Packaging Instructions for COBOL

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Required Files

The Veracode Platform requires all COBOL source code files to be UTF-8 encoded text files, with the extension .cob, or .cbl for COBOL source code and .cpy for copy tables. EBCDIC encoding is not supported.

Copybooks are not required for the scan, but if available, they provide increased coverage and accuracy of the scan. You must extract each program into its own source file. The Veracode Platform ignores source files with unsupported extensions or text files without extensions.

Supported COBOL Versions

Language Dialects Supported Versions Compatibility Support Notes
COBOL Enterprise COBOL for z/OS 4.2-6.2 3.1-4.1 CICS, DB2, and IMS DL/I embedded code inserted via EXEC statements are supported.
IBM ILE COBOL 7.0  
MicroFocus COBOL (Net Express) 5.0    
AcuCOBOL-GT 10.1    
COBOL-85      
SCOBOL      
COBOL-2002      
HP COBOL Tandem for TNS / TNS/R      
COBOL/400      
COBOL for OS/390      
COBOL for OS/370      
COBOL for MVS      
OS/VS COBOL      
VS COBOL II      

Code Extraction and Preparation

Many COBOL mainframe systems store their source code in a database or in libraries. To analyze this source code with Veracode, you must first extract the COBOL source code from the database into plain source files that Veracode can scan. These files must be discrete source files, rather than partitioned data sets or other proprietary extraction format.

The system management team with the necessary system administration privileges normally extracts the code from the host system. The extraction process follows the same process during data and system migration and for analysis in source code management systems such as Serena Changeman ZMF.

In the case of IBM iSeries, the code is organized into libraries (similar to directories) and source physical files with multiple members containing the source code items. The extraction script typically uses system commands to extract code from libraries to system files that you can then transfer to an external system for upload to Veracode. Due to the mainframe security restrictions and implementation differences between different systems, Veracode recommends contacting your IT system management team to discuss the extraction process and scanning of COBOL programs.

You must compress all COBOL source files of the same application in a supported archive file format such as .zip. When uploaded to an application profile on the Veracode Platform, COBOL source files are automatically recognized and correctly routed for scanning.