Technical Articles
Remote Code Analysis in ATC for Developers
This is the fifth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).
See also blogs:
But what about developers?
For the Remote Code Analysis a central ATC check system (SAP_BASIS >=7.51) needs to be set up and configured in the system landscape to check multiple systems on different releases. On this central system you can configure the checked systems and ATC run series, then schedule ATC run series, view results in ATC Result Browser, approve or reject exemptions. But on the central system all these tasks are actually mostly for administrators or quality experts.
So what about developers? As a developer you always work in the local checked system and are used to execute your ATC checks directly during your development process there. Do you need now to work in two systems: e.g. check your code in the central ATC system and correct the findings in your local system? Fortunately the answer is NO. All ATC Remote Code Analysis activities during development occur in your local development system. You can execute ATC Remote Code Analysis checks, view ATC results, check your transports with ATC Remote Code Analysis before release, correct findings and request exemptions directly in your local system. This functionality for developers is available with SAP NetWeaver AS ABAP 7.51 SP01.
For you as developer the ATC Remote Code Analysis is only the infrastructure under the hood, which you don’t necessarily need to deal with. You work with ATC as usual in your local system using the advantages of the Remote Code Analysis.
Prerequisites for local developer scenario
1. ATC in a central check system is set up and configured in your landscape as described in the blog Remote Code Analysis in ATC – Technical Setup step by step.
2. The checked systems must be based at least on one of the following SAP_BASIS support package levels or higher: 7.51, 7.50 SP01, 7.40 SP13, 7.31 SP15, 7.02 SP17, 7.01 SP01 (Checks via Code Inspector because ATC is not available in this release), 7.00 SP04 (Checks via Code Inspector because ATC is not available in this release).
Make sure, that the remote functionality for developers of the collective SAP Note 2364916 is implemented in all your checked systems.
3. Implement the following SAP Notes in your local development system:
- SAP_BASIS 7.02 to 7.50: SAP Note 2375864 – ATC: Remote checks – developer scenario
- SAP_BASIS 7.00 to 7.01: SAP Note 2381403 – Infrastructure for remote checks
4. In your local system the ATC central check system must be maintained by your administrator in the Code Inspector (Goto->Management of-> Reference check system):
5. Check variant for the ATC Remote Code Analysis must be set up in the local development system (MY_DEFAULT in this example) as following:
– In the Code Inspector create new variant:
– Select the radio button In Reference Check System and provide the name of the check variant from the ATC central check system, containing the newest checks (SLIN_SEC in this example):
– Save the check variant
The SLIN_SEC check variant, containing the latest security checks must be RFC-enabled, therefore all selected checks must be RFC-enabled as well (green arrow buttons indicate it) and looks in our example as following:
6. Configure your development system to run the ATC with Remote Code Analysis automatically when releasing a transport (this is currently supported only in the SAP GUI-based Transport Organizer SE09). Ask your system administrator to set this up (following the documentation Setting Up ATC Transport Checking – ABAP Test and Analysis Tools on SAP Help Portal).
Local developer scenario
Motivation
Imagine a simple scenario. You wrote the ABAP program in your development system and suspect a security violation within SELECT statement. Therefore you are pretty confident, that you will get security errors if you run ATC.
In your local system if you just position the cursor on your program in the Project Explorer in the ABAP Development Tools in Eclipse and execute the check with the ABAP Test Cockpit (context menu Run As -> ABAP Test Cockpit) you will see, that no security violations were detected because your development system does not contain the newest security checks:
Note: if ABAP Test Cockpit or ABAP Development Tools (or both) are not available for your system on the older release (e.g. if your development system is on SAP_BASIS < 7.02), then you would need to work with SAPGUI and use Code Inspector. In this case you just execute the checks with Code Inspector using the check variant containing the latest security checks.
Obviously the newest security checks are missing, therefore you need to use Remote Code Analysis in ATC with the latest security checks. Now choose the check variant from the central ATC check system containing the latest security checks (MY_DEFAULT in this example) in your project properties in the ABAP Development Tools in Eclipse (context menu Properties of your project in the Project Explorer)
Note: you can also specify the check variant when executing the ATC from the editor (context menu “Run ABAP Test Cockpit With…”, e.g.:
Checking your source code
Run ABAP Test Cockpit for your ABAP program again. The newest security checks will detect the risk of the SQL injection:
From the ATC Problems View you can easy navigate to the erroneous source code position (double click on the ATC finding) and display the description of the finding via the error marker in the editor (just hover over the error marker):
Single click on the ATC finding will display the documentation, where you can look up how to correct it:
Checking transports before release
You can also run ATC Remote Code Analysis before transport release. In the Transport Organizer view select your transport request including your ABAP Program with the security risks and run ATC (context menu Run As > ABAP Test Cockpit):
The ATC Problems View will show the same security violation errors for your transport request:
Now you can correct the ATC findings or request exemption.
Requesting exemptions
To request an exemption position the cursor on the ATC finding and choose Request Exemption from the context menu.
More details on exemptions process in the blog Remote Code Analysis in ATC – Working with Exemptions.
Hello Olga,
thanks very much for your explanations. I'm very happy that my SAP Basis was very agile and provided to me a 7.51 System to setup the central ATC check in my whole SAP environment. Unfortunately a few systems (and especially my major system) does have a lower release then 740 SP13 -> they are on SP8. Is there any possibility by downgrading per SAP Note to provide the option for developers to start the ATC checks by the local system?
We have implemented a process to check the source code in case of release the task in the development systems. Unfortunately i can't setup yet my CI Variants as remote check for my main system, so the acceptance for the whole process will decrease again.
Would be very happy to get some feedback from your side if there is some solution in the pipeline or you have other customers with similar problems.
Especially only my major ERP Sytsem is on that low release i would accept also to implement a lot of SAP Notes manually, because most other systems have the correct support package already or it's planned to upgrade very soon.
BR Marcus
Hi Marcus,
thank you for the nice feedback. The downport of the 7.40 SP13 functionality for the local developer scenario to the lower SPs is unfortunately not possible. Currently our development evaluates the ways to offer a possibility of the developer scenario in lower SPs of the 7.40. Let's stay in touch. I will inform you as soon as we have more clarity on this.
Best regards, Olga.
Hello Olga,
would be great if such a possibility would exist, because the next planned upgrade for the mentioned system is more then 1 year in the future.
So if you have such notes / downports I offer myself also as pilot or test candidate.
Feel free to contact me also directly.
BR Marcus
Hi Olga,
Thanks for wonderful share.Is there a way to remediate code remotely, once an error is detected in remote ATC test?
Regards
Hi Mohinder,
if you use the local developer scenario with remote ATC, then you are locally in your development system and can change the code directly there. Otherwise if you run remote ATC on the central system, you get the ATC result list there and if you double click an ATC fnding from this list, you will be navigated directly to this finding in the corresponding local system and can correct it there.
Regards,
Olga.
Thank you very much for the blog Olga,
Eye opening and instructive.
Unfortunatly our ECC6 Landscape is also based on 740 SP11 –> No ATC For developers for us … it is a shame that we could benefit from this major pre-check feature.
I assume that many others customers would be in similar situation.
Thanks and Regards
Raoul
This Note is currently not available: SAP Note 2381403 – Infrastructure for remote checks. Why? Will it be revised? And if so, must it be reimplemented?
Regards, Stefan
I do see it now (Version 9 from 31.05.2017)
I have triggered this via a customer call 🙂
Dear Olga,
Good morning, would like get your expertise, my checked system (satellite system) only SAP_BASIS 701 with Level 006 which means we are using Code Inspector check as local check.
We set up a ATC central system which has SAP_BASIS 751.
We are trying to perform remote ATC check from satellite system, base on your guidance, we need to set up the RFC destination : (Goto->Management of-> Reference check system), but I notice this option [ Reference check system ] was disable.
Kindly assists me that I was missing which authorization role ?
Many thanks.
Best Regards,
Kuan.
Hi Kuan,
I guess you applied the manual correction instruction of SAP Note 2381403 to create the menu entry.
Could you check whether the menu entry was set to active as described in the manual correction instruction?
"... 10. Make sure that this new function is active (see function "Function Code Active <-> Inactive" in the toolbar). ..."
Michael
Dear Michael,
Good morning, yes..yes..yes...
I didn't click on this [ Function Code Active ]. I ONLY clicked on normal [Activate ] button.
Many thanks for you guidance.
Best Regards,
Kuan.
Hello,
we have installed 7.51 SP3 to use as a central ATC system.
We have implemented a check variant (CHECK_VAR_SATELITE with reference to check variant CHECK_VAR_ATC_CENTRAL. Extended syntax is to be executed) like described in tutorial.
The checked source code is locaded only on the satelite system. I executed the ATC on central system for the satelite and created a baseline. It worked so far.
But there some problems with "ATC for Developers".
I can call CHECK_VAR_SATELITE in code inspector on a satelite system. But if i execute this check variant in ABAP Workbench with ATC, i get the error "No checks are availiable for the object type".
If the CHECK_VAR_SATELITE is executed in Eclipse, it works. But the text of messages is missing (text is "unknown") and baseline is ignored.
Satelite system has 7.50 SP7.
Best Regards,
BR Paul
Hi Paul,
I guess you have already applied SAP Note 2375864 - as mentioned by Olga - in in your local development system.
If the note is applied in your system, I think we have to check your systems in more detail. Would you open an incident for this issue, please?
Thanks,
Michael
Hello Olga. Hello Thomas F.,
we finally also managed to setup our central ATC test scenario (after applying myriads of SAP notes...):
Is it true, that all checks have to be RFC enabled? What about the check for naming conventions? Currently they are not enabled and thus not used for the remote check.
Without check for naming conventions the central ATC is kind of useless for us. Am I missing something? Or is an RFC enabled check planned for the future?
Hi Uwe,
the naming convention checks are now supported in remote ATC.
Please install SAP note https://launchpad.support.sap.com/#/notes/2423013
in the central system
Regards,
Thomas.
Good to hear, thank you!
(it seams, that the not enabled check are just not started in the test, all other are ok. No need to remove them)
Next question for Thomas Fiedler :
is it intended, that the ATC check is hidden in the central system?
Central system:
Local DEV system:
In GUI mode the ATC check is still available and working in the central system:
Hi Uwe,
yes, this is the intended behavior. We assume that developers are executing the checks from their dev system via ADT. In your 7.40 system you should see the context menu item.
Regards,
Thomas.
Just because this is a central system doesn't mean, that there is no development happening. In our case this is currently true, but I'm not sure whether this is true in the future.
(and to test new code inspector checks I WILL use the central system, so the future is near...)
Hi Uwe,
we are currently working on a mode that the central system can be used for local scans as well.
This will solve your issue.
By the way: any plan to update your central system to 7.52 which is available since Monday. Benefit: you can scan modifications and enhancements in your 7.40 system with that approach.
Regards,
Thomas.
Are you kidding me? 😉
It's now three month ago that I told you, that I want to create such scenario. It really took that long (with all the administrative tasks and SAP notes). I think the basis team would kill me if I want to update the new system again.
(and yes, I'll install the 7.52 at home later, my own license expires end of the year)
Hello Thomas,
by the way, when I read all these Blogs, Questions, FAQs, Problems.....
I asked myself, wouldn't it not more efficient to get professional help from a Technical Consultant who has a deep knowlegde about the whole Topic ?
All this Comments in the different Blogs, make me feel that there is a lot of "Trial and Error" when installing the complete process. Other companies need weeks and months to establish the Process.
Can you tell me, who is able to make this technical consulting. Do you have Names of Consultans from SAP directly or Partners ?
Best regards
Mario
Very good comment, I'm also tired to operate our ATC, CCLM, CharM Infastructure...and you comment it is the same I thniking about 😉
Might be we can switch for this themes to a running well third party product 😉
If I want to RFC-enable own checks (the abapOpenChecks ), is there a How-To somewhere?
Solved: abapOpenChecks issue 422
(but would be great if one of the ADT team would have a look at it)
Hi Olga,
thanks a lot for your instructions! We have configured the ATC as a central system for quality assurance. So far so good. Some tests are running ...
One problem is that not all SCI checks can be run in remote systems, only those that are RFC-based. Some basic performance checks and especially code metrics are not RFC enabled. Which requirements must a test fulfill to be RFC-enabled? Is there a solution? Thank you very much.
Carsten
Hi Carsten,
our ATC development colleagues have been working eagerly on RFC enabling of more and more checks. It depends on the release of your ATC system: in 7.52 there are more RFC-enabled ATC checks as in 7.51. Further checks will follow.
Best regards,
Olga.
Hi Olga
We are experiencing performance issues in using a central variant. When I run the same inspection as I would run locally, the speed decreases by a factor of 5 and the volume of data transferred by a factor of 3. The variants used are similar.
Have you experienced any issues here? Is there a way to parallel process from the satellite system back into the central system perhaps?
Regards
Ian
Hi Ian,
no, we haven't experienced such issues so far. Please open a ticket to SAP in order to get your situation analyzed.
Regards,
Olga.
Hi Olga
Ok. Thanks. Will do.
Regards
Ian
Hello Olga,
First of all, thanks for this series of ATC blogs.
I have a question. If I have understood good, We have 2 scenes splits. i mean, In one hand we have New ATC Hub system ( central system --> checked system) and in the other hand we have traditional ATC with master and dev system.
In scene 1, we have created inspection but we can NOT replicate results to the dev system so, if developers want to fix them, They should connect first to ATC HUB system and navigate with correction provider rfc to fix the error.
2 Developers fix errors in Eclipse but it is not replicate to ATC HUB system,
So for now, which are the best practices?
Developrs fix errors in local and we create periodical inspection in new ATC hub system to update findings¿?
Thanks and regards.
Gerardo.
Hi Gerardo,
the replication of the ATC Active Result to development systems is currently missing in the ATC remote scenario and is being developed with urgent priority. For the time being developers can logon to the central ATC Hub to see there the results of the central ATC run.
Best Regards,
Olga.
Hello Olga,
we now have Set up our Sandbox System (S10) with a Central Remote Master System (P35).
RFC Connections are established. A new Check Variant on the Master System was created with only "Naming Conventions". The desired Check Variant on the Sandbox System with pointing to the Check variant on the Master System was also established.
Then we tried to Check a whole package on the Satellite System which contains a lot of Table Maintenance Dialogs on Z-Tables. Unfortunately we got a lot of Naming Convention Errors out of these Dialogs, which we can't surely correct (because they are generated).
But even when we Start a Run Series on the Satellite System with this Check Variant and didn't mark the checkbox "Analyze Generated Maintenance Dialoges" we got Errors out of these Table Maintenance Dialoges.
Where is the Error on our side ?
best regards
Mario
Hi Mario,
it depends on the releases of your central ATC system and checked system (you name it satelite). You can exclude generated code from the ATC check only with central ATC check system on NW 7.52. If e.g. your ATC central check system is 7.52 and the checked system is older, but you use remote developer scenario to check the code in the checked system remotely on ATC 7.52, then you can exclude generated code. If you run ATC locally on the checked system which is < 7.52, then you cannot exclude generated code.
Best Regards,
Olga.
Hi Olga,
Our Central ATC System has NW Release 7.52 SP03. And the Checked System (S10) has NW 7.50 SP13. I know the funcionality of Excluding generated code. But this Option is only available in the Definition of the "Object Set" in SCI. So for Batch Analysis this works fine.
But our question is, what if the do a single Check within for ex. SE38 or SE80 Package Check or more important if a Developer releases as task in the Transport System ?
Exactly here wee need the Functionality to exclude generated Code, but I don't find an option to do this. Our Check at Task release is done with the Developer Scenario on the Remote System.
But the findings we got ,are all from generated Table Maintenance Dialoges
So what is missing ? As I interpret you answer correctly, this normally should no occur
Best regards
Mario
Hi Mario,
are you sure, that you check your code during transport release in the checked development system using the remote check variant from the ATC central check system? For developer scenario you need to use the check variant from the central ATC check system.
Regards,
Olga.
Hi Olga,
Yes we are sure that our settings are correct. Here the Facts.
Table SCICHKV_ALTER in S10 (Checked System)
Check Variant in S10 System
Check Variant in Remote ATC Master System
and this is the Result
All this Errors are out of generate Table Maintenance Dialoges
Or is here anything missing ?
Best regards
Mario
Hi Mario,
I talked to our ATC development. It looks like a special problem in your system which has to deal with name conventions checks and your custom code and needs to be analyzed in detail. Please open a ticket to SAP.
Regards,
Olga.
Hi Olga,
We are in the process of conversion to S/4 HANA 1809 and we set up a new Central Check System running ATC (SAP NW 7.52) which remotely checks our SAP System (SAP NW 7.4 SP12) which is a copy of our production system (Non-development system).
ATC is working but we are unable to run ATC for custom objects in the customer namespace which was set up as Namespace Role “C” or “Receiver” as below:
Also to register the namespace, when executed the program SATC_AC_INIT_NAMESPACE_REG, we got nothing as it was not registered to ATC.
In order to register the customer namespace defined as namespace role “C” what needs to be done?
Should we enter the Repair license key for customer namespace defined as “C” or as per the below link should we change the customer namespace’s role to “P” or “Producer” and enter the new development license key as it is different for each installation number?
https://help.sap.com/saphelp_SNC700_ehp01/helpdata/en/d1/40a689c1ad4a2baa6c12a76abe1226/content.htm?no_cache=true
Please advise.
Thanks,
Burhan
Hi Burhan,
yes, you need to change the role to "P" (Producer), and then use the program SATC_AC_INIT_NAMESPACE_REG. You can register the namespaces with role "C" (Consumer) only starting with the NW 7.40 SP13 (see SAP Note 2215288 for more details).
Regards,
Olga.
Hello Olga,
thanks for the very informative blog posts concerning central ATC. Currently I try various things on our own company systems, but there are some issues:
We have a central ATC system on SAP_BASIS 7.52 / SP03 and a checked system on level SAP_BASIS 7.50 / SP13. I defined an RFC-enabled check variant on the central system to check the 7.50 system, and this works well.
Now I defined a remote check variant on the 7.50 system which internally references the check variant as defined on the central system using a trusted RFC-destination, and during the check on the 7.50 system, we receive errors about missing whitelist entries which have to be maintained in the RFC destination, this because there is a callback requested during ATC check.
We also can see dumps on both systems, and on the side of the checked system, there is information about the callback functions. We maintained until now 4 pairs of these entries, but with each check attempt, other functions are requested again and again to be maintained in the whitelist.
My question: is that correct, or do we miss some settings here - or may you eventually have a complete list of all functions which should be maintained in the whitelist?
Currently we have the following whitelist entries maintained:
(called function // callback function)
SCI_REMOTE_IS_CHECK_SCOPE_ENAB // FUNCTION_EXISTS
SCI_REMOTE_IS_CHECK_SCOPE_ENAB // SLINRMT_RUN
SCI_REMOTE_RUN // RS_ABAP_EXPORT_COMP_PROCS_E
SCI_REMOTE_RUN // SLINRMT_RUN
SCI_REMOTE_RUN_END // SCA_REMOTE_DATA_ACCESS
Thanks in advance and best regards,
Olaf
Hello Olaf,
please verify, that all prerequisites for ATC remote developer scenario are done on your 7.50/SP13 system like implementing the SAP Notes 2364916 and 2375864.
If it is so I recommend to open a ticket to SAP.
Best regards,
Olga.
Hello Olga,
Following the answer you indicated to Olaf, our execution of the job in the ATC with the variant S4HANA_READINESS_REMOTE reports us more than 60,000 dumps per day: SAPSQL_PARSE_ERROR CX_SY_DINAMIC_OSQL_SYNTAX:
I have tried to import SAP Notes 2364916 and 2375864 but they are not implementable in my Development System is a NW 7.4 SPS18 and my Central System is a NW 7.52 SPS2. While answering Tim, I have also tried to implement SAP Note 2487726 but it is not implementable either, notes 2624109 and 2707315 if they are implementable but it has nothing to do with my error. Can you help me correct this dump?
Regards.
Jordi.
Hi Jordi,
for such issues please open a ticket to SAP.
Best Regards,
Olga.
Hello,
we are facing still the Problem that SAP Standard Includes will deliver Findings when they are used for. ex. in the "old" Userexit technique, starting all with EXIT_SAPxxxxxxxxx
Surely you have to implement then the given Z...Include Name in a Z-Package, but after that the SAP Standard Includes will also be analyzed by ATC when checking the Z-Package.
As far as I have followed the Discussion about this topic, this should not longer happen.
Best regards
Mario
Hello Mario,
the correction note for this use case: ATC findings in SAP Includes belonging to User Exits is being currently developed. I will let you know the number as soon as it gets released.
Regards,
Olga.
Hello Olga,
I did set up the ATC checks on transport release (check variant: S4HANA_READINESS_1809), which works fine.
Unfortunately it takes several minutes to execute the remote checks (depending on the amount of checked objects) which affects the acceptance for our developers.
If I take a look at SM50 I see at least one process like SAPLSABP_COMP_PROCS_E on the checked system and on the central check system changing processes like CL_CI_TEST* (for example: CL_CI_TEST_ABAP_COMP_PROCS====CP).
Is there a way to speed up the process and how can I find out where the bottleneck is?
Would the performance be better with a central system on 7.53 (currently on 7.52) or does it depend on the checked system?
Best regards
Tim
Hi Tim,
I can recommend the SAP Note 2487726 for S/4HANA checks performance improvements.
Best regards,
Olga.
Hi Olga,
thank you for the feedback, but we have already implemented the note 2487726. (The server is on 7.52 SP2 and the note has been fixed with SP1).
It would be great if you could give further advice?
Best regards
Tim
Hi Tim,
could you please check if the SAP Notes 2624109 and 2707315 are implemented in your system?
Best Regards,
Olga.
Hi Olga,
sorry for my late answer.
The note 2624109 was already implemented, but the other one not. Additionally I implemented several other notes (2724914, etc.) now and I hope that I can observe an improvement.
Best regards
Tim
Hi Olga
I have a program running on the remote systems to check transports for findings that will block the release (as per Baerbel's excellent blog).
Now I would like to replicate the results to the central system so that I can report on the data from one place but when trying the replicate functionality in the Manage Results section of the ATC I get the message below:
RFC: Function module "SCI_REMOTE_GET_TEST_DELEGATE" not found.
I've searched in the support portal for this FM but nothing obvious. Can you steer me to the note that implements this?
Regards
Ian
Hi Ian,
it is currently not yet possible in the remote ATC scenario to replicate the results from the central check system to the connected checked systems. We are working on it with high priority.
Regards,
Olga.
Hi Olga
Thanks for the reply. I am trying to replicate the other way round though i.e. I wish to replicate results from the remote system to the central ATC system. Is this possible? I would like to report on all scans from the central system via CDS views.
Thanks
Ian
Hi Ian,
it is not possible to replicate local ATC runs to the central ATC check system.
Regards,
Olga.
Hi Olga
Ok. Thanks for confirming.
Regards
Ian
Hi Olga
Also, while I think of it, when setting the Default Check Variant in the ATC setup, does this also affect the variant executed when releasing the transport? Or do I separately need to maintain the entry in the SCICHK_ALTER table?
Regards
Ian
Hi Ian,
yes, the default ATC check variant is also used at transport release.
Regards,
Olga.
Hello Olga,
We are trying to set up Remote Code Analysis from satellite system( SAP BASIS 7.31 SP13) to Central check system(SAP BASIS 7.51 SP8).
When we run from satellite system, we get below error :
When we run from central system using object provider, we are getting tool failures. Can you please guide how to proceed here.
Thanks!!
Regards,
Siji Thomas
Hi Thomas,
for such issues please open a ticket to SAP.
Regards,
Olga.
Hi Olga
When changing a function module, the whole function group is then scanned and when changing a method the whole class is scanned. Findings are therefore often reported on areas that a current developer have not touched - even if a baseline is in place.
Is it possible to only scan the immediate object rather than the whole object?
Thanks
Ian
Hi Ian,
unfortunately it is not possible: ATC scans only main objects, not sub-objects or parts.
Bye,
Olga.
Thanks Olga.
I suspected as much but thought I'd check.
Cheers
Ian