Application Development Blog Posts
OlgaDolinskaja
Product and Topic Expert

This is the fifth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).

See also blogs:

But what about developers?

For Remote Code Analysis, a central ATC check system (SAP_BASIS >= 7.51) needs to be set up and configured in the system landscape to check multiple systems on different releases. On this central system you can configure the checked systems and ATC run series, schedule ATC run series, view results in the ATC Result Browser, and approve or reject exemptions. However, these tasks on the central system are mostly for administrators or quality experts.

So what about developers? As a developer you always work in the local checked system and are used to executing your ATC checks there, directly during your development process. Do you now need to work in two systems, e.g. check your code in the central ATC system and correct the findings in your local system? Fortunately the answer is NO. All ATC Remote Code Analysis activities during development occur in your local development system. You can execute ATC Remote Code Analysis checks, view ATC results, check your transports with ATC Remote Code Analysis before release, correct findings and request exemptions directly in your local system. This functionality for developers is available with SAP NetWeaver AS ABAP 7.51 SP01.


For you as a developer, ATC Remote Code Analysis is only the infrastructure under the hood, which you don't necessarily need to deal with. You work with ATC as usual in your local system and benefit from the advantages of Remote Code Analysis.

Prerequisites for local developer scenario

1. ATC in a central check system is set up and configured in your landscape as described in the blog Remote Code Analysis in ATC – Technical Setup step by step.

2. The checked systems must be based at least on one of the following SAP_BASIS support package levels or higher: 7.51, 7.50 SP01, 7.40 SP13, 7.31 SP15, 7.02 SP17, 7.01 SP01 (Checks via Code Inspector because ATC is not available in this release), 7.00 SP04 (Checks via Code Inspector because ATC is not available in this release).

Make sure that the remote functionality for developers from the collective SAP Note 2364916 is implemented in all your checked systems.

3. Implement the following SAP Notes in your local development system:

4. In your local system the ATC central check system must be maintained by your administrator in the Code Inspector (Goto -> Management of -> Reference check system):


5. A check variant for the ATC Remote Code Analysis must be set up in the local development system (MY_DEFAULT in this example) as follows:

- In the Code Inspector, create a new variant:


- Select the radio button In Reference Check System and provide the name of the check variant from the ATC central check system that contains the newest checks (SLIN_SEC in this example):


- Save the check variant

The SLIN_SEC check variant, which contains the latest security checks, must be RFC-enabled; therefore all selected checks must be RFC-enabled as well (green arrow buttons indicate this). In our example it looks as follows:


6. Configure your development system to run the ATC with Remote Code Analysis automatically when releasing a transport (this is currently supported only in the SAP GUI-based Transport Organizer SE09). Ask your system administrator to set this up, following the documentation Setting Up ATC Transport Checking - ABAP Test and Analysis Tools on SAP Help Portal.

Local developer scenario

Motivation

Imagine a simple scenario. You wrote an ABAP program in your development system and suspect a security violation within a SELECT statement. Therefore you are pretty confident that you will get security errors if you run ATC.
In your local system, if you just position the cursor on your program in the Project Explorer in the ABAP Development Tools in Eclipse and execute the check with the ABAP Test Cockpit (context menu Run As -> ABAP Test Cockpit), you will see that no security violations were detected, because your development system does not contain the newest security checks:


NOTE: if ABAP Test Cockpit or ABAP Development Tools (or both) are not available for your system on an older release (e.g. if your development system is on SAP_BASIS < 7.02), then you need to work with SAP GUI and use Code Inspector. In this case you just execute the checks with Code Inspector using the check variant containing the latest security checks.

Obviously the newest security checks are missing, therefore you need to use Remote Code Analysis in ATC with the latest security checks. Now choose the check variant from the central ATC check system containing the latest security checks (MY_DEFAULT in this example) in your project properties in the ABAP Development Tools in Eclipse (context menu Properties of your project in the Project Explorer):


NOTE: you can also specify the check variant when executing the ATC from the editor (context menu "Run ABAP Test Cockpit With..."), e.g.:

Checking your source code

Run ABAP Test Cockpit for your ABAP program again. The newest security checks will detect the risk of SQL injection:

From the ATC Problems View you can easily navigate to the erroneous source code position (double click on the ATC finding) and display the description of the finding via the error marker in the editor (just hover over the error marker):


A single click on the ATC finding will display the documentation, where you can look up how to correct it:


Checking transports before release

You can also run ATC Remote Code Analysis before transport release. In the Transport Organizer view, select the transport request that includes your ABAP program with the security risks and run ATC (context menu Run As > ABAP Test Cockpit):


The ATC Problems View will show the same security violation errors for your transport request:

Now you can correct the ATC findings or request an exemption.
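
For the scenario from the Motivation section, the following added illustration (not the program from the original post) shows the kind of SELECT that security checks for SQL injection are aimed at, next to two corrected forms. The report name, the parameter and the use of the demo table SFLIGHT are assumptions made for this example.

```abap
REPORT z_atc_sqli_demo.
* Added illustration: report name, parameter and demo table SFLIGHT
* are assumptions, not taken from the original blog post.

PARAMETERS p_carr TYPE c LENGTH 20 LOWER CASE.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string,
      lv_quoted  TYPE string,
      lv_text    TYPE string,
      lv_carrid  TYPE sflight-carrid,
      lx_osql    TYPE REF TO cx_sy_dynamic_osql_error.

START-OF-SELECTION.

  " Before: user input is concatenated into a dynamic WHERE clause, so
  " the input becomes part of the condition text parsed at runtime.
  CONCATENATE `CARRID = '` p_carr `'` INTO lv_where.
  SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

  " Correction 1: static condition. The value is passed as a host
  " variable and is never interpreted as part of the SQL condition.
  lv_carrid = p_carr.
  SELECT * FROM sflight INTO TABLE lt_flights
    WHERE carrid = lv_carrid.

  " Correction 2: a dynamic condition is still required. QUOTE puts the
  " value in single quotes and escapes quotes contained in it, so the
  " input stays a literal inside the condition.
  lv_quoted = cl_abap_dyn_prg=>quote( p_carr ).
  CONCATENATE `CARRID = ` lv_quoted INTO lv_where.
  TRY.
      SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
    CATCH cx_sy_dynamic_osql_error INTO lx_osql.
      " A malformed dynamic clause raises a catchable exception
      " instead of ending in a short dump.
      lv_text = lx_osql->get_text( ).
      MESSAGE lv_text TYPE 'E'.
  ENDTRY.
```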

Requesting exemptions

To request an exemption, position the cursor on the ATC finding and choose Request Exemption from the context menu.


More details on the exemption process can be found in the blog Remote Code Analysis in ATC – Working with Exemptions.

67 Comments
IanStubbings
Active Participant
0 Kudos
Hi Olga

Also, while I think of it, when setting the Default Check Variant in the ATC setup, does this also affect the variant executed when releasing the transport? Or do I separately need to maintain the entry in the SCICHK_ALTER table?

Regards

Ian
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Ian,

it is currently not yet possible in the remote ATC scenario to replicate the results from the central check system to the connected checked systems. We are working on it with high priority.

Regards,

Olga.
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Ian,

yes, the default ATC check variant is also used at transport release.

Regards,

Olga.
IanStubbings
Active Participant
0 Kudos
Hi Olga

Thanks for the reply. I am trying to replicate the other way round though i.e. I wish to replicate results from the remote system to the central ATC system. Is this possible? I would like to report on all scans from the central system via CDS views.

Thanks

Ian
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Ian,

it is not possible to replicate local ATC runs to the central ATC check system.

Regards,

Olga.
IanStubbings
Active Participant
0 Kudos
Hi Olga

Ok. Thanks for confirming.

Regards

Ian
Tim_T
Participant
0 Kudos
Hi Olga,

sorry for my late answer.

The note 2624109 was already implemented, but the other one not. Additionally I implemented several other notes (2724914, etc.) now and I hope that I can observe an improvement.

Best regards

Tim
0 Kudos
Hello Olga,

We are trying to set up Remote Code Analysis from the satellite system (SAP BASIS 7.31 SP13) to the central check system (SAP BASIS 7.51 SP8).

When we run from the satellite system, we get the below error:



When we run from central system using object provider, we are getting tool failures. Can you please guide how to proceed here.



Thanks!!

Regards,

Siji Thomas
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Thomas,

for such issues please open a ticket to SAP.

Regards,

Olga.
0 Kudos

Hello Olga,

Following the answer you indicated to Olaf, our execution of the job in the ATC with the variant S4HANA_READINESS_REMOTE reports more than 60,000 dumps per day: SAPSQL_PARSE_ERROR CX_SY_DYNAMIC_OSQL_SYNTAX:

I have tried to import SAP Notes 2364916 and 2375864 but they are not implementable in my Development System, which is a NW 7.4 SPS18, and my Central System is a NW 7.52 SPS2. While answering Tim, I have also tried to implement SAP Note 2487726 but it is not implementable either. Notes 2624109 and 2707315 are implementable, but they have nothing to do with my error. Can you help me correct this dump?

Regards.

Jordi.

 

OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Jordi,

for such issues please open a ticket to SAP.

Best Regards,

Olga.
IanStubbings
Active Participant
0 Kudos
Hi Olga

When changing a function module, the whole function group is then scanned and when changing a method the whole class is scanned. Findings are therefore often reported on areas that a current developer has not touched - even if a baseline is in place.

Is it possible to only scan the immediate object rather than the whole object?

Thanks

Ian
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Ian,

unfortunately it is not possible: ATC scans only main objects, not sub-objects or parts.

Bye,

Olga.
IanStubbings
Active Participant
0 Kudos
Thanks Olga.

I suspected as much but thought I'd check.

Cheers

Ian
Goutam
Explorer
0 Kudos
Hi Olga,

First of all, a very helpful blog for setting up the developer scenario. We did it for S/4 HANA readiness, but when we wanted to check per object in the satellite system we had the below issue - would it be possible for you to guide how to proceed here?


 

Thanks

Goutam
OlgaDolinskaja
Product and Topic Expert
0 Kudos
Hi Goutam,

unfortunately I cannot see from the screenshot above where this error happens. Generally the result of an ATC check reports as "tool failure" that prerequisites for the execution of one or more checks were missing. Please check if the prerequisites for the local developer scenario (described in the blog) are fulfilled in your development system. If all prerequisites are fulfilled but the error still exists I would recommend to search in the knowledge base of the SAP support launchpad for the SAP note which could help to resolve the issue. If it still doesn't help, please open a ticket to SAP.

Kind Regards,

Olga.
Goutam
Explorer
Hi Olga,

Thank you for your quick response. Here there was no result displayed but the code has issues to be detected. It was showing such issues instantly during run.

I will check as you suggested.

Thanks

Goutam