CVA: Code vulnerability analysis

CVA is a licensed SAP tool to scan custom code for potential security issues.

CVA is built into the Code Inspector (SCI), and the analysis is run via the ATC tool.

Questions that will be answered in this blog are:

  • What checks does CVA perform?
  • How to activate CVA?
  • Is CVA licensed?
  • Where to find more information on CVA?

Activating CVA

SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate it, run program RSLIN_SEC_LICENSE_SETUP:

The activation refers to OSS note 1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc.

Call to SAP: if you really think security is important for your customers and their custom programs, don't charge money for the CVA tool, but allow free usage!

Check the bug fix OSS notes below. Apply them before your first run.

Checks in detail

The SAP CVA checks can be seen in SCI variant SLIN_SEC:

And then open the variant and click the information button for details:

A full list of checks can also be found on this SAP blog.

And per NetWeaver version the checks are listed in OSS note 1921820 – SAP Code Vulnerability Analyzer – support package planning.

Setting up ATC variant and run

Start transaction ATC and press Schedule Run:

First create a new variant and refer to SCI variant SLIN_SEC:

Now schedule the run for your Z code:

The run can take a few hours.

More on ATC set up and running can be found in this blog.

Run results

Start transaction ATC and go to the results part:

Select your run:

The ATC result screen is shown, but the list can be very long:

Both Z programs and user exits (names starting with S or X) will be shown.

Press the Statistics View button top right to get a better overview:

The result list is now sorted per security item:

Don't be put off by the high numbers of the first run. Most issues are in old code: consider cleaning it up. Focus on priority 1 and priority 2 first. Fine-tune the result set for priority 3 to lower the numbers.

Now you can zoom in to the issue per item by clicking on the line:

The details show the issue: a hard-coded user name. Clicking on the underlined program name in the column Object Name jumps to the code location to fix:

In this case it is a hard-coded BREAK statement for a specific user. The fix is easy: delete the line of code.
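As an added illustration (not code from the original post), the pattern behind this kind of finding beside the hardened alternative; the user ID ZDEVUSER01 and the authorization object Z_DEMO_ADMIN are constructed placeholders:

```abap
REPORT zcva_hardcoded_user_demo.
" Added example, not from the original blog. ZDEVUSER01 and the
" authorization object Z_DEMO_ADMIN are constructed placeholders.

" Finding "hard coded user name": both statements below change the
" program's behaviour for one named user and are debugging leftovers.

" 1. User-specific breakpoint. The BREAK macro expands to
"    IF sy-uname = 'ZDEVUSER01'. BREAK-POINT. ENDIF.
"    Fix: delete the line.
BREAK zdevuser01.

" 2. Branch keyed on sy-uname: a hidden bypass of the regular checks.
IF sy-uname = 'ZDEVUSER01'.
  " privileged processing would follow here
ENDIF.

" Hardened form: decide on an authorization, not on the user ID, so the
" access is granted via roles and is visible to the security team.
" ACTVT 16 = Execute.
AUTHORITY-CHECK OBJECT 'Z_DEMO_ADMIN'
  ID 'ACTVT' FIELD '16'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
" privileged processing for authorized users follows here
```

CVA reports the first two statements; the AUTHORITY-CHECK form is what the Z code should use instead.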

Remote analysis

It is possible to use ATC remote analysis (see blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation.

Checking license usage

Run program RSLIN_SEC_LICENSE_SETUP to check license usage:

Or run this from transaction SLIN_ADMIN.

SAP reference material

Generic presentation on SAP CVA can be found on this link.

CVA FAQ: follow this link.

CVA full list of checks: follow this link.

CVA as part of CI/CD development pipeline: follow this link.

ABAP code security issues explained: follow this link.

Bug fix and improvement notes

Bug fix and improvement OSS notes:

Data archiving: Financial documents

This blog will explain how to archive financial documents via object FI_DOCUMNT. Generic technical setup must have been executed already, and is explained in this blog.

Object FI_DOCUMNT

Go to transaction SARA and select object FI_DOCUMNT.

Dependency schedule:

No dependencies.

Main tables that are archived:

  • BKPF (accounting document header)
  • BSAD (accounting document secondary index for customers)
  • BSAK (accounting document secondary index for vendors)
  • BSAS (accounting document secondary index for GL accounts cleared items)
  • BSEG / RFBLG (cluster for accounting document)

Technical programs and OSS notes

Write program: FI_DOCUMNT_WRI

Delete program: FI_DOCUMNT_DEL

Post processing program: FI_DOCUMNT_PST

Read program: the read program in SARA refers to FAGL_ACCOUNT_ITEMS_GL. This program can be used with online data and archive files as data source.

Reloading of FI_DOCUMNT was supported in the past, but is not any more: see OSS note 2072407 – FI_DOCUMNT: Reloading of archived data.

Relevant OSS notes:

Application specific customizing

In the application specific customizing for FI_DOCUMNT you can maintain the document retention time settings:

Executing the write run and delete run

In transaction SARA, FI_DOCUMNT select the write run:

Select your data, save the variant and start the archiving write run.

Give the archive session a good name that describes the company code and year. This is needed for data retrieval later on.

After the write run is done, check the logs. FI_DOCUMNT archiving runs at average speed and reaches a high archiving percentage (up to 90 to 99%). Most of the items that cannot be archived are open items.

The deletion run is standard: select the archive file and start the deletion run.

Post processing

It is important to run the post processing of FI_DOCUMNT. After the archiving, the BSAK, BSAS and BSIS secondary index table records are still present with the field ARCHIV marked with 'X'. See notes 2683107 – Archived items still exist in BSAK and 2775018 – Archived items still exist in BSAK.

Standard SAP will deal correctly with this field. But custom-made reports and the average BI data analyst will not.

So run post processing directly after the deletion run.

Data retrieval

For FI_DOCUMNT multiple read programs are available. To select them press the F4 search:

Start the program and select the button Data Source, tick the archive as well and select the archive files to read:

Due to data volume the query might run long. Select the archive files with care.

Most finance programs to list data use this Data Source principle.

SARI infostructure issues

If sessions are in error in SARI for infostructure SAP_FI_DOC_002, read the potential workaround below.

The reason for the errors when refilling the archive session is that a number of documents already exist in the infostructure, and the infostructure table cannot contain duplicates.

The most common cause is that the variant for the WRITE program was set so the same document got archived twice into different archive files.

What can be done? If it is OK to have the same document in different files, you can ignore the archive session entries in error in SARI when the case is as above. To avoid duplicate keys in the infostructure in future, you can add the file name as an extra key field to the infostructure. This can be done as follows:

  • SARI -> Customizing -> SAP_FI_DOC_002 -> Display
  • Technical data
  • Change the field "File Name Processing" from 'D' to 'K'.

This is an untested method.

Parallel processing

There is an option to archive Financial documents in parallel processing mode. This is an advanced development option. It uses archiving object FI_DOC_PPA. For more information read OSS note 1779727 – FI_DOCUMNT: Integrating parallel process with archiving.

If your data volume is manageable and you can archive during nights and weekends, keep it simple and use FI_DOCUMNT.

DST daylight saving time

3277061 – ABAP Date/Time Conversion with DST for SELECT_MESSAGES

DST (daylight saving time) starts in the spring (= a loss of one hour) and ends in the fall (= a gain of one hour). For the clock adjustment, one must remember "Spring forward, Fall back".

Spring forward:

Fall backward:

Method 1: shut down the system

During the switch, simply shut down the SAP system for the entire duration of the double hour, and bring it up only after the double hour has passed. Thus the SAP kernel software does not have to deal with any possible mismatch of standard time and local time. The big drawback of course is that you have to shut down and start up the systems in the middle of the night. And the business cannot work during this time. Long-running weekend jobs might be interrupted as well and need to be redone.

Method 2: zero downtime by slowing down the time

Slow down the time by half during the double hour, so that the 2-hour period is treated as one hour.

In SAP, this is easier than it appears: set the profile parameter zdate/DSTswitch_contloctime = on (the default in kernel release 6.40 and higher), so that your SAP system sees a continuous time with a deviation of 30 minutes.

During the conversion from summer time to winter time, there is a "doubled" hour. In Europe, for example, the summer time is reset to winter time on the last Sunday in October between 2 a.m. and 3 a.m.

1:00    1:30    2:00    2:30    2:00    2:30    3:00   official time
--+------+-----x+xxxxx+xxxxxx+xxxxxx+xxxxxx+x---   (x = period in which the system clock is slowed down)
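As an added worked derivation (not part of the original post) of where the 30-minute deviation comes from: let $m$ be the real minutes elapsed since the first 2:00 of the double hour, $0 \le m \le 120$.

The slowed system clock maps the two real hours onto one clock hour:

$$t_{\text{sys}}(m) = 2{:}00 + \tfrac{m}{2}$$

The official local time shows the hour twice, first in summer time and then, after the switch at $m = 60$, in winter time:

$$t_{\text{off}}(m) = \begin{cases} 2{:}00 + m & 0 \le m < 60 \\ 2{:}00 + (m - 60) & 60 \le m \le 120 \end{cases}$$

The deviation between the two is therefore

$$\Delta(m) = t_{\text{sys}}(m) - t_{\text{off}}(m) = \begin{cases} -\tfrac{m}{2} & 0 \le m < 60 \\ 60 - \tfrac{m}{2} & 60 \le m \le 120 \end{cases}$$

so the system clock falls up to 30 minutes behind summer time at the switch ($\Delta(60^-) = -30$), is 30 minutes ahead of winter time right after it ($\Delta(60) = +30$), and is back in step at 3:00 ($\Delta(120) = 0$). The deviation never exceeds 30 minutes in either direction.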

How to check the time zone at different levels

  • Run the report from SA38: TZCUSTHELP (troubleshooting time zone)
  • Run the report from SA38: RSDBTIME (time diagnosis)
  • Run this function module in SE37: TZ_SYSTEM_GET_TZONE
  • Run the report from SA38: TZONECHECK

DST in non-ABAP systems

For DST in non-ABAP systems check these notes:

References

Excellent blog from SAP: Daylight Saving Time and Slowing Down The Time.

Reference OSS notes:

ABAP programming DST specific notes:

BTE events

BTE events are Business Transaction Events. These events can be used to call customer-specific logic through an ABAP code interface when the event occurs.

They are used by standard SAP and partner software, and you can create your own interfaces.

Pros and cons

The BTE can solve business specific issues in a graceful way with custom code. This is a large pro.

The biggest con is that the technique is hardly known. When there are issues inside the Z coding for a BTE, they are tough to spot and to detect. Good documentation of the event usage is required (both in the paper specification and inside the Z code).

BTE events

The main transaction for BTE events is FIBF:

The screen is indeed empty.

The main parts are below Settings and Environment.

To list all the events, choose Environment, Info System (P/S):

And the result screen:

If you select a line and press the Display Act Comp button, you can see the details, including the existence of a customer implementation:

Background and references

Many good blogs already exist. So no need to repeat here.

List of blogs and sites: