Scanning COBOL projects
Fortify ScanCentral SAST clients can package COBOL projects for remote translation and scan. For detailed information about the requirements and options available for COBOL analysis, see the OpenText™ Static Application Security Testing User Guide.
You must have a sensor with the Windows operating system. Fortify ScanCentral SAST automatically assigns COBOL scans to a Windows sensor. If no Windows sensor is available, then the scan job is created but cannot be started.
Make sure the copybook files are in a separate directory from the COBOL source code files. OpenText recommends that you place your COBOL source code files in a directory called sources and your copybook files in a directory called copybooks. Create these directories at the same level.
To analyze a COBOL project on Linux and to use Legacy COBOL translation, you must perform a local OpenText SAST translation:
scancentral -sscurl <ssc_url> -ssctoken <token> start -b <build_id>
The following example command submits a scan request for a COBOL project where the copybook files are in the local copybooks directory:
scancentral -sscurl <ssc_url> -ssctoken <token> start -targs "-copydirs copybooks -dialect COBOL390"
The following example command submits a scan request for a COBOL project that contains source code files with a non-standard file extension mfcbl:
scancentral -sscurl <ssc_url> -ssctoken <token> start -targs "-copydirs MyCopydir1;MyCopydir2 -Dcom.fortify.sca.fileextensions.mfcbl=COBOL"
The following example command submits a scan request for a COBOL project that contains source code files without file extensions:
scancentral -sscurl <ssc_url> -ssctoken <token> start -targs "-copydirs MyCopyDir -noextension-type COBOL"
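A preflight check for the directory layout and the -targs options described above, as an added example (not part of the OpenText documentation or tooling). It verifies that sources and copybooks are sibling directories and prints a -targs value built from the file extensions found in sources. Assumptions: copybooks are recognised by a .cpy extension, .cbl and .cob need no extension mapping, and the options shown separately above can be combined in one -targs string.

```shell
#!/bin/sh
# cobol_targs is a hypothetical helper name. Review its output before passing
# it to "scancentral ... start -targs": every unexpected extension found in
# sources is mapped to COBOL.

cobol_targs() {
    root=$1

    # The layout requires sources/ and copybooks/ at the same level.
    for d in sources copybooks; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d" >&2; return 1; }
    done

    # Copybooks must not sit in the same directory tree as program sources.
    stray=$(find "$root/sources" -type f \( -name '*.cpy' -o -name '*.CPY' \) | head -n 1)
    if [ -n "$stray" ]; then
        echo "copybook found under sources: $stray" >&2
        return 2
    fi

    targs="-copydirs copybooks"

    # Map each extension outside the assumed defaults to COBOL.
    exts=$(find "$root/sources" -type f -name '*.*' | sed 's/.*\.//' | sort -u)
    for ext in $exts; do
        case $ext in
            cbl|cob|CBL|COB) ;;
            *) targs="$targs -Dcom.fortify.sca.fileextensions.$ext=COBOL" ;;
        esac
    done

    # Source files with no extension at all need -noextension-type.
    if [ -n "$(find "$root/sources" -type f ! -name '*.*' | head -n 1)" ]; then
        targs="$targs -noextension-type COBOL"
    fi

    printf '%s\n' "$targs"
}
```

Run it from the project root, for example cobol_targs . and pass the printed string as the quoted -targs value.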