SAP Code Vulnerability Analyzer (CVA) – FAQs

This document supplies answers to frequently asked questions about SAP Code Vulnerability Analyzer (CVA).

Introduction

SAP Code Vulnerability Analyzer (CVA) is based on the infrastructure of ABAP Test Cockpit (ATC). ATC provides a general check infrastructure including standard checks for functional correctness and performance. CVA delivers additional security checks.
The following blogs provide valuable background information about ATC and are worth reading before or in parallel with this FAQ about CVA:

Here is a blog about ATC.

For more information about Remote Code Analysis in ATC please take a look at Remote Code Analysis in ATC – One central check system for multiple systems on various releases.

Take a look at this FAQ blog about ATC.

Security strategy and positioning of CVA

Q: What does “shift testing to the left” mean?

A: Test earlier. The earlier you identify and resolve security vulnerabilities the more damage you avoid and the cheaper it is in the long run. Resolving vulnerabilities after deployment, for example after a penetration test or a cyber attack is far more expensive.

Q: Developers test software so why don’t they also test for security?

A: Because they don’t have a tool.

Q: How can we compare static and dynamic security testing?

A: We recommend customers do both static and dynamic security testing. There might be situations in which some security vulnerabilities in Web-based applications can only be identified when the application is running. As this is late in the development lifecycle, we recommend you start early with static security testing to identify and fix most of the security vulnerabilities and to keep the list of findings once the application is fully running to a minimum. The later we find security vulnerabilities the more expensive it is to fix them. Therefore, static and dynamic security testing is the best combination -static to keep costs down and dynamic to make security testing complete.

Q: How are static and dynamic testing connected?

A: A static vulnerability might also crop up as a dynamic vulnerability. It may well be that it looks worse as a dynamic vulnerability than it did as a static one. The combination of static and dynamic = defense in depth.

Q: What is SAP’s official recommendation for scanning ABAP custom code?

A: SAP Code Vulnerability Analyzer. The material code for the Suite and S/4 is 7019502.

Q: There are partner products and other 3rd party products that also scan ABAP custom code. Why choose CVA?

A: CVA is the recommended product for scanning ABAP custom code for several reasons:

CVA is an ABAP product and is part of ABAP Test Cockpit which is part of NetWeaver. It is not an add-on; it is written in ABAP and is deeply integrated in the SAP landscape unlike alternative products.

SAP uses CVA to scan its own ABAP code.

ABAP is an SAP language and the ABAP language developers work alongside the CVA developers.

To update CVA all you have to do is install the latest SP on your central system (see below for information about a central scanning system). You don’t have to engage in long-winded and error-prone update procedures as with alternative products.

Q: When was CVA first released as a product?

A: CVA has been around since 2014.

Q: How many checks are there?

A: Around 70, but the number of checks is not significant. The important thing is to have the right checks.

Q: How often does SAP check its coding?

A: Once a week, both old and new coding, including when we transport coding.

Q: Is there any 3rd party software in CVA?

A: No, there is no 3rd party software in CVA.

Q: Can customers scan SAP coding with CVA or just their own custom code?

A: Customers can scan their own code and 3rd party add-ons but not SAP code. This is restricted via namespaces.

Q: What is the relationship between CVA and ATC?

A: ATC provides a technical check infrastructure and functional and performance checks. CVA provides security checks based on ATC.

Q: What is the difference between CVA checks and Code Inspector checks?

A: The security checks that Code Inspector offers are very superficial. CVA carries out a dataflow analysis which reduces the number of false positives.

Q: What does CVA offer over and above the Code Inspector (CI) checks?

A: CVA differs from CI in the following respects:

CVA focuses specifically on identifying and managing security vulnerabilities.

CVA provides CVA-specific support in case of problems.

CI constitutes a general code scanning tool.

CI allows developer to suppress issues in the code without applying for an exemption.

CI allows developer to create additional custom checks.

CI Does not provide vulnerability-specific support.

Q: Is the transition to S/4 a problem for CVA?

A: No, because CVA scans static code. It does not analyze business processes.

Q: How do you start a CVA scan in SAP Cloud Platform ABAP Environment (Steampunk)?

A: Find your Steampunk system in Eclipse and execute a scan using the packages of the application. Use the variant SAP_CLOUD_PLATFORM_DEFAULT.

What can be scanned

Q: What types of objects are checked?

A: Programs, function groups, class pools, BSPs, Adobe Forms, Smart Forms.

Q: How many levels deep does CVA scan code?

A: The dataflow analysis scans through all call levels within a compilation unit (program, global class, function group). In some checks we don’t have to analyze a data flow but do other searches in several call levels. Most of these checks follow the call graph across the boundaries of compilation units. It scans the specified entity. For example, if you scan a report but this report is called by a function module then CVA will not scan the function module.

Q: Why are there BSP checks?

A: ABAP coding can be embedded in BSP pages. The ABAP code is then part of the generated ABAP coding. The BSP checks check this generated ABAP code. There are also a couple of checks that check BSP attributes.

Q: Do we have any limitations in BW Systems? Is there anything we should take in account?

A: No.

Q: Can we scan generated code, for example, code that Web Dynpro generates?

A: Yes, there is a checkbox to specify this.

Q: Does CVA scan SAPscript?

A: No.

Q: Does CVA scan Smart Forms and Adobe Forms?

A: Yes. Smart Forms are scanned as of SAP_BASIS 7.52 SP 01 or 7.53 SP 0 (note 2534180). SAP Interactive Forms by Adobe are scanned as of NW 7.52 SP 03 or 7.53 SP 0 (note 2629856).

Q: Can CVA scan modifications?

A: Yes, CVA can scan modifications (from NetWeaver 7.52 onwards), enhancements, user exits and generated code that contains custom code.

Q: Are custom BSP pages and event handlers scanned?

A: Yes, this is available with NW 7.50.

Q: How are customer enhancements dealt with?

A: Customer enhancements are located in a customer package (or in a customer namespace). This means that findings in enhancements (or findings through which the data flows) are also reported to the customer.

Q: Can we scan foreign namespaces (fremde Namensräume)?

A: Yes, but not SAP coding (apart from modifications, enhancements and user exits).

Q: Can CVA test hidden code?

A: Hidden code is code in the database which the compiler can execute but which CVA cannot access. The ability to hide code in the database was available in old releases but has now been removed via a security note on all relevant Suite releases.

Q: Can we scan 3rd party coding that is in a different namespace?

A: Yes.

Q: Can we analyze partner code?

A: Yes.

Q: Can I select which checks are executed?

A: You can change the priorities of individual checks and thus suppress findings.

Q: What is BRF+ and can CVA scan it?

A: BRF+ allows customers to develop their own rules. These extensions are developed in normal classes in the customer name space. That means that CVA can scan these classes.

Licensing

Q: How does licensing work?

A: This is user-based licensing. It is capped at 100 users, so a customer only pays for the first 100 users. A user is anyone who either triggers a CVA run or who uses the results of a CVA run. So, an employee who receives a list of security vulnerabilities from a CVA run is also a user.

Scenario: I scan my ABAP coding using CVA, so I am a CVA user. I paste the check results into a Word document or into an Excel and send it to my quality manager who reviews the check results. He is now also a CVA user. He forwards it to another developer to resolve the vulnerabilities listed in the check results. That developer is now also a CVA user.

Q: How does the customer know that he has a license?

A: They can ask the account executive.

Q: If a customer employs freelancers on a project basis does the customer have to license each and every freelancer or can the customer just license the maximum number of freelancers working at the company at any one time?

A: To be fair the customer just licenses generically so that the maximum number of freelancers working at the company at any one time has to be licensed.

Q: Do customers also need an SAP user as well as a CVA license?

A: Yes.

Q: If a customer uses a central system on HEC can they also use it for the Business Suite?

A: Yes, because it is user-based licensing.

Q: Can a customer activate CVA even if they don’t have a license?

A: Technically yes, but a warning popup is displayed.

Q: Can a company prevent certain developers from using CVA to reduce the number of users and reduce licensing costs?

A: This would be a false economy because all developers should check their code using CVA.

Q: Is it possible to arrange a POC (proof-of-concept) so that we can persuade management to buy a CVA license?

A: Yes, a POC can be arranged with a consultant who will use CVA can scan a part of your ABAP custom code. This will give you an impression of the sorts of vulnerabilities lurking in the rest of your system. If you are interested in a POC please contact your account executive.

Q: If a customer has a CVA license for ERP can they use it for S/4?

A: No, they need a new license. Please contact your account executive to discuss the pricing details.

Q: With CVA on BTP is a customer limited, from a licensing point of view, to scanning a certain number or type of systems?

A: No, CVA on BTP can scan as many systems as the customer likes as long as the resources are sufficient. There are no licensing restrictions regarding the number of systems.

Releases

Q: How often are there releases in the cloud and on-premise?

A: Four times a year in the cloud, once a year on-premise.

Q: New checks are delivered with the latest SP. How often are there new SPs?

A: That depends on the release. On old releases about once a year. On S/4 once a quarter.

Q: How long does it take to create a new check?

A: Weeks or months. Not days, and not years. SAP delivers it with the next SP. However, bugs are fixed using patches.

Q: Is there a notification for the customer when a new check is released?

A: No, but there is a release note listing new checks per release.

Q: Customers do not get NW 7.53 standalone so how do they get the new checks if they are still on NW 7.52?

A: SAP downports new checks to NW 7.52.

Q: Are findings and product release necessarily linked?

A: No, a customer can release a product even if there are unresolved findings.

Setting up and running CVA

Q: How long does it take to install and set up CVA?

A: It depends on the landscape but for someone who knows what they are doing about half a day. You have to connect the local systems and so on.

Q: Which systems do you scan – DEV, QM or PROD?

A: Generally, the development system or the QM system (it combines development objects, and this can lead to new findings.) but rarely the production system.

Q: Can you specify that CVA scans the whole system and if so, how long would this take?

A: Yes. If it is the whole SAP system, it may take a weekend. If it is just a program it may only take a few seconds.

Q: If scanning the whole system takes too long is there another approach the customer can adopt?

A: They could go through it package by package.

Q: How can CVA be implemented at a company without being rejected by developers who are busy with other tasks?

A: Implementing CVA at a company can often encounter resistance because resolving security vulnerabilities involves extra work. One should adopt a phased approach so that its introduction is acceptable to developers. Here are some recommendations:

Gradually extend the scope of what is checked.

First, just introduce CVA to a pilot group of developers.

Make use of the baseline function to temporarily suppress less critical messages.

Take account of the different priorities. For example, hide all priority 3 messages which (in the standard) do not prevent a transport. That will allow developers to focus on what really matters.

Q: Which variant do I have to select in ATC in order to trigger a CVA scan? Where is this in ATC?

A: If you select the variant SLIN_SEC then only CVA runs. Or you can create your own variant in Code Inspector and select more than just the CVA checks. If CVA has been activated, then you will find the CVA checks in the category “Security checks”.

Q: What exactly is SLIN_SEC?

A: It is a Code Inspector variant.

Q: How can the number of objects to be checked be restricted?

A: The object quantity (Objektmenge) is defined in Code Inspector.

Q: Can you activate / deactivate individual checks?

A: To a certain extent „yes“. You can turn CVA / BSP checks on and off using a Code Inspector variant. That turns on all the CVA checks. Then you can turn off individual checks by specifying the priority “No Message”. However, this is a very roundabout way of doing things. Please bear in mind that setting priorities is effective for all check variants. So, you can’t activate a check abc in variant V1 and deactivate it in variant V2. At least, you would have to turn it on or off in the relevant variant before each check run which is very impractical.

Q: CVA runs in Eclipse but does a customer have to use Eclipse or can they run CVA in SAP GUI?

A: They can use SAP GUI instead if they prefer.

Q: How can you run checks in the background?

A: Transaction ATC -> (Select a run and schedule it using the button “Schedule”) -> Program -> Execute in background.

Q: What is the difference between the following two options in Eclipse: RMB on program -> Run As -> “ABAP Test Cockpit” and “ABAP Test Cockpit With…”?

A: With „ABAP Test Cockpit“ the check run is executed directly. Those checks are executed that are specified in the check variant with the name DEFAULT.
With „ABAP Test Cockpit With…“ you first have the option of making various settings: Add additional objects to be checked, select a different check variant, …To trigger the check run, press F8

Q: Do we have sizing recommendations for ATC in the cloud?

A: We recommend the minimum sizing for a Steampunk system.

Q: Can CVA, used as a central system on BTP, scan several systems?

A: Technically, CVA on BTP can scan several systems but not at the same time. We do not yet (November 2021) have parallelization.

Dataflow

Q: What is a dataflow analysis?

A: Dataflow analysis involves the way data is transferred and processed within a program. The data is tracked through the coding without executing it.

Q: Dataflow: How many applications does it go through?

A: Only one; it does not cross compilation units. It stays within, say, a function group, for example; it does not jump between classes, programs and function groups.

It can check all the methods of a global class.

If an input parameter is used in a report that calls a function module then any vulnerability is only found in the report if that is what you are scanning. To find any vulnerability in the function module you need to scan the function module.

If a class has an include then that include is also scanned.

Dealing with findings

Q: When a company does a CVA run for the first time how many findings are likely to be generated?

A: Quite possibly thousands.

Q: What options do customers have to visualize the check results?

A: Once the customer has scanned the ABAP coding the check results are displayed in ATC (ABAP Test Cockpit).
The check results can also be extracted to Solution Manager and visualized there with the tools available.
Also, notification e-mails can be requested when scheduling runs in ATC: Schedule Runs -> Mark your run -> Schedule -> See the last box “Notification” -> Mark “Send Notifications to Contacts”.

Q: Does a finding have an identifiable ID?

A: Yes, it consists of a hash value for the code line + 4 statements before and after. The ID remains the same even if the coding is moved.

Q: If a customer requests an exemption for a specific finding for a report, is it a permanent exemption or will CVA flag the same finding whenever the report is updated?

A:The exemption is created for a specific CVA finding. If the source code near the finding (usually 5 statements before and after) is changed then the exemption is no longer valid.

Q: Which vulnerabilities should one start to fix first?

A: Here are a few hints:

Start with hard-coded user names. These are important and easy to fix.

Then go for SQL-injections.

After that fix directory traversals.

Reporting

Q: Can the list of findings be exported into a Word document?

A: Yes.

Q: Can the quality manager only get a list of vulnerabilities in the form of an Excel / Word document?

A: No, the quality manager can see them in the system. Excel / Word is just an additional option.

Solution Manager

Q: Why shouldn’t CVA and Solution Manager run on the same system?

A: Because of the minimum ABAP release. CVA on a central system requires at least NW 7.51. Solution Manager 7.2 SP06 runs on NW 7.40 and no higher.

Q: Frequently used coding is more critical than coding that is rarely used. How can you tell how often coding is used?

A: You can see this in Solution Manager.

Q: Can you resolve the security vulnerabilities from within ChaRM?

A: No.

Q: Can you create exemptions from within ChaRM?

A: No.

Q: Can ChaRM be used to release transports?

A: Yes, you release the task (Aufgabe) or transport in ChaRM. You can also specify that transports only take place if the CVA vulnerabilities have been fixed independently of ChaRM.

Q: Do customers have to resolve vulnerabilities in coding if the coding is never used?

A: Customers can use Solution Manager to identify coding that is never used. They can then just deactivate the coding instead of resolving the vulnerabilities.