Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

COBOL static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your COBOL code

Tags

Inserts should include values for non-null columns
Bug
Numbers should only be moved to variables large enough to hold them without truncation
Bug
"DELETE" and "UPDATE" statements should contain "WHERE" clauses
Bug
Data items should be initialized with data of the correct type
Bug
SQL statements should not contain dynamic clauses
Security Hotspot
Section names should be unique within a program
Code Smell
DDL statements should not be used
Code Smell
When calling a subprogram, the data item containing the name of the subprogram to be called should not be programmatically updated
Vulnerability
"INSERT" statements should not set the values of identity columns
Bug
SQL "UPDATE" statements should not change primary key values
Bug
Alphanumeric values should not be moved to numeric fields
Bug
The second procedure of a "PERFORM THRU" statement should be defined after the first procedure
Bug
"PERFORM" calls should not be recursive
Code Smell
"COPY SUPPRESS" should not be used
Code Smell
"LIKE" clauses should not be used without wildcards
Code Smell
Open files should be closed explicitly
Code Smell
Copybooks should not contain keywords relating to the nature or structure of a program
Code Smell
Data used in a "LINKAGE" should be defined in a COPYBOOK
Code Smell
"EVALUATE" structures should end with "WHEN OTHERS" clauses
Code Smell
Cyclomatic Complexity of sections should not be too high
Code Smell
Cyclomatic Complexity of paragraphs should not be too high
Code Smell
Cursors should not be opened inside loops
Code Smell
Cursors should not be declared inside loops
Code Smell
Cursors should not be closed inside loops
Code Smell
String literals should not be duplicated
Code Smell
Copybooks should be used to share data structures, not procedural logic
Code Smell
Queries that use "FETCH FIRST" should have an "ORDER BY"
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Strings should only be moved to variables large enough to hold them without truncation
Bug
"WHERE" clause conditions should not be contradictory
Bug
Selects should include null indicators for nullable columns
Bug
Fetches should not select more columns than their cursors
Bug
Conditionally executed code should be reachable
Bug
"NULL" should not be compared directly
Bug
Conditions in related "IF/ELSE IF" statements and "WHEN" clauses in "EVALUATE" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Paragraphs should not be redefined
Bug
Variables should not be self-assigned
Bug
"EXIT PROGRAM" should be the last statement of a sequence
Bug
"STOP RUN" or "GOBACK" should be the last statement of a sequence
Bug
Having SQL "SELECT" statements without "WHERE" conditions is security-sensitive
Security Hotspot
"OCCURS DEPENDING ON" should be used with a minimum value
Code Smell
Unused condition names should be removed
Code Smell
"BINARY" variables should be used to declare variable-length table sizes
Code Smell
Binary variables should be used for table subscript access
Code Smell
Conditional variables should not be compared with literals
Code Smell
Variables of different numeric formats should not be compared
Code Smell
Conditions should not use too many distinct data items
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
SQL "LIKE" clauses should not start with wildcard characters
Code Smell
Column names should be used in a SQL "ORDER BY" clause
Code Smell
SQL statements should not join too many tables
Code Smell
Declared files should be used
Code Smell
"SORT" should not be used
Code Smell
"MERGE" should not be used
Code Smell
Columns to be read with a "SELECT" statement should be clearly defined
Code Smell
Ending words should be aligned with what they close
Code Smell
"PERFORM" calls should not be nested too deeply
Code Smell
Sections should be documented
Code Smell
Sections should not be empty
Code Smell
Nested SQL "SELECT" statements should not be used
Code Smell
Sections of code should not be commented out
Code Smell
SQL EXISTS subqueries should not be used
Code Smell
Track uses of "FIXME" tags
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Collapsible "IF" statements should be merged
Code Smell
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Unused "TABLE" declarations should be removed
Code Smell
Binary search should be used for large tables
Code Smell
Arithmetic expressions and scalar functions should not be used in "WHERE" conditions
Code Smell
"OCCURS 1" should not be used on data items
Code Smell
Program names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
File data items should not exceed 63,488 characters
Bug
"UPDATE" and "DELETE" statements should not impact multiple rows
Code Smell
"ALTER" should not be used
Code Smell
"LOCK TABLE" should not be used
Code Smell
Track lack of copyright and license headers
Code Smell
"ACCEPT" should not be used
Vulnerability
Paragraphs used by a "PERFORM" statement should not contain "GO TO"
Bug
"PROGRAM-ID"s should match their file names
Bug
Data value clauses should not be used in linkage sections
Bug
"GOBACK" should be used instead of "STOP RUN"
Bug
"GO TO DEPENDING ON" should not be used
Code Smell
"0 RECORDS" should be specified for "BLOCK CONTAINS"
Code Smell
"INSERT" statements should explicitly list the columns to be set
Code Smell
"PERFORM ... THRU ..." should not be used
Code Smell
Either "RESP" or "NOHANDLE" should be used with CICS commands
Code Smell
The return codes of CICS commands with "RESP" or "NOHANDLE" conditions should be tested
Code Smell
"COMMAREA" length should be specified in "CICS Link" and "CICS Xctl" commands
Code Smell
"EVALUATE ... WHEN" statements should not contain conditional logic
Code Smell
"FILE STATUS" should be checked after IO operations when it is available
Code Smell
"SECTION" should not be used in a "PROCEDURE DIVISION"
Code Smell
"REDEFINES" should not be used
Code Smell
The number of "PERFORM" statements in a procedure, section, or paragraph should be limited
Code Smell
Control flow statements should not be nested too deeply
Code Smell
"GO TO" should not be used
Code Smell
The cyclomatic complexity of a program should not be too high
Code Smell
"ORDER BY" should be specified for cursors
Bug
"GO TO" statements should not transfer control outside their modules
Bug
Limited dependence should be placed on operator precedence
Code Smell
"OCCURS DEPENDING ON" should not be used
Code Smell
SQL statements should not use "CAST(... AS CHAR/VARCHAR)"
Code Smell
Condition names should be named for their conditional variables
Code Smell
Math should only be performed on computational variables
Code Smell
"CALL" programs should be specified dynamically
Code Smell
"SELECT" statements should not lead to full table scans
Code Smell
Track parsing failures
Code Smell
Files should not contain too many sections
Code Smell
SQL "OR" clauses testing equality on the same identifier should be replaced by an "IN" clause
Code Smell
A SQL "BETWEEN" clause should be used instead of "X>=Y AND X<=Z"
Code Smell
"FOR READ ONLY" or "FOR UPDATE" should be specified for DB2 cursors
Code Smell
"READ" statements should have an "AT END" or an "INVALID KEY" clause if "FILE-STATUS" is not defined
Code Smell
The number of subprograms called in a program should be limited
Code Smell
Files should not contain too many paragraphs
Code Smell
The number of COPY directives in a program should be limited
Code Smell
Packed numeric fields should be defined with odd length
Code Smell
The last paragraph of a "PERFORM THRU" should only contain an "EXIT" statement
Code Smell
Paragraphs should follow a naming convention
Code Smell
Procedures used in "PERFORM ... THRU ..." should share a naming convention
Code Smell
Paragraphs should be documented
Code Smell
New types should be defined in copybooks
Code Smell
"WHERE" clauses should not contain too many lines of code
Code Smell
"UNION" should not be used in "SELECT" statements
Code Smell
"PERFORM SECTION" should not be used
Code Smell
"PERFORM PARAGRAPH" should not be used
Code Smell
Paragraphs should not be used
Code Smell
"OPEN" should not be used inside a loop
Code Smell
"NEXT SENTENCE" should not be used
Code Smell
"GROUP BY" should not be used in SQL "SELECT" statements
Code Smell
"EXAMINE" should not be used
Code Smell
"DISTINCT" should not be used in SQL "SELECT" statements
Code Smell
The "COMPUTATIONAL" data value clause should not be used
Code Smell
Track uses of SQL
Code Smell
The OS/VS "TRANSFORM" statement should not be used
Code Smell
The OS/VS "ON" statement should not be used
Code Smell
Programs should not have too many lines of code
Code Smell
The "LIKE" operator should be used very carefully in SQL "WHERE" condition
Code Smell
Sections and paragraphs should not perform more than one SQL operation
Code Smell
Unused sections should be removed
Code Smell
Sections should not have too many lines of code
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Unused paragraphs should be removed
Code Smell
Unused data item blocks should be removed
Code Smell
Paragraphs should not have too many lines of code
Code Smell
Paragraphs should not be empty
Code Smell
Modules should not have too many lines of code
Code Smell
Closable statements with nested statements should be closed
Code Smell
Track comments matching a regular expression
Code Smell
Statements should be on separate lines
Code Smell
Magic numbers should not be used
Code Smell
"WITH DEBUGGING MODE" should not be used
Vulnerability
"DISPLAY" should not be used
Vulnerability
Explicitly opened cursors should be closed
Bug
"CORRESPONDING" should not be used in "ADD", "SUBTRACT", and "MOVE" statements
Bug
"SQLCODE" or "SQLSTATE" should be tested after each SQL statement
Code Smell
Default column values should not be set explicitly in inserts
Code Smell
Fetches should use all of the columns selected in their cursors
Code Smell
Programs should begin with titles
Code Smell
SQL "UPDATE" statements should not impact columns included in partitioning indexes
Code Smell
Obsolete keywords should not be used
Code Smell
Level 77 should not be used
Code Smell
SQL "WHERE" clauses should use ANSI standard operators
Code Smell
SQL tables should be joined with the "JOIN" keyword
Code Smell
Data items should never be accessed using more than one "OF" clause
Code Smell
Data item declarations should be aligned
Code Smell
"TO" keywords should be aligned in a sequence of "MOVE" statements
Code Smell
Logical files should follow a naming convention
Code Smell
First level data items should follow a naming convention
Code Smell
File-Codes should comply with a naming convention
Code Smell
File names should comply with a naming convention
Code Smell
"INITIALIZE" should not be used
Code Smell
Disallowed characters should not be used in identifiers
Code Smell
Sections should end with an empty paragraph
Code Smell
The OS/VS "NOTE" statement should not be used
Code Smell
"OS/VS EXHIBIT" should not be used
Code Smell
Paragraphs and statements should be indented consistently
Code Smell
"CURSORs" should not be declared inside procedure divisions
Code Smell
Tabulation characters should not be used
Code Smell
Track uses of forbidden statements
Code Smell
Track uses of disallowed modules
Code Smell

Delivering code in production with debug features activated is security-sensitive

Security Hotspot

MinorSonarSource default severity
click to learn more

cwe
error-handling
debug
user-experience
owasp

Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:

CVE-2018-1999007
CVE-2015-5306
CVE-2013-2006

Debug statements (ones with 'D' or 'd' in the indicator area) should not be executed in production, but the WITH DEBUGGING MODE clause activates all debug lines, which could expose sensitive information to attackers.

Ask Yourself Whether

the code or configuration enabling the application debug features is deployed on production servers or distributed to end users.
the application runs by default with debug features activated.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Do not enable debug features on production servers or applications distributed to end users.

Sensitive Code Example

SOURCE-COMPUTER. IBM-370 WITH DEBUGGING MODE.

Compliant Solution

SOURCE-COMPUTER. IBM-370.

See

OWASP Top 10 2021 Category A5 - Security Misconfiguration
OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
MITRE, CWE-489 - Active Debug Code
MITRE, CWE-215 - Information Exposure Through Debug Information

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Enterprise
Edition

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted