Packaging Instructions for COBOL

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Required Files

The Veracode Platform requires all COBOL source code files to be UTF-8 encoded text files, with the extension COB or CBL for COBOL source code, and CPY for copy tables. EBCDIC encoding is not supported.

Copybooks are not required for the scan, but if available, they provide increased coverage and accuracy of the scan. You must extract each program into its own source file. The Veracode Platform ignores source files with unsupported extensions or text files without extensions.

Supported COBOL Versions

Language Dialects Supported Versions Notes
COBOL Enterprise COBOL for z/OS 3.1–6.2 CICS, DB2, and IMS DL/I embedded code inserted via EXEC statements are supported.
MicroFocus COBOL (Net Express) 5.0  
AcuCOBOL-GT 10.1  
HP COBOL Tandem for TNS / TNS/R    
COBOL for OS/390    
COBOL for OS/370    
COBOL for MVS    

Code Extraction and Preparation

Many COBOL mainframe systems store their source code in a database or in libraries. To analyze this source code with Veracode, you must first extract the COBOL source code from the database into plain source files that Veracode can scan. These files must be discrete source files, instead of partitioned data sets or other proprietary extraction format.

The system management team with the necessary system administration privileges normally extracts the code from the host system. The extraction process follows the same process during data and system migration and for analysis in source code management systems such as Serena Changeman ZMF.

In the case of IBM iSeries, the code is organized into libraries (similar to directories) and source physical files with multiple members containing the source code items. The extraction script typically uses system commands to extract code from libraries to system files that you can then transfer to an external system for upload to Veracode. Due to the mainframe security restrictions and implementation differences between different systems, Veracode recommends contacting your IT system management team to discuss the extraction process and scanning of COBOL programs.

You must compress all COBOL source files of the same application in a supported archive file format such as ZIP. When you upload COBOL source files to an application profile on the Veracode Platform, the Veracode Platform automatically recognizes these source files and correctly routes them for scanning.