Just as SAP runs security checks on the standard software it delivers, it offers tools that let customers do the same for their own code. The tool is called "SAP NetWeaver Application Server add-on for code vulnerability analysis", also known as Code Vulnerability Analyzer (CVA). It carries out a static analysis of custom ABAP source code in order to reveal possible security risks.
The tool is available in NetWeaver ABAP Stack based deployments starting with the following versions:
- NetWeaver 7.0 EHP2: SP 14 or higher
- NetWeaver 7.0 EHP3: SP 09 or higher
- NetWeaver 7.3 EHP1: SP 09 or higher
- NetWeaver 7.4: SP05 or higher
In order to use the CVA tool, system-wide security checks first need to be enabled with report RSLIN_SEC_LICENSE_SETUP. Afterwards the security checks are available in the standard ABAP code checking tools: ABAP Test Cockpit (ATC), Code Inspector (SCI), and the extended program check. The option for these checks is usually called "Security Analyses in Extended Program Check". Also notice that the tool has several limitations; see the SAP Notes below for details.
Notice that usage of the security check features for custom code is licensed separately and incurs additional costs.
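To show the kind of finding such a static analysis of custom ABAP code is meant to surface, here is a constructed example (added here, not code from the original post or from SAP): a dynamic WHERE clause built from unvalidated input, beside two hardened variants. The report name, the selection on MARA and the parameter are assumptions made for the illustration.

```abap
REPORT z_cva_demo.
" Constructed example: a dynamic Open SQL WHERE clause assembled from a
" selection screen parameter, of the kind a code vulnerability check flags.
PARAMETERS p_matnr TYPE matnr.

DATA lt_mara  TYPE STANDARD TABLE OF mara.
DATA lv_where TYPE string.

" Risky: the raw input is concatenated into the dynamic condition, so a value
" containing a quote can change the meaning of the WHERE clause.
lv_where = |MATNR = '{ p_matnr }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).

" Hardened (dynamic): cl_abap_dyn_prg=>quote returns the value wrapped in
" single quotes with embedded quotes doubled, so it stays a literal.
lv_where = |MATNR = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).

" Preferred: a static WHERE clause needs no dynamic construction at all.
SELECT * FROM mara INTO TABLE lt_mara WHERE matnr = p_matnr.
```

Running the ATC or Code Inspector with the security checks enabled on a report like this reports the first SELECT and not the other two, which is how the value of the check is verified after RSLIN_SEC_LICENSE_SETUP has been executed.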
- update 2022NOV22 -
The following other tools can also be used to scan ABAP code:
- t-code CODE_SCANNER (program AFX_CODE_SCANNER)
- program RS_ABAP_SOURCE_SCAN
- program RS_B4HANA_CODE_SCAN – specific to BW systems, included in the BW/4 Starter Add-on
More information:
- 1855773 - Security checks for customer-specific ABAP programs
- 1697494 - Customer Code Scans
- 1841643 - Customer Security Vulnerability Scans
- 1949276 - Code vulnerability analyzer: Restrictions