
Integration between “SAP Code Vulnerability Analyzer” and “SAP Fortify by Micro Focus”

THIS INTEGRATION SCENARIO IS CURRENTLY (AS OF H1 2020) NOT SUPPORTED!
***
Although cyber attacks have become increasingly dangerous for companies of all sizes, many businesses are still not properly protected against security threats. As far as application security is concerned, the aim should be to eliminate vulnerabilities before software is deployed. To achieve this, security assurance needs to become an essential part of the software application lifecycle.
“SAP Code Vulnerability Analyzer”, CVA for short, is a product that carries out static analysis of ABAP source code and reports possible security risks. CVA is integrated in the ABAP Test Cockpit (ATC), the central infrastructure for functional, performance and security code checks.
SAP Fortify by Micro Focus is a software security suite that can be used to scan non-ABAP code. It therefore complements CVA, which focuses on scanning ABAP code.
Most customers’ solutions comprise both ABAP and non-ABAP applications, and reviewing findings in two different environments can be a challenge; ideally, customers want all findings displayed in a single environment. With the release of the integration between CVA and Fortify, customers can analyze all findings in Fortify Software Security Center (SSC). SSC pinpoints the root cause of each vulnerability down to the line of code, provides remediation guidance, and lets you prioritize all application vulnerabilities by severity and importance in one framework.
The integration between ATC and Fortify is implemented partly in Java and partly in ABAP. The Java part is an Eclipse plug-in containing a parser for the ATC results data. The ABAP part runs in the ATC backend and extracts the ATC results and sends them to the Fortify server.

Prerequisites:

  • The minimum release of SAP NetWeaver is 7.52 SP01. See SAP Note 2548653 for details.
  • SAP’s ATC parser plug-in, installed in Fortify SSC (minimum Fortify SSC release: 17.20). The CVA Fortify SSC plug-in is available for download in SAP’s Software Center: https://launchpad.support.sap.com/#/softwarecenter
  • An HTTP destination to the Fortify SSC server in SM59 (connection type G, HTTP connection to external server). Activate SSL on the destination and import the SSC server certificate into the SSL client PSE selected for it in STRUST, so that the uploaded findings, which include source-code locations, are not sent in the clear.
  • The SM59 destination to the Fortify SSC system must be registered as a “Replication Target” in the ATC system.
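Before registering the destination as a replication target, it is worth confirming that the SM59 entry actually reaches the SSC server with the SSL and logon settings stored in it. The following ABAP report is an added example, not part of SAP’s integration code: it opens an HTTP client on the destination, sends one GET and reports the HTTP status or the ICM error text. The destination name ZFORTIFY_SSC and the report name are assumptions; substitute the destination you created.

```abap
REPORT z_check_fortify_dest.

" Name of the SM59 destination to test. ZFORTIFY_SSC is an assumption;
" use the name you created for the Fortify SSC server.
PARAMETERS p_dest TYPE rfcdest DEFAULT 'ZFORTIFY_SSC'.

CLASS lcl_dest_check DEFINITION.
  PUBLIC SECTION.
    " Opens an HTTP client on the destination, sends one GET and returns
    " the HTTP status code. ev_code is 0 when no response was received;
    " ev_message then carries the ICM error text.
    CLASS-METHODS check
      IMPORTING iv_dest    TYPE rfcdest
      EXPORTING ev_code    TYPE i
                ev_message TYPE string.
ENDCLASS.

CLASS lcl_dest_check IMPLEMENTATION.
  METHOD check.
    DATA lo_client TYPE REF TO if_http_client.

    CLEAR: ev_code, ev_message.

    " Host, port, path prefix, proxy, SSL flag, client PSE and logon data
    " are all taken from the SM59 entry, so this exercises exactly what
    " the replication target will later use.
    cl_http_client=>create_by_destination(
      EXPORTING
        destination              = iv_dest
      IMPORTING
        client                   = lo_client
      EXCEPTIONS
        argument_not_found       = 1
        destination_not_found    = 2
        destination_no_authority = 3
        plugin_not_active        = 4
        internal_error           = 5
        OTHERS                   = 6 ).
    IF sy-subrc <> 0.
      ev_message = |Cannot create HTTP client for { iv_dest } (sy-subrc { sy-subrc })|.
      RETURN.
    ENDIF.

    lo_client->request->set_method( if_http_request=>co_request_method_get ).

    lo_client->send(
      EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3
        OTHERS                     = 4 ).
    IF sy-subrc = 0.
      lo_client->receive(
        EXCEPTIONS
          http_communication_failure = 1
          http_invalid_state         = 2
          http_processing_failed     = 3
          OTHERS                     = 4 ).
    ENDIF.
    IF sy-subrc <> 0.
      " ICM error text, e.g. SSL handshake failure or connection refused
      lo_client->get_last_error( IMPORTING message = ev_message ).
      lo_client->close( EXCEPTIONS OTHERS = 1 ).
      RETURN.
    ENDIF.

    lo_client->response->get_status(
      IMPORTING
        code   = ev_code
        reason = ev_message ).
    lo_client->close( EXCEPTIONS OTHERS = 1 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_code TYPE i.
  DATA lv_msg  TYPE string.

  lcl_dest_check=>check(
    EXPORTING iv_dest    = p_dest
    IMPORTING ev_code    = lv_code
              ev_message = lv_msg ).

  IF lv_code = 0.
    WRITE: / 'Destination', p_dest, 'not usable:', lv_msg.
  ELSE.
    WRITE: / 'Destination', p_dest, 'answered with HTTP', lv_code, lv_msg.
  ENDIF.
```

If the report shows no HTTP status at all, the error text usually points at a wrong host or port, or at an SSL handshake failure because the SSC server certificate (or its issuing CA) is missing from the SSL client PSE chosen in the destination’s “Logon & Security” tab. Only once the destination returns a status code from SSC does it make sense to register it as a replication target in ATC.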


Fig 1 Selecting results for upload

Fig 2 Viewing details of ATC findings in Fortify

Licensing and pricing

The CVA metric is user-based: a user is anyone who starts a CVA run or makes use of the results of a CVA run. Licenses are sold in blocks of 5 users, with a ceiling of 100 users. The material code is 7016581.

The Fortify metric is installation-based. It depends on the number of applications on which the customer wants to run static or dynamic security tests: each component that provides part of an application’s functionality and can be deployed separately counts as one installation. The material code is 7018919.

Documentation and video

Here is a link to the documentation on this topic:
https://help.sap.com/viewer/DRAFT/ba879a6e2ea04d9bb94c7ccd7cdac446/7.52.1/en-US/c33d5f3cf4f94ff285d6c5078fb913a0.html

Here is a link to a video on this topic:
https://youtu.be/ttkUsDJeKbs

Contact: Peter Barker

4 Comments
  • Would like to understand if the below products are the same or whether there is a distinction between them:

    “SAP Code Vulnerability Analyzer”  &  “SAP NetWeaver Application Server, add-on for code vulnerability analysis”

  • “SAP Code Vulnerability Analyzer” is the new name. It is simpler than the old name which was misleading because CVA is NOT an add-on. It is part-and-parcel of NetWeaver which is one of its main advantages.

  • Hi Peter,

    I have a query with respect to the SAP CVA license: suppose a customer has a license for one block, then how many runs can he execute?

    /Deva