This is the fifth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).

See also blogs:

Remote Code Analysis in ATC – One central check system for multiple systems on various releases
Remote Code Analysis in ATC – Technical Setup step by step
Remote Code Analysis in ATC – Working with Baseline to suppress findings in old legacy code
Remote Code Analysis in ATC – Working with Exemptions
Remote Code Analysis in ATC – FAQ

 

But what about developers?

For Remote Code Analysis, a central ATC check system (SAP_BASIS = 7.51) must be set up and configured in the system landscape to check multiple systems on different releases. On this central system you can configure the checked systems and ATC run series, schedule ATC run series, view results in the ATC Result Browser, and approve or reject exemptions. On the central system, however, these tasks are mostly for administrators or quality experts.

So what about developers? As a developer you always work in the local checked system and are used to executing your ATC checks there directly during development. Do you now need to work in two systems, e.g. check your code in the central ATC system and correct the findings in your local system? Fortunately the answer is NO. All ATC Remote Code Analysis activities during development occur in your local development system. You can execute ATC Remote Code Analysis checks, view ATC results, check your transports with ATC Remote Code Analysis before release, correct findings and request exemptions directly in your local system. This functionality for developers is available with SAP NetWeaver AS ABAP 7.51 SP01.

For you as a developer, ATC Remote Code Analysis is only the infrastructure under the hood, which you don’t necessarily need to deal with. You work with ATC as usual in your local system and benefit from the advantages of Remote Code Analysis.

Prerequisites for local developer scenario

1. ATC in a central check system is set up and configured in your landscape as described in the blog Remote Code Analysis in ATC – Technical Setup step by step. In the central check system, implement SAP Note 2399689 – ATC: Collective corrections for Remote Code Analysis.

2. The checked systems must be on at least one of the following SAP_BASIS support package levels: 7.51 or higher, 7.50 SP01, 7.40 SP13, 7.31 SP15, 7.02 SP17, 7.01 SP01 (checks via Code Inspector because ATC is not available in this release), 7.00 SP04 (checks via Code Inspector because ATC is not available in this release).

3. Implement the following SAP Notes in your local development system:

4. In your local system the ATC central check system must be maintained by your administrator in the Code Inspector (Goto->Management of-> Reference check system):

5. A check variant for ATC Remote Code Analysis must be set up in the local development system (MY_DEFAULT in this example) as follows:

– In the Code Inspector create a new variant:

– Select the radio button In Reference Check System and provide the name of the check variant from the ATC central check system, containing the newest checks (SLIN_SEC in this example):

– Save the check variant

The SLIN_SEC check variant, which contains the latest security checks, must be RFC-enabled; therefore all checks selected in it must be RFC-enabled as well (green arrow buttons indicate this). In our example it looks as follows:

Local developer scenario

Motivation

Imagine a simple scenario. You wrote an ABAP program in your development system and suspect a security violation within a SELECT statement. You are therefore pretty confident that you will get security errors if you run ATC.

In your local system, position the cursor on your program in the Project Explorer in the ABAP Development Tools in Eclipse and execute the check with the ABAP Test Cockpit (context menu Run As -> ABAP Test Cockpit). You will see that no security violations were detected, because your development system does not contain the newest security checks:

Note: if ABAP Test Cockpit or ABAP Development Tools (or both) are not available for your system on an older release (e.g. if your development system is on SAP_BASIS < 7.02), then you need to work with SAP GUI and use Code Inspector. In this case you just execute the checks with Code Inspector using the check variant containing the latest security checks.

Obviously the newest security checks are missing, so you need to use Remote Code Analysis in ATC with the latest security checks. Now choose the check variant from the central ATC check system containing the latest security checks (MY_DEFAULT in this example) in your project properties in the ABAP Development Tools in Eclipse (context menu Properties of your project in the Project Explorer).

 

Note: you can also specify the check variant when executing ATC from the editor (context menu “Run ABAP Test Cockpit With…”), e.g.:

 

Checking your source code

Run ABAP Test Cockpit for your ABAP program again. The newest security checks will detect the risk of the SQL injection:

From the ATC Problems View you can easily navigate to the erroneous source code position (double click on the ATC finding) and display the description of the finding via the error marker in the editor (just hover over the error marker):

A single click on the ATC finding displays the documentation, where you can look up how to correct it:
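As an added illustration (not the program from this blog, whose source is not reproduced here), the following shows the kind of dynamic SELECT that carries a SQL injection risk, next to two corrected forms. The report name and the parameter are hypothetical; SCARR is the table from the standard flight demo model.

```abap
REPORT zdemo_atc_sqli.  " hypothetical report name

* User-controlled input (hypothetical parameter)
PARAMETERS p_carr TYPE c LENGTH 20 LOWER CASE.

DATA: lt_carriers TYPE STANDARD TABLE OF scarr,
      lv_carrid   TYPE scarr-carrid,
      lv_quoted   TYPE string,
      lv_where    TYPE string.

*----------------------------------------------------------------------
* Before: the input is concatenated into a dynamic WHERE clause, so
* its content is parsed as part of the SQL condition.
*----------------------------------------------------------------------
CONCATENATE `CARRID = '` p_carr `'` INTO lv_where.
SELECT * FROM scarr INTO TABLE lt_carriers WHERE (lv_where).

*----------------------------------------------------------------------
* After, preferred: static Open SQL. The value is bound as a host
* variable and is never interpreted as SQL text.
*----------------------------------------------------------------------
lv_carrid = p_carr.
SELECT * FROM scarr INTO TABLE lt_carriers WHERE carrid = lv_carrid.

*----------------------------------------------------------------------
* After, if the clause must stay dynamic: CL_ABAP_DYN_PRG=>QUOTE puts
* the value in quotes and escapes embedded quotes, so it stays a
* literal inside the condition.
*----------------------------------------------------------------------
lv_quoted = cl_abap_dyn_prg=>quote( p_carr ).
CONCATENATE `CARRID = ` lv_quoted INTO lv_where.
SELECT * FROM scarr INTO TABLE lt_carriers WHERE (lv_where).
```

After correcting the statement, run ATC again with the remote check variant to confirm that the finding is gone.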

 

Checking transports before release

You can also run ATC Remote Code Analysis before transport release. In the Transport Organizer view select your transport request including your ABAP Program with the security risks and run ATC (context menu Run As > ABAP Test Cockpit):

The ATC Problems View will show the same security violation errors for your transport request:

Of course you can also configure your development system to run the ATC with Remote Code Analysis automatically when releasing a transport (this is currently supported only in the SAP GUI-based Transport Organizer SE09). Ask your system administrator to set this up (following the documentation Setting Up ATC Transport Checking – ABAP Test and Analysis Tools on SAP Help Portal).

Now you can correct the ATC findings or request an exemption.

 

Requesting exemptions

To request an exemption, position the cursor on the ATC finding and choose Request Exemption from the context menu.

More details on the exemption process are in the blog Remote Code Analysis in ATC – Working with Exemptions.

12 Comments

  1. Marcus Richter

    Hello Olga,

    thanks very much for your explanations. I’m very happy that my SAP Basis was very agile and provided to me a 7.51 System to set up the central ATC check in my whole SAP environment. Unfortunately a few systems (and especially my major system) have a lower release than 740 SP13 -> they are on SP8. Is there any possibility by downgrading per SAP Note to provide the option for developers to start the ATC checks by the local system?

    We have implemented a process to check the source code in case of release the task in the development systems. Unfortunately I can’t yet set up my CI Variants as remote check for my main system, so the acceptance for the whole process will decrease again.

    Would be very happy to get some feedback from your side if there is some solution in the pipeline or you have other customers with similar problems.

    Especially only my major ERP System is on that low release I would accept also to implement a lot of SAP Notes manually, because most other systems have the correct support package already or it’s planned to upgrade very soon.

    BR Marcus

     

    (0) 
    1. Olga Dolinskaja Post author

       

      Hi Marcus,

      thank you for the nice feedback. The downport of the 7.40 SP13 functionality for the local developer scenario to the lower SPs is unfortunately not possible. Currently our development evaluates the ways to offer a possibility of the developer scenario in lower SPs of the 7.40. Let’s stay in touch. I will inform you as soon as we have more clarity on this.

      Best regards, Olga.

       

      (1) 
      1. Marcus Richter

        Hello Olga,

        would be great if such a possibility would exist, because the next planned upgrade for the mentioned system is more than 1 year in the future.

        So if you have such notes / downports I offer myself also as pilot or test candidate.

        Feel free to contact me also directly.

        BR Marcus

        (0) 
        1. Olga Dolinskaja Post author

          Hi Mohinder,

          if you use the local developer scenario with remote ATC, then you are locally in your development system and can change the code directly there. Otherwise if you run remote ATC on the central system, you get the ATC result list there and if you double click an ATC finding from this list, you will be navigated directly to this finding in the corresponding local system and can correct it there.

          Regards,

          Olga.

          (0) 
      2. Raoul Shiro

        Thank you very much for the blog Olga,

         

        Eye opening and instructive.

        Unfortunately our ECC6 Landscape is also based on 740 SP11 –> No ATC For developers for us … it is a shame that we could benefit from this major pre-check feature.

        I assume that many other customers would be in similar situation.

        Thanks and Regards

        Raoul

        (0) 
  2. Chin Thang Kuan

    Dear Olga,

    Good morning, would like to get your expertise, my checked system (satellite system) only has SAP_BASIS 701 with Level 006 which means we are using Code Inspector check as local check.

    We set up an ATC central system which has SAP_BASIS 751.

    We are trying to perform remote ATC check from satellite system, based on your guidance, we need to set up the RFC destination : (Goto->Management of-> Reference check system), but I notice this option [ Reference check system ] was disabled.

    Kindly assist me: which authorization role was I missing?

    Many thanks.

    Best Regards,

    Kuan.

     

     

    (0) 
    1. Michael Schneider

      Hi Kuan,

      I guess you applied the manual correction instruction of SAP Note 2381403 to create the menu entry.

      Could you check whether the menu entry was set to active as described in the manual correction instruction?

        “… 10. Make sure that this new function is active (see function “Function Code Active <-> Inactive” in the toolbar). …”

      Michael

      (0) 
  3. Chin Thang Kuan

    Dear Michael,

    Good morning, yes..yes..yes…

    I didn’t click on this [ Function Code Active ]. I ONLY clicked on normal [Activate ] button.

    Many thanks for your guidance.

    Best Regards,

    Kuan.

    (0) 