SAST for IBM z/OS: PL/I (and Cobol)

Release notes

Problem to solve

Add PL/I code analysis and security scanning. PL/I is another language in the IBM ecosystem, alongside COBOL, and is widely used on IBM z/OS.

Depending on the scope, COBOL security scanning could be integrated in the same way.

Intended users

User experience goal

  • CLI/container for automated scanning
  • MR report integration
  • Security dashboard insights
  • Optional: Deeper integration with IBM tools, e.g. URL references

Proposal

  • Analyse the AppScan CLI on z/OS
  • Add GitLab Runner support, in Docker or natively in Go (gitlab-runner#27526, closed)
  • Execute scans
  • Parse the results into the GitLab SAST report format
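The last step above, converting a scanner's own findings into a GitLab SAST report that the MR widget and security dashboard can ingest, as an added example that is not part of this issue or of any IBM tool. Because the page does not specify the PL/I scanner's output format, the input findings, rule ids, file names and scanner ids are constructed placeholders; the output field names follow the GitLab SAST report JSON shape (version, vulnerabilities, scan).

```python
"""Constructed example: turn scanner findings into a GitLab SAST report dict.
The scanner output format is assumed (plain dicts); scanner/analyzer ids are
placeholders, not real product identifiers."""
import hashlib
import json

SCANNER = {"id": "pli-scanner", "name": "Hypothetical PL/I scanner"}  # placeholder

# Constructed findings standing in for whatever the z/OS scanner would emit.
SAMPLE_FINDINGS = [
    {"rule": "PLI-STR-001", "message": "Unbounded SUBSTR into fixed-length string",
     "file": "src/PAYROLL.pli", "line": 42, "severity": "High", "cwe": "CWE-120"},
    {"rule": "PLI-SQL-003", "message": "EXEC SQL statement built from untrusted input",
     "file": "src/ACCTS.pli", "line": 118, "severity": "critical", "cwe": "CWE-89"},
]
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Info"}

def stable_id(finding: dict) -> str:
    """Deterministic id so GitLab can track the same finding across pipelines."""
    key = f"{finding['rule']}|{finding['file']}|{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()

def to_vulnerability(finding: dict) -> dict:
    """Map one scanner finding onto a SAST report vulnerability entry."""
    cwe_num = finding["cwe"].split("-", 1)[1]
    return {
        "id": stable_id(finding),
        "name": finding["message"],
        "description": f"{finding['rule']}: {finding['message']}",
        # Unknown severities are reported as such rather than dropped.
        "severity": SEVERITY_MAP.get(finding.get("severity", "").lower(), "Unknown"),
        "scanner": SCANNER,
        "location": {"file": finding["file"], "start_line": finding["line"],
                     "end_line": finding["line"]},
        "identifiers": [
            {"type": "pli_rule_id", "name": finding["rule"], "value": finding["rule"]},
            {"type": "cwe", "name": finding["cwe"], "value": cwe_num,
             "url": f"https://cwe.mitre.org/data/definitions/{cwe_num}.html"},
        ],
    }

def build_report(findings: list, start: str, end: str) -> dict:
    """Assemble the full report; timestamps use the schema's YYYY-MM-DDThh:mm:ss form."""
    tool = {**SCANNER, "version": "0.0.0", "vendor": {"name": "example"}}
    return {"version": "15.0.0",
            "vulnerabilities": [to_vulnerability(f) for f in findings],
            "scan": {"analyzer": tool, "scanner": tool, "type": "sast",
                     "start_time": start, "end_time": end, "status": "success"}}

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_FINDINGS, "2024-01-01T00:00:00",
                                  "2024-01-01T00:05:00"), indent=2))
```

The resulting JSON would be written to the path declared under `artifacts: reports: sast` in the job definition so the pipeline picks it up.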

This is a commercial platform, so open source scanners may not exist or may be hard to find. The proposal is to integrate with existing solutions, or to use existing IBM tools on z/OS.

Collaborate with IBM and our alliances team to evaluate possible solutions. cc @vkelkar @GitlabAaron

Further details

GitLab Runner feature requests for IBM Z and z/OS:

SAST to Complete epic: &2895 (closed)

  • SAST languages: &297

Related insights into PL/I

Permissions and Security

Documentation

Availability & Testing

Available Tier

  • Ultimate

What does success look like, and how can we measure that?

  • MVC with a scanner integration and security MR integration works
  • IBM OEM partnership leads increase

What is the type of buyer?

Is this a cross-stage feature?

Links / references

