Remote Code Analysis in ATC for Developers
This is the fifth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).
But what about developers?
For Remote Code Analysis, a central ATC check system (SAP_BASIS >= 7.51) needs to be set up and configured in the system landscape to check multiple systems on different releases. On this central system you can configure the checked systems and ATC run series, schedule ATC run series, view results in the ATC Result Browser, and approve or reject exemptions. But on the central system these tasks are mostly for administrators or quality experts.
So what about developers? As a developer you always work in the local checked system and are used to executing your ATC checks there, directly during your development process. Do you now need to work in two systems, e.g. check your code in the central ATC system and correct the findings in your local system? Fortunately the answer is NO. All ATC Remote Code Analysis activities during development occur in your local development system. You can execute ATC Remote Code Analysis checks, view ATC results, check your transports with ATC Remote Code Analysis before release, correct findings and request exemptions directly in your local system. This functionality for developers is available with SAP NetWeaver AS ABAP 7.51 SP01.
For you as a developer, ATC Remote Code Analysis is only the infrastructure under the hood, which you don’t necessarily need to deal with. You work with ATC as usual in your local system and get the advantages of Remote Code Analysis.
Prerequisites for local developer scenario
1. ATC in a central check system is set up and configured in your landscape as described in the blog Remote Code Analysis in ATC – Technical Setup step by step.
2. The checked systems must be based at least on one of the following SAP_BASIS support package levels or higher: 7.51, 7.50 SP01, 7.40 SP13, 7.31 SP15, 7.02 SP17, 7.01 SP01 (Checks via Code Inspector because ATC is not available in this release), 7.00 SP04 (Checks via Code Inspector because ATC is not available in this release).
Make sure that the remote functionality for developers from the collective SAP Note 2364916 is implemented in all your checked systems.
3. Implement the following SAP Notes in your local development system:
- SAP_BASIS 7.02 to 7.50: SAP Note 2375864 – ATC: Remote checks – developer scenario
- SAP_BASIS 7.00 to 7.01: SAP Note 2381403 – Infrastructure for remote checks
4. In your local system the ATC central check system must be maintained by your administrator in the Code Inspector (Goto -> Management of -> Reference check system).
5. A check variant for ATC Remote Code Analysis must be set up in the local development system (MY_DEFAULT in this example) as follows:
– In the Code Inspector, create a new variant.
– Select the radio button In Reference Check System and provide the name of the check variant from the ATC central check system that contains the newest checks (SLIN_SEC in this example).
– Save the check variant.
The SLIN_SEC check variant, which contains the latest security checks, must be RFC-enabled. Therefore all checks selected in it must be RFC-enabled as well (green arrow buttons indicate this).
Local developer scenario
Imagine a simple scenario. You wrote an ABAP program in your development system and suspect a security violation within a SELECT statement. Therefore you are pretty confident that you will get security errors if you run ATC.
In your local system, if you just position the cursor on your program in the Project Explorer in the ABAP Development Tools in Eclipse and execute the check with the ABAP Test Cockpit (context menu Run As -> ABAP Test Cockpit), you will see that no security violations were detected, because your development system does not contain the newest security checks.
Note: if ABAP Test Cockpit or ABAP Development Tools (or both) are not available for your system on an older release (e.g. if your development system is on SAP_BASIS < 7.02), then you need to work with SAP GUI and use Code Inspector. In this case you just execute the checks with Code Inspector using the check variant containing the latest security checks.
Obviously the newest security checks are missing, so you need to use Remote Code Analysis in ATC with the latest security checks. Now choose the check variant from the central ATC check system containing the latest security checks (MY_DEFAULT in this example) in your project properties in the ABAP Development Tools in Eclipse (context menu Properties of your project in the Project Explorer).
Note: you can also specify the check variant when executing the ATC from the editor (context menu “Run ABAP Test Cockpit With…”).
Checking your source code
Run ABAP Test Cockpit for your ABAP program again. The newest security checks will detect the risk of SQL injection.
From the ATC Problems View you can easily navigate to the erroneous source code position (double-click the ATC finding) and display the description of the finding via the error marker in the editor (just hover over the error marker).
A single click on the ATC finding displays the documentation, where you can look up how to correct it.
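As an added illustration (not the program from the original post), this is the kind of SELECT statement such a security check reports, next to two common corrections. The report name, the parameter and the use of the SFLIGHT demo table are assumptions made for the example, and it assumes the class CL_ABAP_DYN_PRG is available in your release.

```abap
REPORT z_atc_sqli_demo.
" Added illustration: report name, parameter and the SFLIGHT demo table
" are assumptions, not the program shown in the original post.

PARAMETERS p_carr TYPE c LENGTH 20 LOWER CASE.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string,
      lv_quoted  TYPE string,
      lv_carrid  TYPE sflight-carrid.

" --- Before: input is concatenated into a dynamic WHERE clause ---------
" Whatever the user enters becomes part of the SQL condition itself.
CONCATENATE `CARRID = '` p_carr `'` INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" --- After, option 1: static WHERE clause (preferred) ------------------
" The value is passed as a host variable and is never parsed as SQL.
lv_carrid = p_carr.
SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = lv_carrid.

" --- After, option 2: the condition has to stay dynamic ----------------
" CL_ABAP_DYN_PRG=>QUOTE puts the value in single quotes and escapes any
" quotes inside it, so the input stays a literal within the condition.
lv_quoted = cl_abap_dyn_prg=>quote( p_carr ).
CONCATENATE `CARRID = ` lv_quoted INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
```

After a correction like this, run the ABAP Test Cockpit with the same check variant again to confirm that the finding is gone.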
Checking transports before release
You can also run ATC Remote Code Analysis before transport release. In the Transport Organizer view, select the transport request that includes your ABAP program with the security risks and run ATC (context menu Run As > ABAP Test Cockpit).
The ATC Problems View will show the same security violation errors for your transport request.
Of course you can also configure your development system to run the ATC with Remote Code Analysis automatically when releasing a transport (this is currently supported only in the SAP GUI-based Transport Organizer SE09). Ask your system administrator to set this up (following the documentation Setting Up ATC Transport Checking – ABAP Test and Analysis Tools on SAP Help Portal).
Now you can correct the ATC findings or request exemption.
To request an exemption, position the cursor on the ATC finding and choose Request Exemption from the context menu.
For more details on the exemption process, see the blog Remote Code Analysis in ATC – Working with Exemptions.