I'll point out that they do mention other scanning tools
https://appdefensealliance.dev/casa/tier-2/tooling-matrix
Including SONAR, which actually does offer static analysis of RPG code.
https://www.sonarsource.com/knowledge/languages/rpg/
However, the RPG scanning requires an Enterprise (read $$$) license. And
from what I see in the rules, there's only one related to OWASP.
https://rules.sonarsource.com/rpg/tag/owasp/RSPEC-4507/
Delivering code in production with debug features activated is
security-sensitive. It has led in the past to the following vulnerabilities:
- CVE-2018-1999007
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007>
- CVE-2015-5306
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306>
- CVE-2013-2006
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006>
Veracode is also listed and apparently has some support for RPG
https://docs.veracode.com/r/r_supported_table
HTH,
Charles
On Mon, Oct 16, 2023 at 10:33 AM Brad Stone <bvstone@xxxxxxxxx> wrote:
I'm getting the runaround with application approval by Google.
First they requested credentials to test my app that works with Google
Drive. I told them they would need to find an IBM i and a google account
and they could test all they wanted.
So, then they came back with:
- Follow the CASA Tier 2 procedures
<https://appdefensealliance.dev/casa/tier-2/tier2-overview> to self scan
your application
- Fix any high severity CWEs flagged by your scan
- Register <https://rc.products.pwc.com/login/casa/register> or
<https://rc.products.pwc.com/login/casa/> to the CASA portal and
initiate your security assessment
- Submit your scan results and fill out the CASA questionnaire on the
portal
- Receive the results and validation report in the CASA portal
- The CASA portal will automatically share the Letter of Validation
Looking at the test, it appears to be made for APKs, Java, etc.
When I explained it would be impossible (and least when I looked at it
quickly) they came back with:
"Since your application is written in an unsupported outdated language it
will fail CASA, as CASA requires all applications to be up to date with
security practices and utilizes patched/updated packages and programming
languages. This is to ensure the privacy and security of your application
and your users private data. "
I know I know.. "just do it in open source"... nah. I think IBM needs to
hear what Google thinks of RPGLE and their platform.
The whole point of this is to give access to APIs on the "native" side of
the IBM i. The last thing I want to do is help customers set up open
source.
Bradley V. Stone
www.bvstools.com
Native IBM i e-Mail solutions for Microsoft Office 365, Gmail, or any
Provider!
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.