
This is the fifth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).


But what about developers?

For Remote Code Analysis, a central ATC check system (SAP_BASIS = 7.51) needs to be set up and configured in the system landscape to check multiple systems on different releases. On this central system you can configure the checked systems and ATC run series, schedule ATC run series, view results in the ATC Result Browser, and approve or reject exemptions. On the central system, however, these tasks are mostly for administrators or quality experts.

So what about developers? As a developer you always work in the local checked system and are used to executing your ATC checks there, directly during your development process. Do you now need to work in two systems, e.g. check your code in the central ATC system and correct the findings in your local system? Fortunately the answer is NO. All ATC Remote Code Analysis activities during development occur in your local development system. You can execute ATC Remote Code Analysis checks, view ATC results, check your transports with ATC Remote Code Analysis before release, correct findings and request exemptions directly in your local system. This functionality for developers is available with SAP NetWeaver AS ABAP 7.51 SP01.

For you as a developer, ATC Remote Code Analysis is only the infrastructure under the hood, which you don’t necessarily need to deal with. You work with ATC as usual in your local system and get the advantages of Remote Code Analysis.

Prerequisites for local developer scenario

1. ATC in a central check system is set up and configured in your landscape as described in the blog Remote Code Analysis in ATC – Technical Setup step by step. In the central check system, implement SAP Note 2399689 – ATC: Collective corrections for Remote Code Analysis.

2. The checked systems must be based at least on one of the following SAP_BASIS support package levels: 7.51 or higher, 7.50 SP01, 7.40 SP13, 7.31 SP15, 7.02 SP17, 7.01 SP01 (checks via Code Inspector because ATC is not available in this release), 7.00 SP04 (checks via Code Inspector because ATC is not available in this release).

3. Implement the following SAP Notes in your local development system:

4. In your local system, the ATC central check system must be maintained by your administrator in the Code Inspector (Goto -> Management of -> Reference check system):

5. The check variant for the ATC Remote Code Analysis must be set up in the local development system (MY_DEFAULT in this example) as follows:

– In the Code Inspector, create a new variant:

– Select the radio button In Reference Check System and provide the name of the check variant from the ATC central check system, containing the newest checks (SLIN_SEC in this example):

– Save the check variant

The SLIN_SEC check variant, containing the latest security checks, must be RFC-enabled; therefore all selected checks must be RFC-enabled as well (green arrow buttons indicate this). In our example it looks as follows:

Local developer scenario

Motivation

Imagine a simple scenario. You wrote an ABAP program in your development system and suspect a security violation within a SELECT statement. You are therefore pretty confident that you will get security errors if you run ATC.

In your local system, if you just position the cursor on your program in the Project Explorer in the ABAP Development Tools in Eclipse and execute the check with the ABAP Test Cockpit (context menu Run As -> ABAP Test Cockpit), you will see that no security violations were detected, because your development system does not contain the newest security checks:

Note: if ABAP Test Cockpit or ABAP Development Tools (or both) are not available for your system on an older release (e.g. if your development system is on SAP_BASIS < 7.02), then you need to work with SAP GUI and use Code Inspector. In this case you just execute the checks with Code Inspector using the check variant containing the latest security checks.

Obviously the newest security checks are missing, so you need to use Remote Code Analysis in ATC with the latest security checks. Now choose the check variant that refers to the central ATC check system and contains the latest security checks (MY_DEFAULT in this example) in your project properties in the ABAP Development Tools in Eclipse (context menu Properties of your project in the Project Explorer).

 

Note: you can also specify the check variant when executing the ATC from the editor (context menu “Run ABAP Test Cockpit With…”), e.g.:

 

Checking your source code

Run ABAP Test Cockpit for your ABAP program again. The newest security checks will detect the risk of the SQL injection:

From the ATC Problems View you can easily navigate to the erroneous source code position (double click on the ATC finding) and display the description of the finding via the error marker in the editor (just hover over the error marker):

Single click on the ATC finding will display the documentation, where you can look up how to correct it:
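The kind of dynamic WHERE clause that SQL injection checks typically report, next to two corrected forms. This is an added example, not the program from the original post: the report name, the parameter and the use of the flight-model table SPFLI are assumptions, as is the availability of class CL_ABAP_DYN_PRG in the checked system.

```abap
REPORT z_atc_demo_dyn_where.
* Added illustration; not the program shown in the original post.
* Assumptions: report name, parameter P_CITY, demo table SPFLI,
* class CL_ABAP_DYN_PRG available in the system.

PARAMETERS p_city TYPE spfli-cityfrom LOWER CASE.

DATA: lv_where  TYPE string,
      lv_quoted TYPE string,
      lt_spfli  TYPE STANDARD TABLE OF spfli WITH DEFAULT KEY.

* --- Before: the pattern a security check reports ---------------------
* User input is concatenated unchanged into a dynamic WHERE clause, so
* the input is parsed as part of the condition, not only as a value.
CONCATENATE `cityfrom = '` p_city `'` INTO lv_where.
SELECT * FROM spfli INTO TABLE lt_spfli WHERE (lv_where).

* --- After, option 1: static WHERE clause ------------------------------
* The input is passed as a host variable and is never parsed as Open SQL.
* Prefer this whenever the condition does not have to be dynamic.
SELECT * FROM spfli INTO TABLE lt_spfli WHERE cityfrom = p_city.

* --- After, option 2: the clause has to stay dynamic -------------------
* QUOTE encloses the value in single quotes and escapes quotes inside it,
* so the value can only be read as a literal by the dynamic clause.
lv_quoted = cl_abap_dyn_prg=>quote( p_city ).
CONCATENATE `cityfrom = ` lv_quoted INTO lv_where.
SELECT * FROM spfli INTO TABLE lt_spfli WHERE (lv_where).
```

After the correction, re-run ATC with the remote check variant (MY_DEFAULT in this post) to confirm the finding is gone.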

 

Checking transports before release

You can also run ATC Remote Code Analysis before transport release. In the Transport Organizer view, select the transport request that includes your ABAP program with the security risks and run ATC (context menu Run As -> ABAP Test Cockpit):

The ATC Problems View will show the same security violation errors for your transport request:

Of course you can also configure your development system to run the ATC with Remote Code Analysis automatically when releasing a transport (this is currently supported only in the SAP GUI-based Transport Organizer SE09). Ask your system administrator to set this up (following the documentation Setting Up ATC Transport Checking – ABAP Test and Analysis Tools on SAP Help Portal).

Now you can correct the ATC findings or request an exemption.

 

Requesting exemptions

To request an exemption, position the cursor on the ATC finding and choose Request Exemption from the context menu.

More details on the exemption process are in the blog Remote Code Analysis in ATC – Working with Exemptions.


24 Comments


  1. Marcus Richter

    Hello Olga,

    thanks very much for your explanations. I’m very happy that my SAP Basis was very agile and provided to me a 7.51 System to setup the central ATC check in my whole SAP environment. Unfortunately a few systems (and especially my major system) do have a lower release than 740 SP13 -> they are on SP8. Is there any possibility by downgrading per SAP Note to provide the option for developers to start the ATC checks by the local system?

    We have implemented a process to check the source code in case of release the task in the development systems. Unfortunately I can’t setup yet my CI Variants as remote check for my main system, so the acceptance for the whole process will decrease again.

    Would be very happy to get some feedback from your side if there is some solution in the pipeline or you have other customers with similar problems.

    Especially only my major ERP System is on that low release i would accept also to implement a lot of SAP Notes manually, because most other systems have the correct support package already or it’s planned to upgrade very soon.

    BR Marcus

     

    (0) 
    1. Olga Dolinskaja Post author

       

      Hi Marcus,

      thank you for the nice feedback. The downport of the 7.40 SP13 functionality for the local developer scenario to the lower SPs is unfortunately not possible. Currently our development evaluates the ways to offer a possibility of the developer scenario in lower SPs of the 7.40. Let’s stay in touch. I will inform you as soon as we have more clarity on this.

      Best regards, Olga.

       

      (1) 
      1. Marcus Richter

        Hello Olga,

        would be great if such a possibility would exist, because the next planned upgrade for the mentioned system is more than 1 year in the future.

        So if you have such notes / downports I offer myself also as pilot or test candidate.

        Feel free to contact me also directly.

        BR Marcus

        (0) 
        1. Olga Dolinskaja Post author

          Hi Mohinder,

          if you use the local developer scenario with remote ATC, then you are locally in your development system and can change the code directly there. Otherwise if you run remote ATC on the central system, you get the ATC result list there and if you double click an ATC finding from this list, you will be navigated directly to this finding in the corresponding local system and can correct it there.

          Regards,

          Olga.

          (0) 
      2. Raoul Shiro

        Thank you very much for the blog Olga,

         

        Eye opening and instructive.

        Unfortunately our ECC6 Landscape is also based on 740 SP11 –> No ATC For developers for us … it is a shame that we could benefit from this major pre-check feature.

        I assume that many other customers would be in similar situation.

        Thanks and Regards

        Raoul

        (0) 
  2. Chin Thang Kuan

    Dear Olga,

    Good morning, would like get your expertise, my checked system (satellite system) only SAP_BASIS 701 with Level 006 which means we are using Code Inspector check as local check.

    We set up a ATC central system which has SAP_BASIS 751.

    We are trying to perform remote ATC check from satellite system, based on your guidance, we need to set up the RFC destination : (Goto->Management of-> Reference check system), but I notice this option [ Reference check system ] was disabled.

    Kindly assists me that I was missing which authorization role ?

    Many thanks.

    Best Regards,

    Kuan.

     

     

    (0) 
    1. Michael Schneider

      Hi Kuan,

      I guess you applied the manual correction instruction of SAP Note 2381403 to create the menu entry.

      Could you check whether the menu entry was set to active as described in the manual correction instruction?

        “… 10. Make sure that this new function is active (see function “Function Code Active <-> Inactive” in the toolbar). …”

      Michael

      (0) 
  3. Chin Thang Kuan

    Dear Michael,

    Good morning, yes..yes..yes…

    I didn’t click on this [ Function Code Active ]. I ONLY clicked on normal [Activate ] button.

    Many thanks for your guidance.

    Best Regards,

    Kuan.

    (0) 
  4. Paul Siebert

    Hello,

    we have installed 7.51 SP3 to use as a central ATC system.

    We have implemented a check variant (CHECK_VAR_SATELITE with reference to check variant CHECK_VAR_ATC_CENTRAL. Extended syntax is to be executed) like described in tutorial.
    The checked source code is located only on the satellite system. I executed the ATC on central system for the satellite and created a baseline. It worked so far.

    But there are some problems with “ATC for Developers”.

    I can call CHECK_VAR_SATELITE in code inspector on a satellite system. But if I execute this check variant in ABAP Workbench with ATC, I get the error “No checks are availiable for the object type”.
    If the CHECK_VAR_SATELITE is executed in Eclipse, it works. But the text of messages is missing (text is “unknown”) and baseline is ignored.

    Satellite system has 7.50 SP7.

    Best Regards,
    BR Paul

    (0) 
    1. Michael Schneider

      Hi Paul,

      I guess you have already applied SAP Note 2375864 – as mentioned by Olga – in your local development system.

      If the note is applied in your system, I think we have to check your systems in more detail. Would you open an incident for this issue, please?

      Thanks,
      Michael

       

      (0) 
  5. Uwe Fetzer

    Hello Olga. Hello Thomas F.,

    we finally also managed to setup our central ATC test scenario (after applying myriads of SAP notes…):

    • NW 7.51 SP02 as central ATC system
    • NW 7.40 SP15 as (first) satellite DEV system

    Is it true, that all checks have to be RFC enabled? What about the check for naming conventions? Currently they are not enabled and thus not used for the remote check.

    Without check for naming conventions the central ATC is kind of useless for us. Am I missing something? Or is an RFC enabled check planned for the future?

    (0) 
    1. Thomas Fiedler

      Hi Uwe,

      we are working on enabling the naming convention check also for remote checks.

      I will send you the note when we are finished.

       

      Only when all checks within a variant are remote enabled the variant can be used for remote scans.

      So for the time being you have to remove the naming convention check from your variant until we have the note in place.

      Regards,

      Thomas.

       

      (0) 
  6. Uwe Fetzer

    Next question for Thomas Fiedler :

    is it intended, that the ATC check is hidden in the central system?

    Central system:

    Local DEV system:

    In GUI mode the ATC check is still available and working in the central system:

    (0) 
  7. Thomas Fiedler

    Hi Uwe,

    yes, this is the intended behavior. We assume that developers are executing the checks from their dev system via ADT. In your 7.40 system you should see the context menu item.

    Regards,

    Thomas.

    (0) 
    1. Uwe Fetzer

      Just because this is a central system doesn’t mean, that there is no development happening. In our case this is currently true, but I’m not sure whether this is true in the future.

      (and to test new code inspector checks I WILL use the central system, so the future is near…)

      (0) 
      1. Thomas Fiedler

        Hi Uwe,

        we are currently working on a mode that the central system can be used for local scans as well.

        This will solve your issue.

        By the way: any plan to update your central system to 7.52 which is available since Monday. Benefit: you can scan modifications and enhancements in your 7.40 system with that approach.

        Regards,

        Thomas.

         

         

         

        (0) 
        1. Uwe Fetzer

          Are you kidding me? 😉

          It’s now three months ago that I told you, that I want to create such scenario. It really took that long (with all the administrative tasks and SAP notes). I think the basis team would kill me if I want to update the new system again.

          (and yes, I’ll install the 7.52 at home later, my own license expires end of the year)

          (1) 
