One language for programming in the SAP® environment is ABAP® [Advanced Business Application Programming]. Development in general is about the creation of new objects for the modification of existing objects.  Security Reviewer analyzes the source code of a group of programs selected by the user, not only ABAP one, it can analyze any SAP supported programming language (BAPI, IDoc, Netweaver and HANA HANA® development scenarios included).

Supported Versions

• ABAP - from 4.6C to 7.58

• SAP S/4 HANA from 1511 to 2005

• SAP NetWeaver from 7.0 to 7.5

SAP Mass Extractor

You do not have to download your ABAP custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, metadata, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.

Mass Extractor is a secured version of ZDTP_MASSDOWNLOAD, an open source designed by DaleTech DaleTech® capable of finding as many items as possible of code, metadata, text and documentation needed to successfully download pieces of work for off-line viewing. And if that wasn't enough, we give you the option of downloading in plain ASCII text (.abap suffixed) or in hyperlinked HTML format.

...

Security Reviewer Mass Extractor runs primarily on SAP R/3 Basis 6.20+. Due to demand, we have also made a legacy version available, that runs on R/3 4.6 systems. A more efficient version is also available for 7.00+ and SAP HANA HANA® systems. Mass Extractor can help simplify code backups, allows technical documentation to be created easily and allows programmers to easily view programs and dictionary objects offline.

...

•       SAP NetWeaver® Development Infrastructure (NWDI) based applications

•       SAP NetWeaver® Developer Studio (NWDS) application

•       Web DynPro® applications

•       .NET Connector (NCo) for C#, VB.NET and Managed C++

SAP HANA

SAP HANA HANA® is an in-memory data platform that can be deployed on premise or on demand. At its core, it is an innovative in-memory relational database management system.

The development environment for SAP HANA HANA® supports a wide variety of application-development scenarios.

Application developers can choose between the following scenarios when designing and building applications that access an SAP HANA HANA® data model:

● Native Application Development Native applications are developed and run in SAP HANA, for example, using just SQLScript or the extended application services provided by the SAP HANA XS platform (or both)

...

● Non-native Application Development Non-native applications are developed in a separate, external environment (for example, ABAP or Java) and connected to SAP HANA HANA® by means of an external application server and a client connection: ADBC, JDBC, ODBC, or ODBO. These more traditional scenarios only use SQL and native SQLScript procedures.

...

•       Dead Code (defined fields never referenced, code never executed, subroutine never called)

•       Deprecated, Unsupported or Obsolete Functions

•       SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)     

• Insecure Randomness   

• HTTP Abuse (Header, Session or Cookies manipulation)

• HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)

•       Information Leak, Privacy Violation, Password management/hardened mistakes

•       Authentication/hardened Credential mistakes

•       Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection

• XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting

•       Invalid Process Control, Kernel Calls, Dangerous ABAP commands

•       Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, Sleep, SQL DoS, etc.)

•       Buffer Overflow

•       Log Forging

•       Path Manipulation, Directory Traversal

•       Database Access and Authorization mistakes

•       Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)

•       CSRF (Cross-Site Request Forgery)

•       Misconfiguration Mistakes

•       Insecure Cryptography, Invalid key Management

•       Poor Error handling/Logging, Poor Input Validation

•       Dynamic Code, Native Code/Library, Usrer-controlled dynamic calls/transactions

• Test code/BREAK-POINT found in production

• Abuse of System calls

Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 20192023, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards. A graphical user interface provides navigation through detected vulnerabilities:

Security

Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.

...

Dead Code, Best Practices and Possible Bugs

...

Further than Security, Deadcode-Best Practices and Resilience analysis, Security Reviewer provides a Quality option, 100% compatible with McCabe IQ®, able to calculate JAVA, .NET and ABAP Quality Metrics (part of SAP Analysis Modules). This last set of Metrics is focused to manage ABAP Programs on a Quality point-of-view as well as some significant Performance issue. ABAP useful metrics are calculated, such as: LOC (Lines Of Code, SLOC, Cyclomatic Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality).

...