


Ya, I'm not giving my code for scanning. That's redic. :)

On Tue, Oct 17, 2023 at 9:05 AM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

I'll point out that they do mention other scanning tools
https://appdefensealliance.dev/casa/tier-2/tooling-matrix

Including SONAR, which actually does offer static analysis of RPG code.
https://www.sonarsource.com/knowledge/languages/rpg/

However, the RPG scanning requires an Enterprise (read $$$) license. And
from what I see in the rules, there's only one related to OWASP.
https://rules.sonarsource.com/rpg/tag/owasp/RSPEC-4507/

Delivering code in production with debug features activated is
security-sensitive. It has led in the past to the following
vulnerabilities:

- CVE-2018-1999007 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007>
- CVE-2015-5306 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306>
- CVE-2013-2006 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006>


Veracode is also listed and apparently has some support for RPG
https://docs.veracode.com/r/r_supported_table



HTH,
Charles


On Mon, Oct 16, 2023 at 10:33 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

I'm getting the runaround with application approval by Google.

First they requested credentials to test my app that works with Google
Drive. I told them they would need to find an IBM i and a google account
and they could test all they wanted.

So, then they came back with:


- Follow the CASA Tier 2 procedures <https://appdefensealliance.dev/casa/tier-2/tier2-overview> to self scan your application
- Fix any high severity CWEs flagged by your scan
- Register <https://rc.products.pwc.com/login/casa/register> or log-in <https://rc.products.pwc.com/login/casa/> to the CASA portal and initiate your security assessment
- Submit your scan results and fill out the CASA questionnaire on the portal
- Receive the results and validation report in the CASA portal
- The CASA portal will automatically share the Letter of Validation with Google

Looking at the test, it appears to be made for APKs, Java, etc.

When I explained it would be impossible (at least when I looked at it
quickly) they came back with:

"Since your application is written in an unsupported outdated language it
will fail CASA, as CASA requires all applications to be up to date with
security practices and utilizes patched/updated packages and programming
languages. This is to ensure the privacy and security of your application
and your users' private data."

I know I know.. "just do it in open source"... nah. I think IBM needs to
hear what Google thinks of RPGLE and their platform.

The whole point of this is to give access to APIs on the "native" side of
the IBM i. The last thing I want to do is help customers set up open
source.

Bradley V. Stone
www.bvstools.com
Native IBM i e-Mail solutions for Microsoft Office 365, Gmail, or any Cloud Provider!
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
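The Sonar rule quoted above (RSPEC-4507) is about debug features left switched on in code that ships to production. As an added illustration of the kind of check such a scanner performs, the script below is not Sonar's implementation and not code from this thread or from bvstools; it is a small, hypothetical lint that scans RPG IV source text for the control-option keyword DEBUG set to anything other than *NO (the keyword that makes DUMP operations active) and for DUMP operations themselves, which write program variables to a spool file. The assumption that these two constructs are what the rule targets is mine; the RPG samples are constructed for the example and include one vulnerable version beside its hardened form.

```python
"""Hypothetical checker for debug features left active in RPG IV source.

Not Sonar's rule engine: a minimal illustration of scanning for the
DEBUG control keyword and DUMP operation codes, in both free-form
(CTL-OPT) and fixed-form (H/C spec) source.
"""
import re
from dataclasses import dataclass

# DEBUG(...) keyword on an H spec or CTL-OPT statement, any case.
DEBUG_KW = re.compile(r"\bDEBUG\s*\(\s*([^)]*)\)", re.IGNORECASE)
# DUMP or DUMP(A) operation code; word boundary keeps names like DUMPFILE out.
DUMP_OP = re.compile(r"\bDUMP\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "debug-keyword" or "dump-op"
    text: str


def is_comment(line: str) -> bool:
    """Free-form '//' comment, or fixed-form comment (asterisk in column 7
    with the sequence-number columns 1-5 left blank)."""
    if line.lstrip().startswith("//"):
        return True
    return len(line) >= 7 and line[6] == "*" and line[:6].strip() == ""


def find_debug_features(source: str) -> list[Finding]:
    """Return one Finding per debug-related construct, in source order."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        if is_comment(line):
            continue
        m = DEBUG_KW.search(line)
        if m and m.group(1).strip().upper() != "*NO":
            findings.append(Finding(n, "debug-keyword", line.strip()))
        if DUMP_OP.search(line):
            findings.append(Finding(n, "dump-op", line.strip()))
    return findings


def is_production_safe(source: str) -> bool:
    """True when no debug feature is active in the given source."""
    return not find_debug_features(source)


# Constructed sample: free-form program with DEBUG(*YES) and a DUMP.
SAMPLE_SRC = """\
**free
// Constructed sample: debug keyword left on (finding expected)
ctl-opt dftactgrp(*no) debug(*yes);
dcl-s token varchar(64);
token = 'secret';
dump(a);
return;
"""

# Hardened form of the same sample: DEBUG(*NO) and the DUMP removed.
HARDENED_SRC = SAMPLE_SRC.replace("debug(*yes)", "debug(*no)").replace("dump(a);\n", "")

# Constructed fixed-form sample; the comment line must be ignored.
FIXED_SRC = """\
     H DEBUG(*YES) DFTACTGRP(*NO)
     C                   DUMP
      * DUMP in a comment line is ignored
"""


def report(label: str, source: str) -> None:
    print(f"== {label}: {'clean' if is_production_safe(source) else 'FINDINGS'}")
    for f in find_debug_features(source):
        print(f"  line {f.line_no}: {f.kind}: {f.text}")


if __name__ == "__main__":
    report("free-form sample", SAMPLE_SRC)
    report("hardened sample", HARDENED_SRC)
    report("fixed-form sample", FIXED_SRC)
```

Run on the constructed input it flags line 3 (the DEBUG keyword) and line 6 (the DUMP) of the free-form sample, both lines of the fixed-form sample, and nothing in the hardened copy. A real scanner would also consider compile-time settings that do not appear in the source text at all, which is why the hardened source alone is not proof that a deployed object carries no debug data.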




