Re: Source code review package? -- MIDRANGE-L

David,

I follow, in a passive sort of way, the secure coding mailing list
<http://securecoding.org/list/>. I have seen much discussion of tools
to examine source code for vulnerabilities, but I remember nothing that
struck me as useful for the system i.

It is sad that the system allows a program to construct names of
programs and commands a run-time. Necessary, perhaps, but still sad.
The ability to split a token across source lines also confounds scanning
source code.

DSPPGMREF does show you when the called name of a program is variable,
which helps a bit. But I, fer shur, cannot list all the ways of
executing something.

Sigh!

Terry.

On Fri, 2008-10-10 at 14:28 -0500, David Gibbs wrote:

Folks:

I've got a customer that's looking for some kind of 'code review' tools that might exist.

Basically, they're looking to scan their source code and look for things like specific commands the developers potentially shouldn't be using, like GRTOBJAUT, or maybe a hard-coded account number. This would probably be some type of scan utility where they could fill in some variables that the tool would scan for.

Has anyone run across anything like that? I don't know if such a thing even exists.

Thanks!

david

--
IBM i on Power - For when you can't afford to be out of business

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.