2

We are writing a large application using IBM Integration Bus and using ESQL as the major language for transformation. We are investigating CheckMarx for static code analysis and scanning, but CheckMarx does not support ESQL out of the box.

Is it possible to write a custom plugin for CheckMarx, to make it able to scan and analyse ESQL code as well? I can't find any online resource on this.

Jonathan Leffler
Aakash

2 Answers

1

When using Checkmarx, it is quite easy to create your own custom queries and fine tune the scans for the supported languages.

Since esql files are not yet supported by Checkmarx, it means esql is not parsed. It is not possible to write a custom plugin.

You can contact Checkmarx Support and ask if scanning esql is planned in the future.

yaloner
  • Thank you @yaloner. But it does not answer my question. Is it possible to write a custom plugin for CheckMarx? – Aakash Jun 01 '16 at 04:06
  • No, it is not possible. Added it to my answer. – yaloner Jun 01 '16 at 04:20
  • Thank you. Selected as answer now. :) – Aakash Jun 01 '16 at 04:31
  • Have you had any traction on this issue over the past 2 years. I also am curious about Informix support. – ojblass May 10 '18 at 15:44
  • @ojblass No. I have left that company altogether and I do not have any idea about how they are doing it. The latest I knew is that no tool was being used for static code analysis when I left the company. – Aakash May 12 '18 at 07:15
0

The selected answer is not entirely true. Informix ESQL/C files are first parsed and intermediate C files are created. This means that Checkmarx's support for the C programming language could be used to accommodate the files, provided you use the -keep option when generating the intermediate files. The same is true for the 4GL files that Informix uses. The major problem here is that it would be difficult to map the original source line to the generated C code's line. The results would be hard to consume.

ojblass
  • This question is related to the IBM Integration Bus, which has Extended SQL (see tag [extended-sql]); it is not related to embedding SQL statements in a host language such as C (see tag [embedded-sql]), which your answer seems to be referencing. – JoshMc May 10 '18 at 22:03
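The answer above points out that findings reported on preprocessor-generated C are hard to consume because their line numbers refer to the generated file, not the original source. The following is an added example, not code from the question, either answer, Checkmarx or IBM. It shows one way to close that gap when the preprocessor leaves standard C `#line N "file"` directives in its output: the directives are parsed into a physical-line to original-line map, and constructed scanner findings (a line number plus a rule name) are translated back to the original file and line. Whether a given Informix esql version actually emits `#line` directives is an assumption here, as is the sample generated file; both are labelled as such in the code.

```python
"""Map findings on preprocessor-generated C back to the original source.

Added example (not from the question, the answers, Checkmarx or IBM).
Assumption: the preprocessor that produced the C file emitted standard
'#line N "file"' directives. Check this for your esql version before use.
"""
import re
from typing import Dict, List, Optional, Tuple

# A '#line' directive sets the line number (and optionally the file) that
# applies to the NEXT physical line of the generated file.
LINE_DIRECTIVE = re.compile(r'^\s*#\s*line\s+(\d+)(?:\s+"([^"]*)")?')

# Constructed sample of a generated C file (hypothetical preprocessor output).
# Physical lines are 1-based positions in this string, not lines of any .ec.
GENERATED_C = '''\
/* header emitted by a hypothetical preprocessor */
#include <stdio.h>
#line 1 "orders.ec"
int main(void) {
    char name[32];
#line 7 "orders.ec"
    strcpy(name, argv_value);
    sprintf(buf, "%s", name);
#line 1 "runtime_stub.h"
static int helper(void) { return 0; }
'''

Origin = Optional[Tuple[str, int]]


def build_line_map(generated: str) -> Dict[int, Origin]:
    """Return {physical_line: (original_file, original_line)}.

    Lines that precede the first directive, and the directive lines
    themselves, map to None because they are not user-written code.
    """
    mapping: Dict[int, Origin] = {}
    current_file: Optional[str] = None
    current_line = 0
    for phys, text in enumerate(generated.splitlines(), start=1):
        m = LINE_DIRECTIVE.match(text)
        if m:
            current_line = int(m.group(1))
            if m.group(2) is not None:      # a bare '#line N' keeps the file
                current_file = m.group(2)
            mapping[phys] = None
            continue
        if current_file is None:
            mapping[phys] = None
        else:
            mapping[phys] = (current_file, current_line)
            current_line += 1
    return mapping


# Constructed finding shape: (line in the generated C file, rule name).
Finding = Tuple[int, str]


def translate_findings(findings: List[Finding], mapping: Dict[int, Origin]) -> List[dict]:
    """Rewrite each finding to point at the original file and line.

    Findings that land on generator-owned lines (no directive in scope) are
    kept but marked 'unmapped' so an analyst can see they were not dropped.
    """
    out = []
    for line, rule in findings:
        origin = mapping.get(line)
        if origin is None:
            out.append({"rule": rule, "file": None, "line": None, "status": "unmapped"})
        else:
            src_file, src_line = origin
            out.append({"rule": rule, "file": src_file, "line": src_line, "status": "mapped"})
    return out


if __name__ == "__main__":
    line_map = build_line_map(GENERATED_C)
    # Constructed findings, as a C scanner might report them on GENERATED_C.
    for item in translate_findings([(7, "strcpy"), (8, "sprintf"), (2, "include")], line_map):
        print(item)
```

Findings that map back to a file the preprocessor itself owns (the constructed `runtime_stub.h` above) still carry that file name, so they can be filtered or triaged separately from findings in the team's own `.ec` sources.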