Technical Articles
Remote Code Analysis in ATC – One central check system for multiple systems on various releases
This is the first blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).
See also blogs:
ATC Introduction
For those of you, who are using Code Inspector (SCI) and are not familiar with ABAP Test Cockpit (ATC) yet, it is SAP’s central quality assurance infrastructure for static functional, performance and security code checks, which bundles together the well-known and widely used quality tools like syntax check, SLIN, ABAP Unit, security checks and is extensible for your custom checks. ATC reuses Code Inspector checks and significantly improves the code quality by offering the uniform quality criteria for the whole development landscape and establishing new quality assurance processes (quality gates, exemptions, mass regression tests) to minimize errors in productive systems. Beyond this ATC is the toolset of choice to achieve the smooth migration of ABAP code to SAP HANA and SAP S/4HANA by means of special SAP HANA and SAP S/4HANA checks.
A very good general overview about ATC is in the blog ABAP Test Cockpit – an Introduction to SAP’s new ABAP Quality Assurance Tool. ATC is also integrated in the ABAP Development Tools in Eclipse (ABAP Test Cockpit for Developers in Eclipse).
Limitations
Imagine you have older systems (SAP_BASIS >= 7.00) with your own custom code base and would like to execute the latest security checks and SAP S/4HANA readiness checks for your custom code in order to get compliant to the increased corporate security requirements and prepare your code for the SAP S/4HANA migration.
One problem is, the ATC is only available with SAP_BASIS 7.02 therefore it isn’t present in your older systems at all. Another problem is, to apply uniform quality criteria for all your systems, the same checks must be in every system you want to check, that is not the case in heterogeneous landscapes with SAP_BASIS 7.02, 7.40, 750 and so on: every release has different checks. Besides this, the security checks are only available for SAP_BASIS 7.02 and the newest checks, e.g. for SAP S/4HANA readiness are only available with the SAP NetWeaver AS for ABAP 7.51 innovation package. Therefore it looks like you cannot apply the checks at all.
In fact, the way to tackle this problem is not easy: you need to upgrade the whole system landscape to the latest SAP release and support package level and run ATC with the latest checks on each upgraded system. It means on the one side a big administration overhead, on the other side the upgrade might neither be intended currently at your company nor possible at all. As a consequence, the compliance with the increased corporate security requirements cannot be verified and your custom code cannot be prepared for the SAP S/4HANA.
Solution – Remote Code Analysis in ATC
So, how to apply the newest checks to all your systems in SAP landscape without having to upgrade each of them?
Starting with the SAP NetWeaver AS ABAP 7.51 innovation package SAP customers and partners can perform remote code analysis in ATC which allows to analyze remotely with the latest checks custom code even in older systems using only one system for ATC (SAP_BASIS >= 7.51).
You would need to set up one centralized SAP NetWeaver AS ABAP 7.51 or 7.52 (SAP_BASIS only) system as ATC check system and run ATC with the latest checks centrally in one system checking multiple systems in your landscape. You don’t need to upgrade your whole system landscape and can apply the latest checks.
For the problematic use case from above it means, by setting up one central ATC check system using remote code analysis, you can apply the latest security checks and SAP S/4HANA readiness checks for your whole system landscape.
Setup
All you need to do is to install and configure one ATC central check system: pure SAP Basis System (SAP_BASIS >=7.51) within your SAP system landscape. ATC check variant is maintained only in the ATC central check system and must be RFC-enabled.
During ATC execution the central check system accesses remotely the systems in your landscape through so-called Remote stubs using RFC connection. Remote stubs serve as interface between ATC central check system and checked systems and return a model from custom code which needs to be checked.
See the blog Remote Code Analysis in ATC – Technical Setup Step by Step for more details.
PLEASE NOTE: not all central ATC checks can be run against all releases in your system landscape. As an example, ATC checks for ABAP CDS don’t make sense on older releases. You have to check carefully whether the checks used will work against the release.
Advantages
The advantages of using ATC remote code analysis are obvious:
- Small impact on existing system landscape: no upgrade to the latest SAP release necessary
- The central check system can be installed independently with low effort (no upgrade, no test for business processes)
- One ATC central system can be used to check multiple SAP systems
- Latest checks can be applied by upgrading the central check system only.
- One quality standard for the whole system landscape possible, independent of uses releases in the development systems
- All new checks will be implemented by SAP only in new releases
- Administrative tasks only in the central system, e.g. maintain check variant
- Centralized handling of exemptions
- Baseline concept in case you want to suppress the findings from old legacy code
Hi Olga,
We are planning to setup Central ATC system and checking on sizing part. We will be connecting around 50 systems to central ATC system. Would you be able to guide us on the size of the systems in terms of memory /CPU/Apps needed to set this up.
Regards
Hi Kavita,
the sizing recommendation for the central ATC check system is provided in the blog https://blogs.sap.com/2016/12/13/remote-code-analysis-in-atc-technical-setup-step-by-step/ in the chapter "Technical Requirements". The sizing of the checked systems is irrelevant for remote scans with ATC.
Kind Regards,
Olga.
Thanks Olga!
Hello Olga
We have procured a Central Check system and set up ATC and CVA checks to run through it. The functionality works well when our Managed systems is S/4 HANA. There are few tool failures but that we had overcome after implementing relevant notes.
However, the behaviour is completely different when our Managed system is Netweaver (SAP_Basis 750 SP19 or less). Most of the checks configured over Central check variant are not usable. We observe an error that a particular check is not a "Psuedo enabled check". For example - we had enabled below checks for our ECC system (SAP Basis 750 SP19) on Central check system.
But when connected with ECC box - we receive an error that below checks are not Pseudo enabled.
============================================================================
1. Abap Dictionary Checks --> References to generated SQL views of CDS View in ABAP development objects
2. Abap Dictionary Checks --> References to generated SQL views of CDS View in dictionary objects
3. Security Checks --> DDIC: DB Tables (Logging Check)
4. General Checks --> BAPI Consistency Check
5. Core Data Services (CDS) --> Syntax Check/Generation --> Complexity of CDS Views
6. Core Data Services (CDS) --> Syntax Check/Generation --> Syntax Check for DCL Sources
7. Core Data Services (CDS) --> Syntax Check/Generation --> Status Check for DCL Sources
8. Core Data Services (CDS) --> Syntax Check/Generation --> CDS Access Control Attributes of CDS Views
9. Abap Dictionary Checks --> DDIC/CDS: Check Activation
10. Abap Dictionary Checks --> DDIC/CDS: Check for partly active object
11. Core Data Services (CDS) --> General Checks --> Annotation Check for Data Definations
12. Core Data Services (CDS) --> General Checks --> Referenced objects in CDS
13. Core Data Services (CDS) --> Syntax Check/Generation --> Syntax Check for CDS Metadata Extensions
14. Proxy Checks --> Proxy Checks
15. Core Data Services (CDS) --> General Checks --> SADL Runtime Checks
16. User Interfaces --> Analyse 'SAP Scripts' Documents
17. Dynamic Test --> ABAP Unit
18. User Interfaces --> Web Dynpro Component - Conventions
============================================================================
As you see, we have ended up removing a lot of checks that are required but since its not supported, the project teams shy away from using Central check system for their ATC and CVA runs.
Isn't this over shadowing the benefit of Central check system and not upgrading the Managed system to latest release?
Regards
Anuj
Hi Anuj,
thank you very much for your detailed description and feedback. We have already recognized that while assigning checks to a check variant, customers don't have information whether the checks assigned to the variant will be compatible with a specific release in a checked system, and the compatibility of checks can currently only be verified by defining a new run series, what is too late. This issue is already in our development backlog.
Thank you again.
Kind Regards,
Olga.
Hi Olga
Thank you for your response. Indeed, that would be great to know before hand whether a check is compatible or not when this functionality is made available.
My concern is more around the benefits a Central check system shall provide to run the checks that are not available because of lower available release on Managed system. However, we don't seem to be enjoying that benefit because ir-respective a check is configured locally or centrally, we won't be able to run those checks.
Regards
Anuj