This document tries to answer the most important questions about the Remote Code Analysis in ABAP Test Cockpit (ATC).
With the SAP NetWeaver AS ABAP 7.51 innovation package SAP customers and partners can perform Remote Code Analysis in ATC which allows to analyze remotely with the latest checks custom code even in older systems using only one system for ATC (SAP_BASIS >= 7.51).
For more information about Remote Code Analysis in ATC please take a look at the Remote Code Analysis in ATC – One central check system for multiple systems on various releases.
If you have common questions, which should be answered in this collection, you can propose them here, in case you are interested to discuss more specific topics please take part at the forum/discussions.
- What are the total license costs for the initial setup of ATC including the new SAP NetWeaver AS for ABAP 7.51 or 7.52 system? Do we have to extend every developer license?
- Do we really need one extra system for only running ATC? Do we need then one central ATC for all systems in the system landscape?
- Do I need to implement any special SAP Note in older SAP systems?
- Do we need to pay separate license costs for security checks?
- What does Code Vulnerability Analysis (CVA) deliver additionally to ATC?
- Can I reuse our SAP Solution Manager system for setting up the ATC central system there?
- What about the integration into the ChaRM prozess? Can I track the ATC check results in the Solution Manager?
- Can I set the central ATC system equal to the central CCLM system?
- ChaRM: Is it possible to run ATC checks at status change to “To Be Tested” analogous to “Critical Objects”?
- Is it possible to check only new ABAP code during transport release in Transport Management System and let the old ABAP code pass?
- Can the ATC check runs be planned periodically?
- Can the ATC checks be integrated into the standard syntax check?
- Is the state of the approvals held on the ATC central check system or on the local checked system?
- How is the finding exactly referenced (code or source code line)?
- How expensive are remote ATC checks with respect to memory usage, execution time etc.?
- What about release dependent ATC checks? Various AS ABAP releases may contain different ABAP statements and commands, which must be checked differently.
- The ATC can be configured so, that it will run during transport release and the transport request will not be released in case of errors or warnings. Is this automatic check also planned for release of tasks and transport of copies?
- Can I restrict the ATC check only to my custom code (no check for SAP code)?
- Does the central ATC system need to know the release of the checked system e.g. to check differently if applicable?
- Can I extend the scope of the Remote Stubs, e.g. in order to add specific DDIC information for my own remote checks?
- We practice “collective code ownership”. Is there a way to address findings to the last user, instead of to the person responsible for the object?
- Can I mark already processed findings?
- During ATC remote checks run: will the ABAP Unit tests run on the local system?
- Is a check for searching pragmas or pseudo-comments are also planned? Background: Detect and approval process for unwanted pragmas (configurable)?
- Are there ATC checks for Web Dynpro?
- What happens to my exemption when I change the coding?
- Is it possible for a customer to scan partner add-ons?
- Is it possible to run ATC checks when releasing transport tasks?
- Which BAdIs can I use to implement extension points for ATC?
ABAP Test Cockpit is part of the SAP NetWeaver license. Since the ATC central check system acts only as runtime system for the ATC checks, there are no additional license costs.
The prerequisite for the additional security checks is the installation of SAP NetWeaver AS, add-on for Code Vulnerability Analysis (CVA) which is the separate fee-based product with additional license costs.
We recommend to setup one extra system for ATC. This system can check with ATC multiple systems in your landscape.
Yes, you need to implement the SAP Note 2270689 in older SAP Systems. For the future developer scenario you will need to implement further SAP Notes, which will be provided later.
Yes. SAP NetWeaver AS, add-on for Code Vulnerability Analysis (CVA) is the separate fee-based product with additional license costs.
Further information about CVA is on the SAP Community Wiki: SAP NetWeaver Application Server, Add-On for Code Vulnerability Analysis
ATC provides general check infrastructure including standard checks for functional correctness and performance. CVA delivers additional security checks, which can be integrated into ATC.
We recommend a really new system as ATC central system. The Solution Manager is currently based on a low SAP NetWeaver release (SolMan 7.2 is based on SAP NetWeaver 7.4). Besides this you would need to upgrade Solution Manager system each time you want to apply new ATC checks, that is the unnecessary effort.
Yes, the ATC is integrated into the ChaRM process. Just with the Solution Manager 7.2 the display of ATC results was improved. When the request is released by ChaRM, the results are displayed in the Solution Manager.
See also how ATC checks are integrated into the ChaRM in the Solution Manager 2.0 documentation on SAP Help Portal
Since the CCLM system is currently based on the Solution Manager, you cannot set the central ATC system equal to the central CCLM system.
The ATC checks run automatically only if the status is set to „Successfully Tested“(during release of original tasks). But you can also run ATC checks any time on demand (is possible starting with Solution Manager 7.2 SP3)
By making use of the baseline in the ATC, findings in old ABAP code can be excluded. Only when new findings are added or if ABAP statements are changed within the old findings, these findings will be reported again. The baseline concept is available with SAP NetWeaver AS ABAP 7.51 innovation package. See also the SAP Community blog Remote Code Analysis in ATC – Working with Baseline to suppress findings in old legacy code.
Yes, the ATC check runs can be planned periodically on the ATC central system. For more information see Scheduling Run Series in the Central System on the SAP Help Portal.
No, it is currently not possible. However, we plan to integrate the ATC into the activation process so that the current ATC results are obtained after the activation of an ABAP object.
On the ATC central check system.
A hash (from the code) is generated for each result. As long as it does not change, the line can also move.
During an ATC check run, an object model is created in the checked system and transferred to the ATC central check system. The various checks are performed on this model in the ATC central check system. The object models are stored in a cache to minimize the time taken to create and transfer the model.
Memory consumption is strongly dependent on the number and complexity of the objects to be checked.
This release dependency is taken into account in the ATC checks and explained in the checks documentation.
The ATC can be configured so, that it will run during transport release and the transport request will not be released in case of errors or warnings. Is this automatic check also planned for release of tasks and transport of copies?
It is planned to configure the automatic ATC check so that it is executed during the tasks release. Implemented with the SAP note 2495410.
You can configure which objects will be checked (e.g. all objects of a package). With AS ABAP 7.52 the coverage of checked source code was improved and the findings in SAP includes and generated code are ignored.
An extension for your own remote checks is not yet planned.
This is not currently possible. However, such a functionality is planned in the future.
This is not currently possible. However, such a functionality is planned in the future.
The ABAP Unit tests must always be executed on the local system. This task cannot be carried out by the ATC central system.
A check for searching pragmas or pseudo-comments is currently not planned. It is, however, possible to configure ATC check runs in such a way that the results are displayed despite pragmas / pseudo-comments.
For more information see Configuring Run Series in the Central System on the SAP Help Portal.
The remote ATC checks are currently not applicable for Web Dynpro / Dynpro
If you request an exemption for a single finding, this exemption will be valid as long as you don’t change the coding or the relevant context of that finding. As long as you only change coding that does not affect the finding (for example you change something in line 20 of an include and the finding marks code in line 200), the finding will be recognized as the same and thereby also the exemption stays valid.
In case you as a customer want to scan partner add-ons in your system you have to register the namespace of the add-on via the report SATC_AC_INIT_NAMESPACE_REG.
You can check the documentation of the report for further details. In system older than SAP NetWeaver AS ABAP 7.50 you have to apply the SAP note 2215288 to enable this feature.
Yes, this is possible. You have to enable this feature by applying the SAP note 2495410.
You can implement SATC_CONTACT_PERSON to determine contact person of a development object (default is TADIR-AUTHOR) and SATC_USER_ACCOUNT to determine email address of a user (default is from user data of transaction SU02).
No, there is currently no automatic check by the ATC.