COBOL packaging
Your COBOL applications must meet specific requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
Automated packaging
Auto-packaging automates the packaging process for COBOL projects.
Required files
Veracode requires that you encode all COBOL source code files as UTF-8 text files, with the extension COB, CBL, COBOL, or PCO. Copybooks must have the CPY extension. Veracode does not support EBCDIC encoding.
Veracode recommends that you submit your COBOL source files as separate files in a single archive. Do not concatenate multiple source files into a single file before archiving. Veracode does not support uploading individual COBOL files outside of an archive.
Veracode does not require you to provide copybooks for scans. If available, copybooks provide increased scan coverage and accuracy. You must extract each program into its source file. Veracode ignores source files with unsupported extensions or text files without extensions.
Code extraction and preparation
Many COBOL mainframe systems store their source code in a database or libraries. To analyze this source code with Veracode, you must first extract the COBOL source code from the database into plain source files that Veracode can scan. These files must be discrete source files, instead of partitioned data sets or other proprietary extraction formats.
The system management team with the necessary system administration privileges normally extracts the code from the host system. The extraction process follows the same process during data and system migration and for analysis in source code management systems, such as Serena Changeman ZMF.
In the case of IBM iSeries, the code is organized into libraries, similar to directories, and source physical files. Multiple members contain the source code items. The extraction script typically uses system commands to extract code from libraries to system files that you can then transfer to an external system for upload to Veracode. Due to the mainframe security restrictions and implementation differences between different systems, Veracode recommends contacting your system management team to discuss the extraction process and scanning of COBOL programs.
How Veracode prepares for scanning
Veracode prepares your submission for scanning by parsing the COBOL source. There are many dialects and several formats of COBOL source. In most cases, Veracode can automatically handle these variations. In some cases, it may be necessary to specify options to the COBOL parser in order to obtain the best parse results. You can specify options in a file called veracode.json
packaged at the root of the submitted archive.
The veracode.json
file is formatted as a list of options contained within []. Each option in the list, contained within , consists of two keywords with values. The keyword value pairs are formatted as a string, followed by a colon, followed by a value. The first keyword value pair is the option and its default value. The second keyword value pair is the keyword description
and a brief description of the option and its default value.
Example veracode.json
file:
[
{ "auto-detect-format" : true,
"description" : "true: automatically determine the format. false: use the value of the format option."},
{ "auto-detect-use-first-format" : true,
"description" : "true: Only analyze the first file to determine the format for all. false: analyze each file for its format."},
{ "charset" : "UTF-8",
"description" : "The character set to be used when reading the source."},
{ "cobol-extensions" :
["cbl", "cob", "cobol", "pco"],
"description" : "A list of file extensions to be used in detecting COBOL source files. Each extension must be one of cbl, cob, cobol or pco."},
{ "copybook-extensions" :
["cpy"],
"description" : "A list of file extensions to be used in detecting copybook files. Each extension must be one of cbl, cob, cobol, pco or cpy."},
{ "cobol-source-format" : "FIXED",
"description" : "The format of the COBOL source code. Either FIXED, TANDEM, or VARIABLE. Ignored if autoDetectFormat is true."},
{ "tab-expansion" : 8,
"description" : "How many spaces to expand tabs. Tabs do not work well with FIXED format and data in the comment area. If expansion goes past column 72, expansion is retried with one fewer spaces."}
]
The COBOL parser handles copybooks by including them into the source with the corresponding COPY statement. Therefore, Veracode supports syntax split between the source and the copybook if and only if the required copybook is included.
Veracode evaluates a wide range of COBOL implementations and proprietary extensions. If your COBOL applications use object-oriented COBOL or other features outside standard COBOL specifications, contact your Veracode account manager to schedule a comprehensive assessment.
Supported COBOL standards
- COBOL-74
- COBOL-85
- COBOL-2002
Supported COBOL dialects
- AcuCOBOL-GT
- COBOL/400
- COBOL for MVS
- COBOL for OS/370
- COBOL for OS/390
- Enterprise COBOL for z/OS
- HP COBOL Tandem
- IBM ILE COBOL
- MicroFocus COBOL
- OS/VS COBOL
- SCOBOL
- Stratus VOS COBOL
- VS COBOL II