rspec/rules/S4507/cobol/rule.adoc

Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007[CVE-2018-1999007]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306[CVE-2015-5306]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006[CVE-2013-2006]

Debug statements (ones with 'D' or 'd'  in the indicator area) should not be executed in production, but the ``++WITH DEBUGGING MODE++`` clause activates all debug lines, which could expose sensitive information to attackers.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
SOURCE-COMPUTER. IBM-370 WITH DEBUGGING MODE.
----

== Compliant Solution

----
SOURCE-COMPUTER. IBM-370.
----

include::../see.adoc[]
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007[CVE-2018-1999007]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306[CVE-2015-5306]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006[CVE-2013-2006]`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Debug statements (ones with 'D' or 'd' in the indicator area) should not be executed in production, but the ``++WITH DEBUGGING MODE++`` clause activates all debug lines, which could expose sensitive information to attackers.
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`SOURCE-COMPUTER. IBM-370 WITH DEBUGGING MODE.`
			`----`

			`== Compliant Solution`

			`----`
			`SOURCE-COMPUTER. IBM-370.`
			`----`

			`include::../see.adoc[]`