Technology Blogs by SAP
DSarkar
The purpose of this blog

Recently, I got the opportunity to activate and implement CVA using a central check system on NW 7.51. In this blog I want to discuss and share my experiences, challenges and learnings from connecting CVA to the other development systems.

Background about Code Vulnerability Analyzer

The recent "WannaCry" virus attack showed us how vulnerable our IT systems are, how easy it is to hack into a system and extract data, and how easily such an attack spreads if the system is not robust enough. Security is of utmost importance to everyone, and especially when it comes to data and content we want to be extra cautious.

The product “SAP NetWeaver Application Server add-on for code vulnerability analysis” helps to identify potential security weaknesses and is available to carry out enhanced and in-depth security checks. CVA can be activated easily and integrated seamlessly with quality audit processes.

You will find many references and blogs on how to activate and make the best use of CVA. A few helpful references are listed at the end of this blog for more information on CVA.

Benefits of CVA -

  1. Scan efficiently

    • Reduced false-positive rate by dataflow analysis
    • Scanning directly from within the ABAP development environment
    • Broad range of predefined checks

  2. Developer guidance

    • Detailed help and explanations for all errors
    • Assistance to find the right location for the fix
    • Approval workflows for false positives included
    • Prioritization of checks

  3. Integrated into standard ABAP check frameworks, the SAP transport system and ABAP Test Cockpit (ATC)


CVA Activation

Recently, I got the opportunity to work for a customer to activate and implement CVA using a central check system on NW 7.51.

With Release SAP_BASIS 7.51, ATC allows you to check your own developments in older releases with the new version of the code vulnerability analysis. In this scenario, the central checking system accesses the development objects to be analyzed using RFC functions.

Below are the systems the customer had in their landscape. All the systems were at or below the 7.40 SP level, hence it was an ideal case to be integrated with a central hub system on SAP_BASIS 7.51. This would do away with the immediate requirement to upgrade each system to a compatible version/patch level.

System                              SAP_BASIS    SAP_ABA
Main development ECC 6.0            731 SP05     731 SP05
Project Portfolio Management        731 SP06     731 SP06
Fiori                               751 SP01     751 SP01
Human Resources HR                  740 SP15     740 SP15
CRM                                 700 SP16     700 SP16
Governance Risk and Compliance      702 SP09     702 SP02
BW on HANA                          740 SP11     740 SP11
BI                                  740 SP13     740 SP13



Different OSS notes, depending on the system version, were applied to install the RFC functions, enable the ATC stubs and create the necessary authorizations for the ATC stubs. The OSS notes are listed in the references below.

CVA Learnings and Best Practices

A system readiness check should be performed before CVA activation. The issues below may cause system dumps during CVA execution -

  • ASSERTION_FAILED error – Incorrect and duplicate entries may exist in the TADIR table as a result of a previous system upgrade. Cleaning up this table after each upgrade and/or migration helps to avoid CVA execution failures. When these entries were found, SAP Development Support provided a remediation program that helped to overcome the issue.

  • Some custom programs were found to be non-Unicode compliant – if any custom programs were skipped for Unicode compliance during previous upgrades, these programs may block CVA execution and cause errors and system dumps.

  • Custom programs had syntax errors – Code with syntax errors may give misleading errors during CVA checks.
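As an added example (not code from the blog or from SAP), the following report is a simple readiness check for the last two points: it lists custom executable programs whose Unicode checks are not active and programs that currently fail a syntax check, so they can be fixed before the central CVA runs hit them. The report name and the 'Z*' package default are assumptions; the TADIR cleanup mentioned above is not covered here.

```abap
REPORT zcva_readiness_check.
" Added example, not from the blog: lists custom executable programs that
" are not Unicode-enabled or fail a syntax check, two of the conditions the
" blog names as causes of dumps during CVA runs (the TADIR cleanup the blog
" mentions needs SAP's remediation program and is not covered here).
" Report name and the 'Z*' package default are assumptions.

TYPES: BEGIN OF ty_prog,
         name    TYPE trdir-name,
         uccheck TYPE trdir-uccheck,   " 'X' = Unicode checks active
       END OF ty_prog.

DATA: gv_devclass TYPE tadir-devclass,
      lt_progs    TYPE STANDARD TABLE OF ty_prog,
      ls_prog     TYPE ty_prog,
      lt_source   TYPE STANDARD TABLE OF string,
      lv_msg      TYPE string,
      lv_line     TYPE i,
      lv_word     TYPE string,
      lv_issues   TYPE i.

" Customer packages to scan (old-style syntax so the report also runs on
" the 7.00/7.31 satellite systems listed in the blog).
SELECT-OPTIONS s_devcl FOR gv_devclass DEFAULT 'Z*' OPTION CP SIGN I.

START-OF-SELECTION.
  " Executable custom programs (SUBC = '1') registered in TADIR, joined
  " with the program directory TRDIR to read the Unicode flag.
  SELECT d~name d~uccheck INTO TABLE lt_progs
    FROM tadir AS t INNER JOIN trdir AS d ON d~name = t~obj_name
    WHERE t~pgmid = 'R3TR' AND t~object = 'PROG'
      AND t~devclass IN s_devcl AND d~subc = '1'.

  LOOP AT lt_progs INTO ls_prog.
    IF ls_prog-uccheck IS INITIAL.
      WRITE: / ls_prog-name, 'Unicode checks not active'.
      lv_issues = lv_issues + 1.
    ENDIF.
    " Syntax-check the main program; its includes are resolved by the check.
    READ REPORT ls_prog-name INTO lt_source.
    CHECK sy-subrc = 0.
    SYNTAX-CHECK FOR lt_source MESSAGE lv_msg LINE lv_line WORD lv_word
      PROGRAM ls_prog-name.
    IF sy-subrc <> 0.
      WRITE: / ls_prog-name, 'Syntax error in line', lv_line, lv_msg.
      lv_issues = lv_issues + 1.
    ENDIF.
  ENDLOOP.
  WRITE: / 'Programs to fix before CVA activation:', lv_issues.
```

Run it on each satellite system before connecting it to the central check system; every program it lists is a candidate for the dumps described above.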


Limitations -

  • ATC results and functionality are available in the central system only. A developer needs to log in to the central system and execute the program checks there.

  • Currently, 7.31 SP05 is supported for remote checks from the 7.51 SP01 system. Only for the scenario where a developer wants to trigger the remote scan from the 7.31 system itself is the SP15 level required.


Future Releases -

  • To address the above limitations, SAP plans to build a report (tentatively available by June 2017) that will trigger the remote scan in the central system via RFC and display the result list in the satellite system. The developer does not need to log on to the central system, because this is handled by the RFC connection. When the developer clicks on a finding, the editor opens and the developer can analyze the finding.


References -

  • https://www.sap.com/documents/2015/07/2a9e0b90-5b7c-0010-82c7-eda71af511fa.html

  • ABAP code security: What to do in 2016? (https://blogs.sap.com/2016/01/14/2016-recommendations-for-abap-code-security-what-to-do/)
