How to scan COBOL code

Question

How do I scan COBOL code using Fortify?

Answer

COBOL is scanned with Fortify using a process similar to that for other languages, so the other technical notes on this site also apply to COBOL scans.

Note: The information provided here is specific to the new (Fortify v20.2.0) COBOL translation engine. A legacy translation engine is also available. Please see the Fortify documentation for details about the legacy translation engine.

The following prerequisites must be met to scan COBOL code in Fortify:

  • Fortify COBOL scanning is only supported on Windows platforms
  • Copy the following to the machine where the scan will be performed:
    • COBOL source code files - recommended to copy to a directory such as “source”
    • COBOL copybook files - must be in a separate directory from the source code, e.g., “copybooks”
      • This must include SQL INCLUDE files
      • Copybook files must use the .cpy or .CPY extension

By default, Fortify scans files with a .cbl extension as COBOL. However, files without extensions and files with other extensions may also be scanned:

  • If the COBOL files have no extension, use the “-noextension-type COBOL” command-line option
  • If the COBOL files use an extension other than .cbl, map that extension to COBOL with the “-Dcom.fortify.sca.fileextensions.<ext>=COBOL” command-line option, where <ext> is the extension without its leading dot (for example, “-Dcom.fortify.sca.fileextensions.cob=COBOL” for .cob files)

COBOL is scanned from the command line. A Fortify scan has three phases: the clean phase, the translation phase, and the scan phase. Only the translation phase needs COBOL-specific arguments.

Assuming the source code is located in the “source” directory, the copybook files are in the “copybooks” directory, and the source code files have no extension, the following commands may be used:

# Clean phase:
sourceanalyzer -b cobol-scan -clean
# Translation phase:
sourceanalyzer -b cobol-scan -noextension-type COBOL -copydirs .\copybooks .\source\*.*
# Scan phase:
sourceanalyzer -b cobol-scan -scan -f cobol-scan.fpr

The results of the scan are written to the cobol-scan.fpr file.
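The rules above are easy to get wrong on a machine that was set up by hand: a copybook saved with the wrong extension, copybooks dropped into the source tree, or a source tree that mixes extension-less files with .cob files and therefore needs both extension options. The following script is an added helper for this note, not part of Fortify; it checks the layout before any sourceanalyzer invocation and builds the three phases from what it finds. The directory names, the build ID “cobol-scan” and the file names in the constructed demo layout are assumptions; the Fortify options it emits (-clean, -noextension-type, -copydirs, -scan, -f and the com.fortify.sca.fileextensions property) are the ones described above. It also generalizes slightly beyond the example in the text by mapping every non-.cbl extension it encounters, not just a single one.

```python
"""Pre-flight checks and command construction for a Fortify SCA COBOL scan.

Added helper for this note; it is not part of Fortify. It encodes the layout
rules above (copybooks in their own directory, .cpy/.CPY extension,
extension-based language detection) and emits the three sourceanalyzer
phases. Directory names, the build ID and the demo file names are assumptions.
"""
from __future__ import annotations

import subprocess
import sys
import tempfile
from pathlib import Path


def check_layout(source_dir: Path, copybook_dir: Path) -> list[str]:
    """Return a list of layout problems; an empty list means the scan can proceed."""
    problems: list[str] = []
    if not source_dir.is_dir():
        problems.append(f"source directory not found: {source_dir}")
    if not copybook_dir.is_dir():
        problems.append(f"copybook directory not found: {copybook_dir}")
        return problems
    src, cpy = source_dir.resolve(), copybook_dir.resolve()
    # Copybooks must live in a directory separate from the source tree.
    if src == cpy or src in cpy.parents or cpy in src.parents:
        problems.append("copybook directory must be separate from the source directory")
    for f in copybook_dir.rglob("*"):
        if f.is_file() and f.suffix.lower() != ".cpy":
            problems.append(f"copybook {f.name} must use the .cpy or .CPY extension")
    return problems


def source_extensions(source_dir: Path) -> set[str]:
    """Lower-cased extensions of the source files; '' marks files with no extension."""
    return {f.suffix.lower() for f in source_dir.iterdir() if f.is_file()}


def translation_command(build_id: str, source_dir: Path, copybook_dir: Path) -> list[str]:
    """Build the translation phase, adding the extension options only when needed."""
    exts = source_extensions(source_dir)
    cmd = ["sourceanalyzer", "-b", build_id]
    if "" in exts:
        cmd += ["-noextension-type", "COBOL"]
    # .cbl is recognised by default; every other extension is mapped to COBOL
    # through the fileextensions property, whose name carries the extension
    # without its dot. Extension matching is assumed case-insensitive here.
    for ext in sorted(exts - {"", ".cbl"}):
        cmd.append(f"-Dcom.fortify.sca.fileextensions.{ext[1:]}=COBOL")
    cmd += ["-copydirs", str(copybook_dir), str(source_dir / "*.*")]
    return cmd


def scan_commands(build_id: str, source_dir: Path, copybook_dir: Path, fpr: str) -> list[list[str]]:
    """The three phases in order: clean, translate, scan."""
    return [
        ["sourceanalyzer", "-b", build_id, "-clean"],
        translation_command(build_id, source_dir, copybook_dir),
        ["sourceanalyzer", "-b", build_id, "-scan", "-f", fpr],
    ]


def demo_layout() -> tuple[list[str], list[str]]:
    """Constructed sample layout (stub files, not real programs): one source file
    without an extension, one .cob file, two copybooks and one mis-named copybook.
    Returns the detected problems and the translation command that results."""
    root = Path(tempfile.mkdtemp())
    source, copybooks = root / "source", root / "copybooks"
    source.mkdir()
    copybooks.mkdir()
    (source / "PAYROLL").write_text("       IDENTIFICATION DIVISION.\n")
    (source / "LEDGER.cob").write_text("       IDENTIFICATION DIVISION.\n")
    (copybooks / "EMPREC.cpy").write_text("       01 EMP-REC.\n")
    (copybooks / "SQLCA.CPY").write_text("       01 SQLCA.\n")
    (copybooks / "NOTES.txt").write_text("not a copybook\n")
    return check_layout(source, copybooks), translation_command("cobol-scan", source, copybooks)


if __name__ == "__main__":
    # Usage: cobol_scan.py <source-dir> <copybook-dir> [--run]
    # Without --run the commands are only printed; with no arguments the demo runs.
    if len(sys.argv) < 3:
        problems, cmd = demo_layout()
        print("demo problems:", problems)
        print("demo translation:", " ".join(cmd))
        sys.exit(0)
    source, copybooks = Path(sys.argv[1]), Path(sys.argv[2])
    problems = check_layout(source, copybooks)
    if problems:
        sys.exit("\n".join(problems))
    for cmd in scan_commands("cobol-scan", source, copybooks, "cobol-scan.fpr"):
        print(" ".join(cmd))
        if "--run" in sys.argv:
            subprocess.run(cmd, check=True)
```

Run it with no arguments to see what the constructed layout produces: the stray NOTES.txt is reported, and the translation command carries both -noextension-type COBOL (for PAYROLL) and -Dcom.fortify.sca.fileextensions.cob=COBOL (for LEDGER.cob). The wildcard in the final argument is left for sourceanalyzer to expand, as in the commands above, so it must not be pre-expanded by a shell before it reaches the tool.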

References

Fortify documentation, SCA User Guide, Chapter 14
Technical Notes (Fortify Usage)
Technical Notes (Fortify Errors)
Technical Notes (Scan Issues)