The SAP Code Vulnerability Analyzer is an ABAP program that searches ABAP source code for potential security vulnerabilities. Its built-in dataflow detection logic reduces the number of false positives by eliminating findings where the data used in potentially dangerous statements comes from safe sources. Although the code vulnerability analyzer can be used standalone or via the SAP Code Inspector, it is recommended to use it solely via the ABAP Test Cockpit (ATC), since, for instance, exemptions can be used only with ATC.
The tool comes with extensive documentation that assists developers in fixing the findings it reports. The navigation support in ATC was improved so that it not only allows navigation to the potentially vulnerable statement but also to the code identified by the dataflow logic as manipulating the input to that statement.
The code vulnerability analyzer is a separately licensed feature which is disabled by default.
The product is available with:
- SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14
- SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09
- SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09
- SAP NetWeaver AS ABAP 7.4 Support Package 05
With the code vulnerability analyzer, you can check development objects for security vulnerabilities such as:
- SQL Injections
- ABAP Code Injections
- OS Command Injections
- Insufficient protection against directory traversal attacks
- Missing or incorrect authorization checks
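As an added illustration of the SQL injection category above (constructed example, not code from the page or from SAP), the following report shows a dynamic WHERE clause fed from a screen parameter, the same clause after neutralization with `cl_abap_dyn_prg=>quote`, and a clause assembled only from a literal, which is the kind of safe-source case the dataflow logic described above is meant to leave unreported. The report, parameter and variable names are assumptions; SFLIGHT is the standard flight-model demo table.

```abap
REPORT z_cva_sql_injection_demo.

" Constructed demonstration (not SAP or page code); report, parameter and
" variable names are assumptions. SFLIGHT is the standard demo table.

PARAMETERS p_carr TYPE c LENGTH 3.                " user-controlled input

DATA lt_flights TYPE STANDARD TABLE OF sflight.
DATA lv_where   TYPE string.

" Clause built only from a literal: no external data reaches the operand.
CONSTANTS gc_where TYPE string VALUE `CARRID = 'LH'`.

" 1. Reported as a potential SQL injection: the screen parameter flows
"    unchanged into the dynamic WHERE clause. A value containing a single
"    quote breaks out of the literal and changes the meaning of the query.
lv_where = |CARRID = '{ p_carr }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" 2. Hardened: cl_abap_dyn_prg=>quote( ) wraps the value in single quotes
"    and doubles any embedded quote, so the input stays inside the literal.
"    Where the clause need not be dynamic, a static WHERE carrid = p_carr
"    avoids the problem entirely.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carr ) }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" 3. Safe source: the dataflow logic can trace the operand back to the
"    constant above rather than to user input, so no finding is expected.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (gc_where).
```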
ABAP Test Cockpit: The ABAP Test Cockpit (ATC) is an ABAP check toolset that runs static checks and unit tests on your ABAP development objects.
Code Inspector: The Code Inspector is a tool for statically checking ABAP code and DDIC objects; it also allows customers to execute their own checks (transaction SCI).
Extended syntax check: The extended syntax check performs complex source code analyses for a single program (transaction SLIN).
SAP Note 1697494 - Customer Code Scans