COBOL is... Alive!

by freddy mallet|

    Most C, Java, C++, C#, JavaScript... developers reading this blog entry might think that COBOL is dead and that SonarSource should better focus its attention on more hyped languages like Scala, Go, Dart, and so on. But in 1997, the Gartner Group reported that 80 percent of the world's business ran on COBOL, with more than 200 billion lines of code in existence and an estimated 5 billion lines of new code annually. COBOL is mainly used in the banking and insurance markets, and according to what we have seen in the past years, the erosion of the number of COBOL lines of code used in production is pretty low. So not only is COBOL not YET dead, but several decades will be required to see this death really happen. We released the first version of the COBOL plugin at the beginning of 2010 and this language plugin was in fact the first one to embed our own source code analysis technology, even before Java, C, C++, PL/SQL, ... So at SonarSource, COBOL is a kind of leading technology :).

    Multiple vendor extensions and lack of structure

    The COBOL plugin embeds more than 130 rules, but before talking about those rules, let's talk about the wide range of different COBOL dialects that are supported by the plugin. Indeed, since 1959 several specifications of the language and preprocessor behavior have been published, and most COBOL compilers have extended those specifications. So providing an accurate COBOL source code analyser means supporting most of those dialects: IBM Enterprise Cobol, HP Tandem, Bull GCos, IBM Cobol II, IBM Cobol 400, IBM ILE Cobol, Microfocus AcuCobol, OpenCobol, ... which is the case for our plugin Moreover for those of you who are not familiar with COBOL source code: let's imagine a C source file containing 20,000 lines of code, no functions, and just some labels to group statements and to make it possible to "emulate" the concept of function. Said like this, I guess everyone can understand how easy it can be to write unmaintainable and unreliable COBOL programs.

    Need for tooling

    Starting from this observation, managing a portfolio of thousands of COBOL programs, each one containing thousands of COBOL lines of code, without any tooling to automatically detect quality defects and potential bugs is a bit risky. The SonarSource COBOL plugin allows to continuously analyse millions lines of COBOL code to detect such issues and here are several examples of the rules provided by the plugin:

    • Detection of unused paragraphs, sections and data items.
    • Detection of incorrect PERFORM ... THRU ... control flow, where the starting procedure is located after the ending one in the source code, thus leading to unexpected behavior.
    • Tracking of GO TO statements that transfer control outside of the current module, leading to unstructured code.
    • Copy of a data item (variable) into another, smaller data item, which can lead to data loss.
    • Copy of an alphanumeric data item to a numeric one, which can also lead to data loss.
    • Tracking of EVALUATE statements not having the WHEN OTHER clause (similar to an if without an else).
    • Detection of files which are opened but never closed.
    • ...

    And among those 130+ rules, 30+ target the SQL code which can be embedded into COBOL programs. One such rule tracks LIKE conditions starting with *. Another tracks the use of arithmetic expressions and scalar functions in WHEREconditions. And last but not least, here are some other key features of this SonarSource COBOL plugin :

    • Copybooks are analysed in the context of each COBOL program and issues are reported directly on those copybooks.
    • Remediation cost to fix issues is computed with help of the SQALE method:
    • Even on big COBOL applications containing thousands of COBOL programs and so potentially millions of lines of code and thousands of issues, tracking only new issues on new or updated source code is easy.
    • Duplications in PROCEDURE DIVISION and among all COBOL programs can also be tracked easily.
    • To make sure that code complies with internal coding practices, a Java API allows the development of custom rules.

    How hard it is to evaluate this COBOL plugin ?

    So YES, Cobol is alive, and the SonarSource COBOL plugin helps make it even more maintainable and reliable.