RPG4 Scan rules
Contrast Scan supports these rules for RPG4.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Connection String Parameter Pollution | OPT.RPG4.SEC.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
Critical | Cross Site Scripting | OPT.RPG4.SEC.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | OS Command Injection | OPT.RPG4.SEC.OSCommandInjection | OSCommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Critical | Process Control | OPT.RPG4.SEC.ProcessControl | ProcessControl: Avoid calling subprogram where its name could be controlled by user input |
Critical | Regex Injection | OPT.RPG4.SEC.RegexInjection | RegexInjection: Prevent denial of service attack through malicious regular expression ('Regex Injection') |
Critical | Resource Injection | OPT.RPG4.SEC.ResourceInjection | ResourceInjection: Improper Control of Resource Identifiers ('Resource Injection') |
Critical | SQL Injection | OPT.RPG4.SEC.SqlInjection | SqlInjection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Critical | Alloc Heap Misuse | OPT.RPG4.REL.AllocHeapMisuse | AllocHeapMisuse: Check that allocated memory is properly freed |
Critical | Path Manipulation | OPT.RPG4.SEC.PathManipulation | PathManipulation: External Control of File Name or Path |
Critical | Read Record Before Update Delete | OPT.RPG4.SEC.ReadRecordBeforeUpdateDelete | ReadRecordBeforeUpdateDelete: A record UPDATE or DELETE operation must be preceded by a record read operation (CHAIN or READxxx) |
Critical | Special Authority Granted | OPT.RPG4.SEC.SpecialAuthorityGranted | SpecialAuthorityGranted: Least privilege failure due to special authority granted |
Critical | Unexpected Key Select | OPT.RPG4.SEC.UnexpectedKeySelect | UnexpectedKeySelect: Authorization Bypass Through User-Controlled SQL Primary Key |
Critical | Check Crypto Return Code | OPT.RPG4.SEC.CheckCryptoReturnCode | CheckCryptoReturnCode: Validate return code for cryptographic operations |
Critical | Hardcoded Crypto Key | OPT.RPG4.SEC.HardcodedCryptoKey | HardcodedCryptoKey: Use of Hard-coded Cryptographic Key |
High | Ldap Injection | OPT.RPG4.SEC.LdapInjection | LdapInjection: Avoid non-neutralized user-controlled input in LDAP search filters. |
High | Log Forging | OPT.RPG4.SEC.LogForging | LogForging: Improper Output Neutralization for Logs |
High | Avoid Binary Declarations | OPT.RPG4.AvoidBinaryDeclarations | AvoidBinaryDeclarations: Avoid declaring variables of binary type |
High | Const Params When Not Modified | OPT.RPG4.ConstParamsWhenNotModified | ConstParamsWhenNotModified: Use 'Const' for subprocedure parameters that are not modified |
High | Initialize Variables | OPT.RPG4.InitializeVariables | InitializeVariables: Initialize each variable in its declaration |
High | Call Parameter Mismatch | OPT.RPG4.REL.CallParameterMismatch | CallParameterMismatch: Parameter mismatch in CALL |
High | Pointer Arithmetic | OPT.RPG4.SEC.PointerArithmetic | PointerArithmetic: Avoid pointer arithmetic in RPG |
High | Hardcoded Ip | OPT.RPG4.SEC.HardcodedIp | HardcodedIp: Do not write IP address in source code |
High | No Active Debug Rule | OPT.RPG4.SEC.NoActiveDebugRule | NoActiveDebugRule: Information Exposure Through Debug Information |
High | Position Before Read File | OPT.RPG4.SEC.PositionBeforeReadFile | PositionBeforeReadFile: Every READE command must be preceded by SETLL |
High | Sensitive Security Api Call | OPT.RPG4.SEC.SensitiveSecurityApiCall | SensitiveSecurityApiCall: Call to sensitive Security API element. |
High | Insecure Randomness | OPT.RPG4.SEC.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks |
High | Insufficient Key Size | OPT.RPG4.SEC.InsufficientKeySize | InsufficientKeySize: Weak cryptography, insufficient key length |
High | Weak Crypto Hash | OPT.RPG4.SEC.WeakCryptoHash | WeakCryptoHash: Weak cryptographic hashes cannot guarantee data integrity |
High | Weak Encryption Algorithm | OPT.RPG4.SEC.WeakEncryptionAlgorithm | WeakEncryptionAlgorithm: Weak encryption algorithm |
Info | Avoid Capital Specification | OPT.RPG4.AvoidCapitalSpecification | AvoidCapitalSpecification: Use lowercase letters for certain sections |
Info | Avoid Hard Coding | OPT.RPG4.AvoidHardCoding | AvoidHardCoding: Declare constants instead of string and integer literals |
Info | Avoid Old Opcodes | OPT.RPG4.AvoidOldOpcodes | AvoidOldOpcodes: Avoid obsolete operation codes in RPG IV |
Info | Capital Logical Operator | OPT.RPG4.CapitalLogicalOperator | CapitalLogicalOperator: Logical operators must be coded in upper-case |
Info | Comments In Program | OPT.RPG4.CommentsInProgram | CommentsInProgram: Place comments in the header and on each procedure declaration of an RPG program |
Info | Declarations Order | OPT.RPG4.DeclarationsOrder | DeclarationsOrder: Element declaration order in RPG programs and procedures |
Info | Format H Specifications | OPT.RPG4.FormatHSpecifications | FormatHSpecifications: Control specifications must begin at column 8 |
Info | Store Copy Prototype | OPT.RPG4.StoreCopyPrototype | StoreCopyPrototype: Copy prototypes when necessary |
Info | Use B I F Instead Op Code | OPT.RPG4.UseBIFInsteadOpCode | UseBIFInsteadOpCode: Use built-in functions instead of operation codes |
Info | Use Eval For String Manipulation | OPT.RPG4.UseEvalForStringManipulation | UseEvalForStringManipulation: It is preferable to use the EVAL statement of free-format |
Info | Use Select Instead Cas Or Nested If | OPT.RPG4.UseSelectInsteadCasOrNestedIf | UseSelectInsteadCasOrNestedIf: Avoid complex IF ... ELSEIF, or CASxx |
Info | Password In Comment | OPT.RPG4.SEC.PasswordInComment | PasswordInComment: Avoid placing passwords and other sensitive info in code comments |
Low | Avoid Blocked Records | OPT.RPG4.AvoidBlockedRecords | AvoidBlockedRecords: Use (N) option to read records |
Low | Avoid Dangerous Conditional Sentences | OPT.RPG4.AvoidDangerousConditionalSentences | AvoidDangerousConditionalSentences: Do not use GOTO / TAG, CABXX and COMP statements |
Low | Avoid Display Operation | OPT.RPG4.AvoidDisplayOperation | AvoidDisplayOperation: Do not use the DISPLAY operation |
Low | Avoid From Column In Data Fields | OPT.RPG4.AvoidFromColumnInDataFields | AvoidFromColumnInDataFields: Avoid using columns to indicate the beginning of a field |
Low | Avoid Obsolete Loops | OPT.RPG4.AvoidObsoleteLoops | AvoidObsoleteLoops: Do not use IFxx, WHENxx, DOUxx and DOWxx operations |
Low | Avoid Read E In Loops | OPT.RPG4.AvoidReadEInLoops | AvoidReadEInLoops: Do not use READE operations within loops |
Low | Avoid Read P Read Pe | OPT.RPG4.AvoidReadPReadPe | AvoidReadPReadPe: Avoid READP and READPE |
Low | Avoid Special Chars | OPT.RPG4.AvoidSpecialChars | AvoidSpecialChars: Do not use special characters in variable names |
Low | Built In Functions With Params | OPT.RPG4.BuiltInFunctionsWithParams | BuiltInFunctionsWithParams: Use %EOF(), %FOUND() and %EQUAL() with parameters |
Low | Check Indicators Near Set | OPT.RPG4.CheckIndicatorsNearSet | CheckIndicatorsNearSet: Avoid excessive separation between assignment of an indicator and its usage |
Low | Close Opened Files | OPT.RPG4.CloseOpenedFiles | CloseOpenedFiles: Close all the opened files |
Low | End Block Instructions | OPT.RPG4.EndBlockInstructions | EndBlockInstructions: Use 'EndX' instructions instead of the generic 'End' |
Low | Eval Instead Of Set Move | OPT.RPG4.EvalInsteadOfSetMove | EvalInsteadOfSetMove: Use EVAL instead of SETON, SETOFF, MOVE and MOVEA with indicators |
Low | Include Procedure In Large Programs | OPT.RPG4.IncludeProcedureInLargePrograms | IncludeProcedureInLargePrograms: Avoid too long programs |
Low | Large Procedures | OPT.RPG4.LargeProcedures | LargeProcedures: Avoid too large procedures |
Low | Naming Conventions | OPT.RPG4.NamingConventions | NamingConventions: Certain naming conventions must be respected |
Low | Overlay Instead Positional Notation | OPT.RPG4.OverlayInsteadPositionalNotation | OverlayInsteadPositionalNotation: Avoid positional notation |
Low | Record Format In File Operations | OPT.RPG4.RecordFormatInFileOperations | RecordFormatInFileOperations: Use record-format in file operations |
Low | Use Free Format Syntax | OPT.RPG4.UseFreeFormatSyntax | UseFreeFormatSyntax: Use free-format syntax when available |
Low | Use Named Constants To Call Programs | OPT.RPG4.UseNamedConstantsToCallPrograms | UseNamedConstantsToCallPrograms: Use named constants with CALL and CALLB operations |
Low | Avoid Debug Control Sentences | OPT.RPG4.AvoidDebugControlSentences | AvoidDebugControlSentences: Do not use DEBUG in control-specification statements |
Medium | Format String Injection | OPT.RPG4.SEC.FormatStringInjection | FormatStringInjection: Exclude unsanitized user input from format strings |
Medium | Avoid Calling Modules | OPT.RPG4.AvoidCallingModules | AvoidCallingModules: Avoid calling modules |
Medium | Avoid Declare Vbles In Calc Spec | OPT.RPG4.AvoidDeclareVblesInCalcSpec | AvoidDeclareVblesInCalcSpec: Avoid variable declarations in calculation specification |
Medium | Constant Instead Array Table | OPT.RPG4.ConstantInsteadArrayTable | ConstantInsteadArrayTable: If an array field is assigned just once, declare it as a constant |
Medium | Declare Date Properly | OPT.RPG4.DeclareDateProperly | DeclareDateProperly: Declare variables with the suitable type |
Medium | Improve Function Keys | OPT.RPG4.ImproveFunctionKeys | ImproveFunctionKeys: Avoid indicators *Inkx |
Medium | Include Inz Sr | OPT.RPG4.IncludeInzSr | IncludeInzSr: Include *InzSr subroutine in the main section of the RPG program |
Medium | Naming Indicators | OPT.RPG4.NamingIndicators | NamingIndicators: Name all declared indicators |
Medium | Use Built In Instead Of Indicator | OPT.RPG4.UseBuiltInInsteadOfIndicator | UseBuiltInInsteadOfIndicator: Use built-in functions instead of indicators |
Medium | Use Only Call P | OPT.RPG4.UseOnlyCallP | UseOnlyCallP: Do not use CALL or CALLB |
Medium | Hardcoded Credential | OPT.RPG4.SEC.HardcodedCredential | HardcodedCredential: Use of Hard-coded Credentials |
Medium | Poor Error Handling | OPT.RPG4.SEC.PoorErrorHandling | PoorErrorHandling: Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed |
Medium | Privacy Violation | OPT.RPG4.SEC.PrivacyViolation | PrivacyViolation: Exposure of Private Information |