SAP Module

One language for programming in the SAP® environment is ABAP® [Advanced Business Application Programming]. Development in general is about the creation of new objects for the modification of existing objects.  Security Reviewer analyzes the source code of a group of programs selected by the user, not only ABAP one, it can analyze any SAP supported programming language (BAPI, IDoc, Netweaver and HANA® development scenarios included).

SAP Mass Extractor

You do not have to download your ABAP custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, metadata, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.

Mass Extractor is a secured version of ZDTP_MASSDOWNLOAD, an open source designed by DaleTech® capable of finding as many items as possible of code, metadata, text and documentation needed to successfully download pieces of work for off-line viewing. And if that wasn't enough, we give you the option of downloading in plain ASCII text (.abap suffixed) or in hyperlinked HTML format.

Mass Extractor can retrieve all the following items automatically whilst scanning program code, or they can be downloaded manually as separate entities:

Program source + the following:

  • Individual messages

  • Selection texts

  • Text elements

  • Function modules

  • Database tables and structures

  • Global classes

Global Classes + the following

  • Database structures

  • Database tables

  • Programs

  • Function modules

  • Message classes

  • Module pools

  • Screens

Function modules + the following:

  • Global variable declarations

  • Global includes

  • Function includes

  • Text elements

  • Individual messages

  • Database tables and structures

  • Global classes

  • Documentation

  • Database structures and tables

  • Function groups with all function modules

  • Message classes

Security Reviewer Mass Extractor runs primarily on SAP R/3 Basis 6.20+. Due to demand, we have also made a legacy version available, that runs on R/3 4.6 systems. A more efficient version is also available for 7.00+ and SAP HANA® systems. Mass Extractor can help simplify code backups, allows technical documentation to be created easily and allows programmers to easily view programs and dictionary objects offline.

The following example shows a SAP integration Configuration. Inside Mass Extractor, you can easily configure which custom code you want to extract:

Security Reviewer Mass Extractor consists in an ABAP module that needs to be installed inside your development or stage server. It recursively searches for code, documentation and data dictionary objects and then downloads them in either text or HTML format for easy offline browsing and incorporation into technical documentation.

Mass Extractor Source Code is available to invoiced customers only, for security reasons.

ABAP git

Security Reviewer support scanning code directly from a git-compatible repo, abapGit Community and SAP versions included. abapGit is a tool to import and export code between ABAP systems. If a developer has a developer key to the system, the developer can perform these actions already. abapGit enables the developer to do mass export/changes/imports but not more than already possible to do manually. It can be used from SAP GUI, from Browser or directly from Static Reviewer Desktop, choosing Analysis Type as Repository.

BAPI and IDoc                                                                            

A Business Application Programming Interface (BAPI) is a precisely defined interface providing access to processes and data in business application systems such as R/3. BAPIs are defined as API methods of SAP business object types, available for both JAVA and .NET. A BAPI is implemented as a function module, that is stored and described in the Function Builder, but it can also describe interfaces, implemented outside the R/3 System that can be called in external systems by R/3 Systems.

SAP Intermediate Documents (IDOC) are EDI like documents that are asynchronous in nature. IDOCS are often used in sending business documents (for example sales orders) from your SAP system to a trading partner or other system. With RFC calls to IDOC, the business processing is done immediately albeit on a different thread if we make use of the asynchronous methods described above. IDOCS offer additional queuing and retry capabilities. Security Reviewer, further than detecting all potential vulnerabilities for JAVA and .NET languages (C#, Managed C++ and VB.NET), when SAP Analysis Modules option is installed can analyze also the following BAPI/IDOC interfaces:

  • JAVA BAPI (JAVA RFC, JCo Interface, JCA Interface)

  • JAVA ALE (JCO, JAVA IDoc Class Library)

  • .NET Connector (NCo) for C#, VB.NET and Managed C++

  • BAPI GUI Library

  • Remote Function Calls Components, (RFC SDK, RFC API, RFC Class Library, SAP Logon, Table Factory, Table Tree, Table View and Transaction Controls)


SAP Netweaver                                                                         

SAP NetWeaver® allows interoperability with JAVA application servers (like IBM® WebSphere) and Microsoft® .NET environments. Rather, it is possible to replace JAVA application servers or replace .NET with NetWeaver Application Server. Security Reviewer, further than detecting all potential vulnerabilities for JAVA and .NET languages (C#, Managed C++ and VB.NET), when SAP Analysis Modules option is installed can also analyze the following:

  •       SAP NetWeaver® Development Infrastructure (NWDI) based applications

  •       SAP NetWeaver® Developer Studio (NWDS) application

  •       Web DynPro® applications

  •       .NET Connector (NCo) for C#, VB.NET and Managed C++


SAP HANA® is an in-memory data platform that can be deployed on premise or on demand. At its core, it is an innovative in-memory relational database management system.

The development environment for SAP HANA® supports a wide variety of application-development scenarios.

Application developers can choose between the following scenarios when designing and building applications that access an SAP HANA® data model:

● Native Application Development Native applications are developed and run in SAP HANA, for example, using just SQLScript or the extended application services provided by the SAP HANA XS platform (or both)

● Non-native Application Development Non-native applications are developed in a separate, external environment (for example, ABAP or Java) and connected to SAP HANA® by means of an external application server and a client connection: ADBC, JDBC, ODBC, or ODBO. These more traditional scenarios only use SQL and native SQLScript procedures.

Our SAST tool supports all above programming languages, with automatic recognition of SAP Code, SAP Business Pages, Datamart calculationview, XS JavaScript (XSJS), XMLA and SQLScript procedures included.

Static Analysis of ABAP Code

Inside your ABAP code, Security vulnerabilities, Dead Code, Best Practices, Resilience and Possible Bugs will be detected performing a Static Application Security Test (SAST). Sample of vulnerabilities categories that can be detected:

  •       Dead Code (defined fields never referenced, code never executed, subroutine never called)

  •       Deprecated, Unsupported or Obsolete Functions

  •       SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)

  •       HTTP Abuse (Header, Session or Cookies manipulation)

  • HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)

  •       Information Leak, Privacy Violation, Password management/hardened mistakes

  •       Authentication/hardened Credential mistakes

  •       Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection

  • XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting

  •       Invalid Process Control, Kernel Calls, Dangerous ABAP commands

  •       Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, etc.)

  •       Buffer Overflow

  •       Log Forging

  •       Path Manipulation, Directory Traversal

  •       Database Access and Authorization mistakes

  •       Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)

  •       CSRF (Cross-Site Request Forgery)

  •       Misconfiguration Mistakes

  •       Insecure Cryptography

  •       Poor Error handling/Logging, Poor Input Validation

  •       Dynamic Code, Native Code/Library

Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 2019, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards. A graphical user interface provides navigation through detected vulnerabilities:


Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.

Dead Code, Best Practices and Possible Bugs


Security Reviewer SRA (Software Resilience Analysis) provides the assessment of:

  • Non-Conformance to application resiliency standards and best practices

  • Security and Privacy issues

  • Scalability

  • Risk to your business due to application failures


Further than Security, Deadcode-Best Practices and Resilience analysis, Security Reviewer provides a Quality option, 100% compatible with McCabe IQ®, able to calculate JAVA, .NET and ABAP Quality Metrics (part of SAP Analysis Modules). This last set of Metrics is focused to manage ABAP Programs on a Quality point-of-view as well as some significant Performance issue. ABAP useful metrics are calculated, such as: LOC (Lines Of Code, SLOC, Cyclomatic Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality).