File list in the report

  • Configure the ISO 9001 Cover page

  • Include PCI-DSS 4.0 or 3.2.1 issues

  • Sort vulnerabilities per Severity, CVSS, OWASP, CWE

  • In case you won’t include source code snippets in the report, you have ‘Binary Only’ option

  • Choose which Severity Level issues will be reported

  • Choose between Summary, Details or Developer reports for Security, Dead Code-Best Practices, Quality and SQALE

  • SQALE Reports can include Security, Dead Code, Best-Practices, Quality and Resilience and are provided in English, Spanish, Russian and Italian. A Translation Kit is provided.

Quality                                                                 

Security Reviewer provides a Quality feature, 100% compatible with McCabe IQ®, able to calculate COBOL Software Quality Metrics, and focused to manage COBOL Programs on a Quality point-of-view as well as some significant Performance issue. COBOL metrics are automatically calculated, such as: LOC, SLOC, Cyclomatic Complexity, Essential Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality, etc.

Out-of-Range Metrics

First Quality view shows most used Metrics, with out-of-range values:

McCabe Metrics

Halstead Metrics

 

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.