Integration between “SAP Code Vulnerability Analyzer” and “SAP Fortify by Micro Focus”
THE INTEGRATION BETWEEN SAP CODE VULNERABILITY ANALYZER AND SAP FORTIFY BY MICRO FOCUS IS NO LONGER SUPPORTED. THIS IS DUE TO A LACK OF INTEREST FROM CUSTOMERS IN THE PILOT VERSION.
***
Although cyber attacks have become increasingly dangerous for companies of all sizes, many businesses are not properly protected against security threats. As far as application security is concerned, the aim should be to eliminate vulnerabilities before software is deployed. To achieve this, security assurance needs to become an essential part of the software application lifecycle.
“SAP Code Vulnerability Analyzer”, CVA for short, is a product that carries out static analysis of ABAP source code and reports possible security risks. CVA is integrated in the ABAP Test Cockpit (ATC), the central infrastructure for functional, performance and security code checks.
SAP Fortify by Micro Focus is a software security suite that can be used to scan non-ABAP coding. This means that it complements CVA which focuses on scanning ABAP coding.
Most customers’ solutions comprise both ABAP and non-ABAP applications and displaying the results in two different environments can be a challenge. Therefore, they would ideally like to display findings in a single environment. With the release of the integration between CVA and Fortify, customers can analyze all the findings in Fortify Software Security Center. It pinpoints the root cause of vulnerabilities with line of code details and remediation guidance and it allows you to prioritize all application vulnerabilities by severity and importance, all in the same framework.
The integration between ATC and Fortify is partly implemented in Java and partly in ABAP. The Java part is represented by an Eclipse plug-in containing a parser for the ATC results data. The ATC backend contains some software written in ABAP to extract and send ATC results to the Fortify server.
Prerequisites:
- The minimum release of SAP NetWeaver is 7.52 SP01. Please read the SAP note 2548653 for details.
- SAP’s ATC parser plugin. The plugin is installed in Fortify SSC (minimum Fortify SSC release: 17.20). The CVA Fortify SSC plug-in is available for download in SAP’s Software Center: https://launchpad.support.sap.com/#/softwarecenter
- An external HTTP destination entry for the Fortify SSC application in SM59 (connection type G)
- The destination to the Fortify SSC system (as configured in SM59) should be registered as a “Replication Target” in the ATC system.
Fig 1 Selecting results for upload
Fig 2 Viewing details of ATC findings in Fortify
Licensing and pricing
The CVA metric is based on the number of users, that is, anyone generating a CVA run or making use of the results of a CVA run. It is sold in blocks of 5 users and there is a ceiling at 100 users. The material code is 7016581.
The Fortify metric is installation based. It depends on the number of applications where the customer wants to run static or dynamic security tests. Each application that provides part of the functionality of the overall application and can be deployed separately needs to be counted as an installation. The material code is 7018919.
Documentation and video
Here is a link to the documentation on this topic:
https://help.sap.com/viewer/DRAFT/ba879a6e2ea04d9bb94c7ccd7cdac446/7.52.1/en-US/c33d5f3cf4f94ff285d6c5078fb913a0.html
Here is a link to a video on this topic:
https://youtu.be/ttkUsDJeKbs
Contact: Peter Barker
Would like to understand if the below products are the same or whether there is a distinction between the two?
"SAP Code Vulnerability Analyzer" & "SAP NetWeaver Application Server, add-on for code vulnerability analysis"
"SAP Code Vulnerability Analyzer" is the new name. It is simpler than the old name which was misleading because CVA is NOT an add-on. It is part-and-parcel of NetWeaver which is one of its main advantages.
Hi Peter,
I have a query with respect to the SAP CVA license: suppose a customer has a license for one block, then how many runs can he execute?
/Deva
Hi Deva,
Once you have a CVA license you can do as many runs as you like.
Best regards
Peter
Is it possible to use Fortify to analyse an SAP BTP MTAR file?
Hello Silas,
Background: SAP no longer supports the integration between CVA and Fortify.
Technically, all sorts of things are possible but we don't support everything 🙂
Best regards
Peter
I have a query with respect to the number of users.
I activated this on sandbox. We have a single block license, which implies 5 users are allowed to use this.
Now my worry is how do I restrict a developer from using it. It is obviously integrated in the SLIN Extended Program Check. The checkbox is apparently visible to all and can be selected by anyone executing SLIN in the course of their normal development.
How do I ensure that no one other than me selects CVA checks while executing SLIN? A BADI perhaps to restrict it to certain users?
Hello Shadab,
Here is an FAQ that I have found:
Q: Can a company prevent certain developers from using CVA to reduce the number of users and reduce licensing costs?
A: We are not aware of any official way of doing this and it would be a false economy because all developers should check their code using CVA.
What they can do: Create a check variant in Code Inspector without CVA. This is what most of their users work with (probably the DEFAULT variant). Create a special check variant in Code Inspector with CVA which only, say, five special users may use. This is of course not a technically bullet-proof solution. And one wonders what the five special users will do with the results. As soon as they communicate the results to other users then those other users automatically become CVA users as well.
Best regards
Peter