Client rule

IBM® ZCodeScan scans the codebase against a predefined set of rules. The IBM ZCodeScan rules file is a YAML file that lists the rules to apply to the codebase.

You can modify the rules file to suit your requirements: add rules to or delete rules from the YAML file, and overwrite a rule's severity by changing its severity parameter. Because lowering a severity (for example, setting a security rule such as SqlInjectionRule to INFO) hides findings rather than fixing them, keep the rules file under version control and review changes to it as you would any other security configuration.
Note: If you do not specify a rules file on the IBM ZCodeScan command line, all rules are applied to the workspace with their default severity.

Structure and parameters

The IBM ZCodeScan rules file uses the following parameters:
  • rules: The list of IBM ZCodeScan rules to apply. Each entry has an id, a severity, and optionally a list of statements.
  • id: The unique identifier of the rule, for example zcodescan.cobol.rules.SqlWhereRule.
  • severity: One of BLOCKER, HIGH, MEDIUM, LOW, or INFO, listed from most to least severe. Setting this value overrides the rule's default severity.
  • statements: The list of statements to which the rule applies. Each entry has a name and a value.
  • name: The name of the statement, for example "Select".
  • value: The setting for that statement. Depending on the rule, the value is a boolean (true or false), a string, or an integer.
An example of the IBM ZCodeScan rule file is as follows:
rules:
  - id: zcodescan.cobol.rules.ProgramIdRule
    severity: INFO
  - id: zcodescan.cobol.rules.CallSyntaxRule
    severity: INFO
  - id: zcodescan.cobol.rules.SqlWhereRule
    severity: HIGH
    statements:
      - name: "Select"
        value: true
      - name: "Delete"
        value: true
      - name: "Update"
        value: true
  - id: zcodescan.cobol.rules.RequireEndClauseRule
    severity: HIGH
    statements:
      - name: "If"
        value: true
      - name: "Evaluate"
        value: true
      - name: "Read"
        value: true
      - name: "Search"
        value: true
      - name: "Call"
        value: true
  - id: zcodescan.cobol.rules.AcceptRule
    severity: INFO
  - id: zcodescan.cobol.rules.GotoRule
    severity: INFO
  - id: zcodescan.cobol.rules.GotoParagraphRule
    severity: MEDIUM
  - id: zcodescan.cobol.rules.UnprotectedAuthCredentialRule
    severity: HIGH
  - id: zcodescan.cobol.rules.BufferOverflowRule
    severity: INFO
  - id: zcodescan.cobol.rules.UninitialzedVariablesRule
    severity: INFO    
  - id: zcodescan.cobol.rules.AcceptDateTimeRule
    severity: MEDIUM
  - id: zcodescan.cobol.rules.SqlInjectionRule
    severity: INFO
  - id: zcodescan.cobol.rules.StopRunRule
    severity: MEDIUM

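The following Python script is added here as a worked example and is not part of IBM ZCodeScan. It reads a client rule file in the layout shown above, checks each parameter against the constraints listed in this section (unique id, severity from the allowed set, statement values that are boolean, integer or string), and then merges the file over a table of default severities so that rules the client file omits still run at their default, as the note above describes, and rules the client file makes less severe are reported. The default-severity table and the client file are constructed for the example, the parser handles only this file layout (a real script would use PyYAML's yaml.safe_load), and the function names are this example's own.

```python
"""Parse, validate and merge an IBM ZCodeScan client rule file.

Added example, not IBM's code.  The default-severity table and the client
file below are constructed; the helper names are this example's own.
"""
from __future__ import annotations
from typing import Any

SEVERITIES = ("BLOCKER", "HIGH", "MEDIUM", "LOW", "INFO")  # most to least severe
RANK = {s: i for i, s in enumerate(SEVERITIES)}

# Constructed defaults: the page does not list the real default severities.
DEFAULT_SEVERITY = {
    "zcodescan.cobol.rules.SqlInjectionRule": "HIGH",
    "zcodescan.cobol.rules.SqlWhereRule": "MEDIUM",
    "zcodescan.cobol.rules.UnprotectedAuthCredentialRule": "HIGH",
    "zcodescan.cobol.rules.BufferOverflowRule": "MEDIUM",
    "zcodescan.cobol.rules.StopRunRule": "LOW",
}

# Constructed client rule file in the layout shown on the page.
CLIENT_RULES = """\
rules:
  - id: zcodescan.cobol.rules.SqlInjectionRule
    severity: INFO
  - id: zcodescan.cobol.rules.SqlWhereRule
    severity: HIGH
    statements:
      - name: "Select"
        value: true
      - name: "Delete"
        value: false
      - name: "Limit"
        value: 10
"""


def _scalar(text: str) -> Any:
    """Decode the scalar kinds the page allows: boolean, integer or string."""
    t = text.strip()
    if t.lower() in ("true", "false"):
        return t.lower() == "true"
    if t.lstrip("-").isdigit():
        return int(t)
    if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'":
        return t[1:-1]
    return t


def parse_rule_file(text: str) -> list[dict]:
    """Indentation-based reader for the rules-file subset used on the page:
    rules -> [{id, severity, statements -> [{name, value}]}].
    A real deployment would call yaml.safe_load instead."""
    rules: list[dict] = []
    rule = stmt = None
    rule_keys = stmt_keys = -1  # indent at which each mapping's keys sit
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if body == "rules:":
            continue
        is_item = body.startswith("- ")
        key, sep, val = (body[2:] if is_item else body).partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, val = key.strip(), val.strip()
        if is_item and key == "id":  # start of a rule entry
            rule = {"id": _scalar(val)}
            rules.append(rule)
            rule_keys, stmt = indent + 2, None
        elif is_item and key == "name":  # start of a statement entry
            if rule is None or "statements" not in rule:
                raise ValueError(f"statement outside a statements block: {raw!r}")
            stmt = {"name": _scalar(val)}
            rule["statements"].append(stmt)
            stmt_keys = indent + 2
        elif stmt is not None and indent == stmt_keys:
            stmt[key] = _scalar(val)
        elif rule is not None and indent == rule_keys:
            rule[key] = [] if key == "statements" and val == "" else _scalar(val)
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return rules


def validate(rules: list[dict]) -> list[str]:
    """Return the problems found; an empty list means the file is acceptable."""
    problems: list[str] = []
    seen: set[str] = set()
    for n, rule in enumerate(rules, 1):
        rid = rule.get("id")
        if not isinstance(rid, str) or not rid:
            problems.append(f"rule {n}: missing or non-string id")
            continue
        if rid in seen:
            problems.append(f"{rid}: duplicate id")
        seen.add(rid)
        sev = rule.get("severity")
        if sev is not None and sev not in SEVERITIES:
            problems.append(f"{rid}: severity {sev!r} is not one of {SEVERITIES}")
        for stmt in rule.get("statements", []):
            if not isinstance(stmt.get("name"), str):
                problems.append(f"{rid}: statement without a string name")
            if not isinstance(stmt.get("value"), (bool, int, str)):
                problems.append(f"{rid}: statement {stmt.get('name')!r} needs a boolean, integer or string value")
        problems += [f"{rid}: unknown parameter {k!r}" for k in rule if k not in ("id", "severity", "statements")]
    return problems


def effective_severities(rules: list[dict], defaults: dict[str, str]) -> dict[str, str]:
    """Rules absent from the client file keep their default severity (the note
    above); a client entry overwrites the default where it sets one."""
    effective = dict(defaults)
    for rule in rules:
        sev = rule.get("severity")
        if sev is None:
            if rule["id"] not in defaults:
                raise KeyError(f"{rule['id']}: no severity given and no default known")
            sev = defaults[rule["id"]]
        effective[rule["id"]] = sev
    return effective


def downgrades(rules: list[dict], defaults: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Rules the client file makes less severe than the default, such as a
    security rule dropped to INFO; a CI policy check can fail on these."""
    found: dict[str, tuple[str, str]] = {}
    for rid, sev in effective_severities(rules, defaults).items():
        base = defaults.get(rid)
        if base is not None and RANK[sev] > RANK[base]:
            found[rid] = (base, sev)
    return found


if __name__ == "__main__":
    parsed = parse_rule_file(CLIENT_RULES)
    print("problems:", validate(parsed) or "none")
    for rid, (base, new) in downgrades(parsed, DEFAULT_SEVERITY).items():
        print(f"DOWNGRADED {rid}: {base} -> {new}")
```

Run the script as-is to see the validation result and the one downgrade in the constructed file (SqlInjectionRule from HIGH to INFO); swap in your own rules file and default table to use it as a pre-commit or CI check on severity changes.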
For the complete list of available rules, see Defining Rules.