Author: Peter Barker

SAP Code Vulnerability Analyzer (CVA) – FAQs

This document supplies answers to frequently asked questions about SAP Code Vulnerability Analyzer (CVA).

Introduction

SAP Code Vulnerability Analyzer (CVA) is based on the infrastructure of ABAP Test Cockpit (ATC). ATC provides a general check infrastructure including standard checks for functional correctness and performance. CVA delivers additional security checks.
The following blogs provide valuable background information about ATC and are worth reading before or in parallel with this FAQ about CVA:

Here is a blog about ATC.

For more information about Remote Code Analysis in ATC please take a look at Remote Code Analysis in ATC – One central check system for multiple systems on various releases.

Take a look at this FAQ blog about ATC.

Security strategy and positioning of CVA

Q: What does “shift testing to the left” mean?

A: Test earlier. The earlier you identify and resolve security vulnerabilities, the more damage you avoid and the cheaper it is in the long run. Resolving vulnerabilities after deployment, for example after a penetration test or a cyber attack, is far more expensive.

Q: Developers test software so why don’t they also test for security?

A: Because they don’t have a tool.

Q: How can we compare static and dynamic security testing?

A: We recommend customers do both static and dynamic security testing. There are situations in which some security vulnerabilities in Web-based applications can only be identified while the application is running. As this is late in the development lifecycle, we recommend you start early with static security testing to identify and fix most of the security vulnerabilities, so that the list of findings once the application is fully running is kept to a minimum. The later a security vulnerability is found, the more expensive it is to fix. Static and dynamic security testing are therefore the best combination: static to keep costs down, dynamic to make security testing complete.

Q: How are static and dynamic testing connected?

A: A static vulnerability might also show up as a dynamic vulnerability, and it may well look worse as a dynamic vulnerability than it did as a static one. The combination of static and dynamic testing is defense in depth.

Q: What is SAP’s official recommendation for scanning ABAP custom code?

A: SAP Code Vulnerability Analyzer. The material code for the Suite and S/4 is 7019502.

Q: There are partner products and other 3rd party products that also scan ABAP custom code. Why choose CVA?

A: CVA is the recommended product for scanning ABAP custom code for several reasons:

  • CVA is an ABAP product and is part of ABAP Test Cockpit which is part of NetWeaver. It is not an add-on; it is written in ABAP and is deeply integrated in the SAP landscape unlike alternative products.
  • SAP uses CVA to scan its own ABAP code.
  • ABAP is an SAP language and the ABAP language developers work alongside the CVA developers.
  • To update CVA all you have to do is install the latest SP on your central system (see below for information about a central scanning system). You don’t have to engage in long-winded and error-prone update procedures as with alternative products.

    Q: When was CVA first released as a product?

    A: CVA has been around since 2014.

    Q: How many checks are there?

    A: Around 70, but the number of checks is not significant. The important thing is to have the right checks.

    Q: How often does SAP check its coding?

    A: Once a week, both old and new coding, including when we transport coding.

    Q: Is there any 3rd party software in CVA?

    A: No, there is no 3rd party software in CVA.

    Q: Can customers scan SAP coding with CVA or just their own custom code?

    A: Customers can scan their own code and 3rd party add-ons but not SAP code. This is restricted via namespaces.

    Q: What is the relationship between CVA and ATC?

    A: ATC provides a technical check infrastructure and functional and performance checks. CVA provides security checks based on ATC.

    Q: What is the difference between CVA checks and Code Inspector checks?

    A: The security checks that Code Inspector offers are very superficial. CVA carries out a dataflow analysis which reduces the number of false positives.

    Q: What does CVA offer over and above the Code Inspector (CI) checks?

    A: CVA differs from CI in the following respects:

  • CVA focuses specifically on identifying and managing security vulnerabilities.
  • CVA provides CVA-specific support in case of problems.
  • CI constitutes a general code scanning tool.
  • CI allows developers to suppress issues in the code without applying for an exemption.
  • CI allows developers to create additional custom checks.
  • CI does not provide vulnerability-specific support.

    Q: Is the transition to S/4 a problem for CVA?

    A: No, because CVA scans static code. It does not analyze business processes.

    Q: How do you start a CVA scan in SAP Cloud Platform ABAP Environment (Steampunk)?

    A: Find your Steampunk system in Eclipse and execute a scan using the packages of the application. Use the variant SAP_CLOUD_PLATFORM_DEFAULT.

    What can be scanned

    Q: What types of objects are checked?

    A: Programs, function groups, class pools, BSPs, Adobe Forms, Smart Forms.

    Q: How many levels deep does CVA scan code?

    A: The dataflow analysis scans through all call levels within a compilation unit (program, global class, function group). In some checks we don’t have to analyze a data flow but do other searches in several call levels. Most of these checks follow the call graph across the boundaries of compilation units. It scans the specified entity. For example, if you scan a report but this report is called by a function module then CVA will not scan the function module.

    Q: Why are there BSP checks?

    A: ABAP coding can be embedded in BSP pages. That ABAP code becomes part of the ABAP coding generated from the page, and the BSP checks examine this generated ABAP code. There are also a couple of checks that examine BSP attributes.

    Q: Do we have any limitations in BW Systems? Is there anything we should take in account?

    A: No.

    Q: Can we scan generated code, for example, code that Web Dynpro generates?

    A: Yes, there is a checkbox to specify this.

    Q: Does CVA scan SAPscript?

    A: No.

    Q: Does CVA scan Smart Forms and Adobe Forms?

    A: Yes. Smart Forms are scanned as of SAP_BASIS 7.52 SP 01 or 7.53 SP 0 (note 2534180). SAP Interactive Forms by Adobe are scanned as of NW 7.52 SP 03 or 7.53 SP 0 (note 2629856).

    Q: Can CVA scan modifications?

    A: Yes, CVA can scan modifications (from NetWeaver 7.52 onwards), enhancements, user exits and generated code that contains custom code.

    Q: Are custom BSP pages and event handlers scanned?

    A: Yes, this is available with NW 7.50.

    Q: How are customer enhancements dealt with?

    A: Customer enhancements are located in a customer package (or in a customer namespace). This means that findings in enhancements (or findings through which the data flows) are also reported to the customer.

    Q: Can we scan foreign namespaces?

    A: Yes, but not SAP coding (apart from modifications, enhancements and user exits).

    Q: Can CVA test hidden code?

    A: Hidden code is code stored in the database that the ABAP system can still compile and execute but that CVA cannot read. The ability to hide code in the database was available in old releases but has now been removed via a security note on all relevant Suite releases.

    Q: Can we scan 3rd party coding that is in a different namespace?

    A: Yes.

    Q: Can we analyze partner code?

    A: Yes.

    Q: Can I select which checks are executed?

    A: Not directly. You can change the priorities of individual checks (down to "No Message") and thus suppress their findings.

    Licensing

    Q: How does licensing work?

    A: This is user-based licensing. It is capped at 100 users, so a customer only pays for the first 100 users. A user is anyone who either triggers a CVA run or who uses the results of a CVA run. So, an employee who receives a list of security vulnerabilities from a CVA run is also a user.

    Scenario: I scan my ABAP coding using CVA, so I am a CVA user. I paste the check results into a Word document or into an Excel and send it to my quality manager who reviews the check results. He is now also a CVA user. He forwards it to another developer to resolve the vulnerabilities listed in the check results. That developer is now also a CVA user.

    Q: How does the customer know that he has a license?

    A: They can ask the account executive.

    Q: If a customer employs freelancers on a project basis does the customer have to license each and every freelancer or can the customer just license the maximum number of freelancers working at the company at any one time?

    A: The customer licenses generically: the maximum number of freelancers working at the company at any one time has to be licensed.

    Q: Do customers also need an SAP user as well as a CVA license?

    A: Yes.

    Q: If a customer uses a central system on HEC can they also use it for the Business Suite?

    A: Yes, because it is user-based licensing.

    Q: Can a customer activate CVA even if they don’t have a license?

    A: Technically yes, but a warning popup is displayed.

    Q: Can a company prevent certain developers from using CVA to reduce the number of users and reduce licensing costs?

    A: This would be a false economy because all developers should check their code using CVA.

    Q: Is it possible to arrange a POC (proof-of-concept) so that we can persuade management to buy a CVA license?

    A: Yes, a POC can be arranged with a consultant who will use CVA to scan a part of your ABAP custom code. This will give you an impression of the sorts of vulnerabilities lurking in the rest of your system. If you are interested in a POC please contact your account executive.

    Releases

    Q: How often are there releases in the cloud and on-premise?

    A: Four times a year in the cloud, once a year on-premise.

    Q: New checks are delivered with the latest SP. How often are there new SPs?

    A: That depends on the release. On old releases about once a year. On S/4 once a quarter.

    Q: How long does it take to create a new check?

    A: Weeks or months. Not days, and not years. SAP delivers it with the next SP. However, bugs are fixed using patches.

    Q: Is there a notification for the customer when a new check is released?

    A: No, but there is a release note listing new checks per release.

    Q: Customers do not get NW 7.53 standalone so how do they get the new checks if they are still on NW 7.52?

    A: SAP downports new checks to NW 7.52.

    Q: Are findings and product release necessarily linked?

    A: No, a customer can release a product even if there are unresolved findings.

    Setting up and running CVA

    Q: How long does it take to install and set up CVA?

    A: It depends on the landscape but for someone who knows what they are doing about half a day. You have to connect the local systems and so on.

    Q: Which systems do you scan – DEV, QM or PROD?

    A: Generally, the development system or the QM system (which combines development objects and can therefore produce new findings), but rarely the production system.

    Q: Can you specify that CVA scans the whole system and if so, how long would this take?

    A: Yes. If it is the whole SAP system, it may take a weekend. If it is just a program it may only take a few seconds.

    Q: If scanning the whole system takes too long is there another approach the customer can adopt?

    A: They could go through it package by package.

    Q: How can CVA be implemented at a company without being rejected by developers who are busy with other tasks?

    A: Implementing CVA at a company can often encounter resistance because resolving security vulnerabilities involves extra work. One should adopt a phased approach so that its introduction is acceptable to developers. Here are some recommendations:

  • Gradually extend the scope of what is checked.
  • First, just introduce CVA to a pilot group of developers.
  • Make use of the baseline function to temporarily suppress less critical messages.
  • Take account of the different priorities. For example, hide all priority 3 messages which (in the standard) do not prevent a transport. That will allow developers to focus on what really matters.
    Q: Which variant do I have to select in ATC in order to trigger a CVA scan? Where is this in ATC?

    A: If you select the variant SLIN_SEC then only CVA runs. Or you can create your own variant in Code Inspector and select more than just the CVA checks. If CVA has been activated, then you will find the CVA checks in the category “Security checks”.

    Q: What exactly is SLIN_SEC?

    A: It is a Code Inspector variant.

    Q: How can the number of objects to be checked be restricted?

    A: The set of objects to check is defined in Code Inspector.

    Q: Can you activate / deactivate individual checks?

    A: To a certain extent, yes. You can turn the CVA / BSP checks on and off using a Code Inspector variant, but that turns on all the CVA checks. You can then turn off individual checks by giving them the priority "No Message". However, this is a very roundabout way of doing things. Please bear in mind that setting priorities is effective for all check variants, so you can't activate a check abc in variant V1 and deactivate it in variant V2; at best you would have to turn it on or off before each check run, which is very impractical.

    Q: CVA runs in Eclipse but does a customer have to use Eclipse or can they run CVA in SAP GUI?

    A: They can use SAP GUI instead if they prefer.

    Q: How can you run checks in the background?

    A: Transaction ATC -> (Select a run and schedule it using the button “Schedule”) -> Program -> Execute in background.

    Q: What is the difference between the following two options in Eclipse: RMB on program -> Run As -> “ABAP Test Cockpit” and “ABAP Test Cockpit With…”?

    A: With "ABAP Test Cockpit" the check run is executed directly, using the checks specified in the check variant named DEFAULT.
    With "ABAP Test Cockpit With…" you first have the option of making various settings: adding objects to be checked, selecting a different check variant, and so on. To trigger the check run, press F8.

    Dataflow

    Q: What is a dataflow analysis?

    A: Dataflow analysis follows how data is passed around and processed within a program. The data is tracked through the coding without executing it.

    Q: Dataflow: How many applications does it go through?

    A: Only one; it does not cross compilation units. It stays within, say, a function group, for example; it does not jump between classes, programs and function groups.

  • It can check all the methods of a global class.
  • If an input parameter is used in a report that calls a function module then any vulnerability is only found in the report if that is what you are scanning. To find any vulnerability in the function module you need to scan the function module.
  • If a class has an include then that include is also scanned.
    Dealing with findings

    Q: When a company does a CVA run for the first time how many findings are likely to be generated?

    A: Quite possibly thousands.

    Q: What options do customers have to visualize the check results?

    A: Once the customer has scanned the ABAP coding the check results are displayed in ATC (ABAP Test Cockpit).
    The check results can also be extracted to Solution Manager and visualized there with the tools available.
    Also, notification e-mails can be requested when scheduling runs in ATC: Schedule Runs -> Mark your run -> Schedule -> See the last box “Notification” -> Mark “Send Notifications to Contacts”.

    Q: Does a finding have an identifiable ID?

    A: Yes. It is a hash value computed over the code line plus the 4 statements before and after it, so the ID remains the same even if the coding is moved.
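As an illustration of the scheme just described, here is an added Python example; it is not CVA's code. The hash function (SHA-256, truncated) and the whitespace normalisation are assumptions, and the sample report is constructed for the demo. It shows why a finding keeps its ID when the code is moved, but gets a new one when a statement inside the nine-statement window changes.

```python
"""Stable finding IDs from a context window, as the FAQ describes.

Added example: the FAQ says a finding ID hashes the flagged line plus the
four statements before and after it. The hash function (SHA-256, truncated)
and the whitespace normalisation are assumptions, not CVA's algorithm.
"""
import hashlib

CONTEXT = 4  # statements before and after the flagged statement

# Constructed sample report (not from the page). The flagged statement is the
# SELECT with a dynamic WHERE built from a selection-screen parameter.
ORIGINAL = """\
REPORT z_cva_demo.
PARAMETERS p_cust TYPE c LENGTH 40.
DATA lv_where TYPE string.
DATA lt_hits TYPE TABLE OF kna1.
lv_where = |NAME1 = '{ p_cust }'|.
WRITE: / 'Searching'.
SELECT * FROM kna1 INTO TABLE lt_hits WHERE (lv_where).
LOOP AT lt_hits INTO DATA(ls_hit).
WRITE: / ls_hit-kunnr.
ENDLOOP.
WRITE: / 'Done'.
"""
# Same code moved two statements further down: unrelated declarations on top.
MOVED = "DATA lv_count TYPE i.\nlv_count = 0.\n" + ORIGINAL
# An edit to a statement inside the window of the flagged SELECT.
NEIGHBOUR_EDITED = ORIGINAL.replace("WRITE: / 'Searching'.",
                                    "WRITE: / 'Searching customers'.")
# An edit outside the window (REPORT is six statements above the SELECT).
FAR_EDITED = ORIGINAL.replace("REPORT z_cva_demo.", "REPORT z_cva_demo_v2.")


def statements(source):
    """One statement per period-terminated line; whitespace normalised so
    that re-indentation does not change the ID."""
    return [" ".join(line.split()).rstrip(".")
            for line in source.splitlines() if line.strip()]


def window(stmts, index, context=CONTEXT):
    """The flagged statement with up to `context` statements on each side;
    the window is shorter near the start or end of the compilation unit."""
    return stmts[max(0, index - context): index + context + 1]


def finding_id(stmts, index, context=CONTEXT):
    """Hash of the window only: no line number goes in, so a move is harmless."""
    text = "\n".join(window(stmts, index, context))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def locate(stmts, needle):
    """Index of the first statement containing `needle` (the flagged one)."""
    return next(i for i, s in enumerate(stmts) if needle in s)


def compare(source_a, source_b, needle="WHERE (lv_where)"):
    """True if the finding at `needle` keeps its ID between the two versions."""
    a, b = statements(source_a), statements(source_b)
    return finding_id(a, locate(a, needle)) == finding_id(b, locate(b, needle))


if __name__ == "__main__":
    for label, other in (("moved down", MOVED),
                         ("neighbour edited", NEIGHBOUR_EDITED),
                         ("far statement edited", FAR_EDITED)):
        print(f"{label:22}: {'same ID' if compare(ORIGINAL, other) else 'new ID'}")
```

The moved and far-edited versions keep the ID; the version with an edited neighbouring statement gets a new one, which is the practical caveat: an exemption tied to a finding ID survives a move or a re-indentation, but a change to any of the surrounding statements makes the finding reappear as a new one. Two identical windows inside one compilation unit would collide under this reconstruction; the page does not say how CVA disambiguates such cases.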

    Q: Which vulnerabilities should one start to fix first?

    A: Here are a few hints:

  • Start with hard-coded user names. These are important and easy to fix.
  • Then go for SQL-injections.
  • After that fix directory traversals.
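To make two of the passages above concrete, the dataflow answer that the analysis stays inside one compilation unit and the list of finding classes to fix first, here is a small Python script added for this FAQ. It is not CVA code and not an SAP algorithm: the source, sink and sanitizer rules, the sample report and the function module Z_WRITE_FILE are all constructed for the demonstration. cl_abap_dyn_prg=>quote is a real SAP method, but treating it as a sanitizer for a dynamic WHERE is the example's own assumption.

```python
"""Toy taint analysis for an ABAP-like report, staying inside one compilation unit.

Added example: this is NOT CVA's implementation. The source/sink/sanitizer
rules are assumptions chosen to illustrate the three finding classes named in
the FAQ (hard-coded user names, SQL injection, directory traversal) and the
rule that dataflow is not followed into a called function module.
"""
import re
from dataclasses import dataclass

# Constructed sample report, one statement per line (not taken from the page).
SAMPLE_REPORT = """\
REPORT z_cva_demo.
PARAMETERS p_cust TYPE c LENGTH 40.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
DATA lv_path TYPE string.
lv_where = |NAME1 = '{ p_cust }'|.
SELECT kunnr FROM kna1 INTO TABLE @DATA(lt_hits) WHERE (lv_where).
lv_safe = |NAME1 = { cl_abap_dyn_prg=>quote( p_cust ) }|.
SELECT kunnr FROM kna1 INTO TABLE @DATA(lt_ok) WHERE (lv_safe).
lv_path = p_file.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-uname = 'DEVELOPER'.
CALL FUNCTION 'Z_WRITE_FILE' EXPORTING iv_path = p_file.
"""

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Assumed sanitizer for the SQL sink: quote()/escape_quotes() of the SAP class
# cl_abap_dyn_prg neutralise a value that ends up inside a dynamic WHERE.
SANITIZER = re.compile(r"cl_abap_dyn_prg=>(?:quote|escape_quotes)\(\s*\w+\s*\)", re.I)
SOURCE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)            # selection-screen input
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)  # dynamic WHERE clause
OPEN_DS = re.compile(r"^OPEN\s+DATASET\s+(\w+)", re.I)
CALL_FM = re.compile(r"^CALL\s+FUNCTION\s+'(\w+)'(.*)$", re.I)
HARDCODED_USER = re.compile(r"\bsy-uname\s*(?:=|EQ)\s*'", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    check: str
    detail: str


def tainted_in(expr, tainted):
    """Tainted identifiers used in expr, ignoring arguments of a sanitizer call."""
    return sorted(t for t in IDENT.findall(SANITIZER.sub("", expr)) if t in tainted)


def analyze(source):
    """Single pass over the statements: taint flows through assignments, sinks
    reached by tainted data become findings. Returns a list of Finding."""
    tainted = set()
    findings = []

    def assign(target, expr):
        if tainted_in(expr, tainted):
            tainted.add(target)
        else:
            tainted.discard(target)  # overwritten with clean data

    for no, raw in enumerate(source.splitlines(), start=1):
        stmt = raw.strip().rstrip(".")
        if m := SOURCE.match(stmt):
            tainted.add(m.group(1))
        elif m := CALL_FM.match(stmt):
            # The function group is another compilation unit: the dataflow is
            # not followed into it, so that unit has to be scanned on its own.
            if args := tainted_in(m.group(2), tainted):
                findings.append(Finding(no, "Call boundary",
                    f"{m.group(1)} receives tainted {', '.join(args)}; not followed"))
        elif HARDCODED_USER.search(stmt):
            findings.append(Finding(no, "Hard-coded user name", stmt))
        elif m := DYN_WHERE.search(stmt):
            if m.group(1) in tainted:
                findings.append(Finding(no, "SQL injection",
                    f"dynamic WHERE built from tainted {m.group(1)}"))
        elif m := OPEN_DS.match(stmt):
            if m.group(1) in tainted:
                findings.append(Finding(no, "Directory traversal",
                    f"file path {m.group(1)} comes from user input"))
        elif m := CONCAT.match(stmt):
            assign(m.group(2), m.group(1))
        elif m := ASSIGN.match(stmt):
            assign(m.group(1), m.group(2))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"line {f.line:2}: {f.check:22} {f.detail}")
```

Run against the sample, the script reports SQL injection on line 8, directory traversal on line 12 and a hard-coded user name on line 13, while line 10, where the same parameter passes through cl_abap_dyn_prg=>quote before reaching the dynamic WHERE, is clean. Line 14 is the point of the dataflow answer above: the tainted path handed to Z_WRITE_FILE is only reported if that function group is scanned itself.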
    Reporting

    Q: Can the list of findings be exported into a Word document?

    A: Yes.

    Q: Can the quality manager only get a list of vulnerabilities in the form of an Excel / Word document?

    A: No, the quality manager can see them in the system. Excel / Word is just an additional option.

    Solution Manager

    Q: Why shouldn’t CVA and Solution Manager run on the same system?

    A: Because of the minimum ABAP release. CVA on a central system requires at least NW 7.51. Solution Manager 7.2 SP06 runs on NW 7.40 and no higher.

    Q: Frequently used coding is more critical than coding that is rarely used. How can you tell how often coding is used?

    A: You can see this in Solution Manager.

    Q: Can you resolve the security vulnerabilities from within ChaRM?

    A: No.

    Q: Can you create exemptions from within ChaRM?

    A: No.

    Q: Can ChaRM be used to release transports?

    A: Yes, you release the task or transport in ChaRM. You can also specify that transports only take place if the CVA vulnerabilities have been fixed, independently of ChaRM.

    Q: Do customers have to resolve vulnerabilities in coding if the coding is never used?

    A: Customers can use Solution Manager to identify coding that is never used. They can then just deactivate the coding instead of resolving the vulnerabilities.


        17 Comments
        Alejandro Sensejl

        At customers, I often find requirements to comply with the Virtual Forge Code Profiler tool. Actually I have never encountered CVA at customers. Even when I tell them we scan our (add-on) code with CVA instead of Code Profiler, it was not accepted, as customers do not even know what CVA is.

        Why do you think CVA is not commonly known and used at all SAP customers, and why does Code Profiler outshine CVA?
        Two points come to mind:

        • CVA is not free for all SAP customers. Maybe it should be, especially as ABAP is SAP SE's own proprietary programming language / platform and custom code is probably also a big risk when interfacing with core applications.
        • CVA lacks very much functionality in ERP as there are no backports to older releases, which are still very common at customers.


        Peter Barker
        Blog Post Author

        Thank you very much for your impressions and your questions:
        We have hundreds of CVA customers but you are right – there is a huge potential demand for an official SAP code-scanning tool such as CVA and cyber-security is becoming increasingly important. One reason I wrote this blog is to increase awareness of CVA and its significance.
        Code Profiler may be more familiar to some customers because it was introduced into the market some years earlier than CVA but we are convinced that CVA is an excellent solution in terms of its functionality and ability to protect customers’ ABAP custom code.

        There is no need to backport CVA to older releases because CVA should be installed on a central system with an up-to-date release of NetWeaver and the latest SP. This ensures that the latest checks are available to local systems on earlier versions of NetWeaver. They just have to be connected to the central system via RFC. In this way older releases are checked remotely.


        Alejandro Sensejl

        We are using our S4 Sandbox as ATC hub, so this is no problem for us. But no customer understands why an additional NetWeaver system is required - on management level this is hardly explainable.

        - Can you provide some insights on the reason for no-ERP-downport-decision? I expect the efforts at SAP for downport to be MUCH lower than the global overall effort at all customers/partners to implement the required landscape.

        - Are there any further plans to raise awareness for CVA at C-level management? (What is the roadmap to have every customer and partner use CVA? 😉 )

        - Some changes on pricing would be much appreciated (see comment from Michael Biber). This would also help us as SAP partner a lot.

        Peter Barker
        Blog Post Author

        Hi Alejandro,

        Thank you for your additional feedback.

        To take your third point first: Yes, you are right. SAP must continue to raise awareness for CVA at C-level management as well as at other levels. This FAQ is a small contribution to the task of rolling out CVA.

        Your second point addresses a key topic: Clearly, an additional NetWeaver system involves extra expense. That is a fair point. However, after speaking to literally hundreds of customers, the need for an extra system has never been a showstopper.

        The advantage of a central system is that you only have to upgrade one system in order to consume the new checks as opposed to upgrading the whole of your landscape.
        You also only have to configure the checks on one central system.

        Please read the blog https://blogs.sap.com/2016/12/12/remote-code-analysis-in-atc-one-central-check-system-for-multiple-systems-on-various-releases/ , especially the section "Advantages".


        Girwar Meena

        Tools like Code Profiler may continue to be the choice unless SAP changes the license model. It doesn't make sense in a big organization with 100+ developers; the cost goes above a million. Other third party tools are cheaper and they also provide ATC capabilities.

        Hope SAP make CVA cheaper and also consider to improve it by making it more dynamic.

        Keeping ATC without CVA makes no sense, and CVA at over a million dollars is tough to justify.

        Peter Barker
        Blog Post Author

        Hi Girwar,

        I take your point about pricing and it is often pointed out that the list price seems very high. That is a fair point.

        However, the final discounted price has to be negotiated with the account executive, so although a 3rd party product may be significantly cheaper in terms of its official list price or in the context of a specific customer deal, this varies from deal to deal.

        Best regards

        Peter

        Mikhail Yakovlev

        "CVA lacks very much functionality in ERP as there are no backports to older releases, which are still very common at customers."

        Could you please explain what the advantage of Code Profiler is in this case? It is also a separate server with connections to all ABAP systems. In the CVA case you can have it as a hub to test old releases (SAP_BASIS 700), or you can use CVA directly in your S/4 system. I think both ways have advantages and drawbacks.

        Michael Biber

        We already use codeProfiler and are introducing ATC right now. We also had a look at CVA. Short Story: we decided against it.

        Why?

        • It has more or less the same functionality Security wise as the Code Profiler
        • Code Profiler does not have to be run additionally but can be integrated into ATC runs (as CVA does) 
        • CVA costs about 10 times as much as Code Profiler for our 60-70 Developers
        • Code Profiler has an excellent documentation at finding level

        So it would have been totally nice to have a solution from one hand, but even if we could get rid of a small Java server running the Code Profiler backend, this is nothing compared to the CVA costs (which come with an additional 20% maintenance fee every year).

        So I totally agree with Alejandro: include it in the ERP license or at least lower the costs significantly and you will get a lot more customers.

        Peter Barker
        Blog Post Author

        Hello Michael,

        Thank you for your feedback.

        I take your point about pricing and it is often pointed out that the list price seems very high. That is a fair point.

        However, the final discounted price has to be negotiated with the account executive, so although a 3rd party product may be significantly cheaper in terms of its official list price or in the context of a specific customer deal, this varies from deal to deal.

        As far as the documentation is concerned, CVA also provides detailed documentation on the individual checks and this is displayed in Eclipse and SAP GUI along with the findings generated by a CVA scan.

        Michael Biber

        Hello Peter,

        To the pricing: We calculated the price after our usual discount (our person responsible for licensing was part of the decision team). Even with a very unusual discount of 99%, CVA is still way more expensive.

        To the new system: it would have been a problem for us, as we would have needed S/4HANA licenses which we currently don't have. Plus the system landscape has to be patched regularly, as a NetWeaver needs way more protection than a simple Linux server running a Java application.

        As I said we would have done all this but not with the CVA pricing currently.

        Thomas Fiedler

        Hi Michael,

        I'm absolutely with you concerning the pricing. Feedback taken and Peter will take this to our Sales guys.

        In future we will further invest in our cloud-based ATC solution, where the ATC runs in the SAP Cloud Platform. Maybe this is an option for you in future as well?

        See more about it in Olga's Blog Post: https://blogs.sap.com/2020/08/14/abap-test-cockpit-in-the-cloud-what-is-already-possible/

        Regards,

        Thomas.

        Michael Biber

        Hi Thomas,

        we will have a look at that. Thanks for the tip. I somehow missed that blog post. Whether the usage is legitimate for BaFin etc. is also to be clarified. But we will try.

        Best regards

        Michael

        Girwar Meena

        I agree, even with 85% discount price goes too high to justify..

        Girwar Meena

        The license model should be flexible. I am sure SAP wants to support customers in keeping their systems secure. The current license model price goes too high compared to other tools available in the market. I actually planned and recommended the CVA tool to my organization, but we have to look for another solution. The cost is not justifiable: our company has 100+ developers and definitely each developer needs a license so they develop secure code and do not release it to the next system without a proper security check.
        I was expecting this tool to be an integrated tool with ATC. ATC doesn't make sense if CVA is expensive. A third party tool will do the work of ATC as well. No organization wants to invest in and maintain similar tools. Please suggest and share recommendations to make CVA and ATC the tool of choice.

        Peter Barker
        Blog Post Author

        Hi Girwar,

        Thank you for your feedback.

        Please refer to my responses to other posts on the pricing issue.

        As far as integration is concerned, CVA is fully integrated in ATC. It just has to be activated after you have purchased a license.

        The cloud might be an option for you now or in the future. You can read about it in Olga’s Blog Post: https://blogs.sap.com/2020/08/14/abap-test-cockpit-in-the-cloud-what-is-already-possible/

        Best regards

        Peter

        Nadeesha Kumurage

        Hi Peter,

        Could you please explain more about how we can get the latest CVA checks in a timely manner?

        In your blog you have explained that "New checks are delivered with new SP" which means updating to latest SAP component we can get new CVA checks ?

        Also I want to know if there is a way/method to run ATC checks for a bundle of transports (not a single transport).

        Thanks

        Nadeesha.

        Harish Bokkasam

        Hi Nadeesha,

        The release/availability of checks per release and SP is detailed in Note 1921820.

        It is not possible to run ATC checks on several Transport requests.

        However, you can implement your own object sets and then implement this feature on its own.

        Greetings,

        Harish B.