Blog for SAP technical guru's: SAP basis, SAP security and authorization, SAP ABAP, SAP Focused Run
abap
SREPO is a tool to compare multiple ABAP code programs across 2 systems.
The background can be found in OSS note 1368474 – System comparison tool SREPO Version 2.0.
Start transaction SREPO. Enter the RFC between the 2 systems and the list of objects to compare:
Then press the button Object Intersection. Result list is a list of programs existing in either one or both the systems:
Select a single program and start the Version Comparison:
CVA is a licensed SAP tool to scan custom code for potential security issues.
CVA is built in code inspector and analysis is run via the ATC tool.
Questions that will be answered in this blog are:
SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate run program RSLIN_SEC_LICENSE_SETUP:
The activation refers to OSS note 1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc.
Call to SAP: if you really think security is important for your customers and their custom programs, don't ask money for CVA tool, but allow free usage!
Check the bug fix OSS notes below. Apply them before your first run.
The SAP CVA checks can be seen in SCI variant SLIN_SEC:
And then open the variant and click the information button for details:
A full list of checks can also be found on this SAP blog.
And per netweaver version the checks are listed in OSS note 1921820 – SAP Code Vulnerability Analyzer – support package planning.
Start transaction ATC and press Schedule Run:
First create a new variant and refer to SCI variant SLIN_SEC:
Now schedule the run for your Z code:
The run can take a few hours.
More on ATC set up and running can be found in this blog.
Start transaction ATC and go to the results part:
Select your run:
The ATC result screen will show, but list can be very long:
Both Z programs and user exits will be shown (starting with S or X).
Press the Statistics View button top right to get a better overview:
The result list is now sorted per security item:
Don't let yourself be impressed by high numbers of the first run. Most issues are in old code: consider clean up. Focus on the priority 1 and priority 2 first. Finetune result set for priority 3 to lower the numbers.
Now you can zoom in to the issue per item by clicking on the line:
The details show the issue: hard coded user name. Clicking on the underlined code name in column Object Name will zoom into the code point to fix:
In this case hard coded break for a user. Fix is easy: delete the line of code.
It is possible to use ATC remote analysis (see blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation.
Run program RSLIN_SEC_LICENSE_SETUP to check license usage:
Or run this from transaction SLIN_ADMIN.
Generic presentation on SAP CVA can be found on this link.
CVA FAQ: follow this link.
CVA full list of checks: follow this link.
CVA as part of CI/CD development pipeline: follow this link.
ABAP code security issues explained: follow this link.
Bug fix and improvement OSS notes:
BTE events are Business Transaction Events. These events can be used to put custom specific logic in ABAP code interface when this event occurs.
It is used by standard SAP, partner software, and you can create your own interfaces.
The BTE can solve business specific issues in a graceful way with custom code. This is a large pro.
The biggest con is that the technique is hardly known. When there are issues inside the Z coding for BTE, they are tough to spot and to detect. Good documentation is required of the event usage (both on paper specification and inside the Z code).
The main transaction for BTE events is FIBF:
The screen is indeed empty.
The main parts are below Settings and Environment.
To list all the events, choose Environment, Info System (P/S):
And the result screen:
If you select a line and press the Display Act Comp button, you can see the details, including the existence of a customer implementation:
Many good blogs already exist. So no need to repeat here.
List of blogs and sites:
As ABAP developer you need to search for a user-exit and/or BADI for a certain transaction.
The helper program below can help you here. Copy and paste the source code and run the program:
Enter the transaction code and let the program search. Results will show:
You can click on the exit or badi name to jump to the definition.
REPORT zbadi NO STANDARD PAGE HEADING.
*& Enter the transaction code that you want to search through in order *
*& to find which Standard SAP User Exits exists. *
TABLES : tstc, "SAP Transaction Codes
tadir, "Directory of Repository Objects
modsapt, "SAP Enhancements - Short Texts
modact, "Modifications
trdir, "System table TRDIR
tfdir, "Function Module
enlfdir, "Additional Attributes for Function Modules
tstct, "Transaction Code Texts
rsstcd,
trkey.
*&---------------------------------------------------------------------\*
*& Definition of Types *
*&---------------------------------------------------------------------\*
TYPES: BEGIN OF t_badi_list,
obj_name TYPE sobj_name,
devclass TYPE devi_class,
dlvunit TYPE dlvunit,
imp_name TYPE exit_imp,
packname TYPE devclass,
dlvunit2 TYPE dlvunit,
text TYPE sxc_attrt-text,
END OF t_badi_list.
TYPES: BEGIN OF t_badi_list2,
obj_name TYPE sobj_name,
devclass TYPE devi_class,
dlvunit TYPE dlvunit,
END OF t_badi_list2.
*&---------------------------------------------------------------------\*
*& Data Declaration *
*&---------------------------------------------------------------------\*
DATA: lt_badi_list TYPE TABLE OF t_badi_list,
lt_badi_list2 TYPE TABLE OF t_badi_list2,
ls_badi_list TYPE t_badi_list OCCURS 0 WITH HEADER LINE,
ls_badi_list2 TYPE t_badi_list2.
RANGES: r_badi FOR tadir-obj_name ,
rt_badi FOR tadir-obj_name .
*&---------------------------------------------------------------------\*
*& Variables *
*&---------------------------------------------------------------------\*
DATA : jtab LIKE tadir OCCURS 0 WITH HEADER LINE,
p_trkey LIKE trkey.
DATA : field1(30),
badiname(20),
count TYPE p.
DATA : v_devclass LIKE tadir-devclass,
p_devclass LIKE tadir-devclass,
p_old_langu LIKE sy-langu,
p_mod_langu LIKE sy-langu.
*&---------------------------------------------------------------------\*
*& Selection Screen Parameters *
*&---------------------------------------------------------------------\*
SELECTION-SCREEN BEGIN OF BLOCK a01 WITH FRAME TITLE TEXT-001.
SELECTION-SCREEN SKIP.
PARAMETERS : p_tcode LIKE tstc-tcode OBLIGATORY.
SELECTION-SCREEN SKIP.
SELECTION-SCREEN END OF BLOCK a01.
*&---------------------------------------------------------------------\*
*& Start of report *
*&---------------------------------------------------------------------\*
START-OF-SELECTION.
* Validate Transaction Code
SELECT SINGLE * FROM tstc WHERE tcode EQ p_tcode.
*Find Repository Objects for transaction code
IF sy-subrc EQ 0.
SELECT SINGLE * FROM tadir WHERE pgmid = 'R3TR'
AND object = 'PROG'
AND obj_name = tstc-pgmna.
MOVE: tadir-devclass TO v_devclass.
IF sy-subrc NE 0.
* This section is used if a FGR is involved\!
CALL FUNCTION 'RS_ACCESS_PERMISSION'
EXPORTING
global_lock = 'X'
object = p_tcode
object_class = 'TRAN'
mode = 'SHOW'
language_upd_exit = 'RS_TRANSACTION_LANGUAGE_EXIT'
suppress_language_check = space
IMPORTING
new_master_language = p_old_langu
modification_language = p_mod_langu
transport_key = p_trkey
devclass = p_devclass
EXCEPTIONS
canceled_in_corr = 1
OTHERS = 2.
IF sy-subrc = 0. " Success
MOVE: p_devclass TO v_devclass.
ELSE. " For the case that nothing is found\!
SELECT SINGLE * FROM trdir WHERE name = tstc-pgmna.
IF trdir-subc EQ 'F'.
SELECT SINGLE * FROM tfdir WHERE pname = tstc-pgmna.
SELECT SINGLE * FROM enlfdir WHERE funcname = tfdir-funcname.
SELECT SINGLE * FROM tadir WHERE pgmid = 'R3TR'
AND object = 'FUGR'
AND obj_name = p_devclass.
MOVE: tadir-devclass TO v_devclass.
ENDIF.
ENDIF.
ENDIF.
*Find SAP Modifactions
SELECT * FROM tadir INTO TABLE jtab
WHERE pgmid = 'R3TR'
AND object = 'SMOD'
AND devclass = v_devclass.
SELECT SINGLE * FROM tstct WHERE sprsl EQ sy-langu
AND tcode EQ p_tcode.
FORMAT COLOR COL_POSITIVE INTENSIFIED OFF.
WRITE:/(19) 'Transaction Code - ', 20(20) p_tcode, 45(50) tstct-ttext.
FORMAT COLOR COL_POSITIVE INTENSIFIED ON.
SKIP.
WRITE:/1 'The application area is:', v_devclass.
SKIP.
IF NOT jtab[] IS INITIAL.
WRITE:/(95) sy-uline.
FORMAT COLOR COL_HEADING INTENSIFIED ON.
WRITE:/1 sy-vline, 2 'Exit Name', 21 sy-vline, 22 'Description', 95 sy-vline.
WRITE:/(95) sy-uline.
LOOP AT jtab.
SELECT SINGLE * FROM modsapt
WHERE sprsl = sy-langu
AND name = jtab-obj_name.
FORMAT COLOR COL_NORMAL INTENSIFIED OFF.
WRITE:/1 sy-vline, 2 jtab-obj_name HOTSPOT ON, 21 sy-vline , 22 modsapt-modtext,
95 sy-vline.
ENDLOOP.
WRITE:/(95) sy-uline.
DESCRIBE TABLE jtab.
SKIP.
FORMAT COLOR COL_TOTAL INTENSIFIED ON.
WRITE:/ 'No of Exits:' , sy-tfill.
SKIP.
WRITE:/(83) sy-uline.
FORMAT COLOR COL_HEADING INTENSIFIED ON.
WRITE:/1 sy-vline, 2 'Badi Name', 22 sy-vline, 23 'Description', 83 sy-vline.
WRITE:/(83) sy-uline.
* select the BAdI Definitions from the tables sxc_exit and sxc_attr
SELECT t~obj_name t~devclass tc~dlvunit sx~imp_name sat~text
INTO CORRESPONDING FIELDS OF TABLE lt_badi_list
FROM ( ( ( ( tadir AS t
INNER JOIN
tdevc AS tc ON t~devclass = tc~devclass )
INNER JOIN
sxc_exit AS sx ON sx~exit_name = t~obj_name )
INNER JOIN
sxc_attr AS sa ON sx~imp_name = sa~imp_name )
INNER JOIN
sxc_attrt AS sat ON sx~imp_name = sat~imp_name )
WHERE t~pgmid = 'R3TR'
AND t~object = 'SXSD' "means BAdI
AND t~devclass = v_devclass "narrow down seach with Dev.Class
AND sat~sprsl = sy-langu.
SORT lt_badi_list.
DELETE ADJACENT DUPLICATES FROM lt_badi_list.
* create Ranges
LOOP AT lt_badi_list INTO ls_badi_list .
r_badi-sign = 'I' .
r_badi-option ='EQ' .
r_badi-low = ls_badi_list-imp_name .
r_badi-high = ls_badi_list-imp_name .
APPEND r_badi TO rt_badi .
ENDLOOP.
* select the implementations
SELECT t~obj_name t~devclass tc~dlvunit
INTO CORRESPONDING FIELDS OF TABLE lt_badi_list2
FROM tadir AS t
INNER JOIN
tdevc AS tc ON t~devclass = tc~devclass
FOR ALL ENTRIES IN rt_badi
WHERE t~obj_name = rt_badi-low
AND t~pgmid = 'R3TR'
AND t~object = 'SXCI'.
FORMAT COLOR COL_NORMAL INTENSIFIED OFF.
WRITE:/(83) sy-uline.
count = '0'.
LOOP AT lt_badi_list INTO ls_badi_list .
WRITE:/1 sy-vline, 2 ls_badi_list-obj_name HOTSPOT ON, 22 sy-vline,
23 ls_badi_list-text, 83 sy-vline.
count = count + 1.
ENDLOOP.
WRITE:/(83) sy-uline.
DESCRIBE TABLE ls_badi_list.
SKIP.
FORMAT COLOR COL_TOTAL INTENSIFIED ON.
WRITE:/ 'No of BADIs:' , count.
ELSE.
FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
WRITE:/(95) 'No User Exit exists'.
ENDIF.
ELSE.
FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
WRITE:/(95) 'Transaction Code Does Not Exist'.
ENDIF.
*&---------------------------------------------------------------------\*
*& Call SMOD or SE18 to lead the user to the selected exit or badi *
*&---------------------------------------------------------------------\*
AT LINE-SELECTION.
GET CURSOR FIELD field1.
IF field1(4) EQ 'JTAB'.
SET PARAMETER ID 'MON' FIELD sy-lisel+1(10).
CALL TRANSACTION 'SMOD' AND SKIP FIRST SCREEN.
ELSEIF field1(12) EQ 'LS_BADI_LIST'.
CALL FUNCTION 'SXO_BADI_SHOW'
EXPORTING
exit_name = sy-lisel+1(20)
EXCEPTIONS
action_canceled
access_failure
badi_not_exixting.
ELSE.
ENDIF.
In some cases you need to regenerate specific coding and tables. An SGEN is too extensive for your situation.
Use program TOUCHSRC:
Or worst case program TOUCHALL:
For table regeneration run program TOUCHTAB:
And TOUCHINC for includes in table structures:
To perform a check concerning the consistency between the ABAP dictionary and the runtime object, use the ABAP program RSNTABCONSISTENCY. To perform a check concerning the consistency between the database and the runtime object, use the ABAP program RUTDBCHK. Read more in OSS note 526394 – Information about ABAP Dictionary error analysis.
Background OSS notes:
Best practice notes:
TRDIR and TADIR are the tables behind programs and table data.
The below section is for experts only. Sometimes direct interception in TRDIR or TADIR is needed to solve nasty upgrade and support package issues. But if you don't know what you are doing: don't touch and raise message to SAP.
TADIR contains the development objects list.
For example you want to know how many Z classes are created in your system, search in TADIR with SE11 and count the records:
Using TADIR with a search on DEVCLASS $TMP will give you a list with all programs in the $TMP (temp) space.
TADIR also has information about the original system. To change: follow the instructions in this blog.
TADIR does not contain a program editor lock. This is stored in table PROGDIR. See more in this blog.
Background notes on TADIR:
TRDIR is a view on table REPOSRC. REPOSRC contains the actual ABAP source codes in RAWSTRING format. In some cases inconsistencies between TRDIR and TADIR might happen (mainly during upgrades). Direct interception on TADIR or TRDIR level might be needed, if you know what you are doing.
Transaction STDR can be used to check consistency:
Background notes on TRDIR:
Clean ABAP is the ABAP variant of the clean code principles. All background on clean ABAP code can be read in this blog.
This blog will explain how to upload the ABAP coding for the Clean ABAP ATC variant in your system and activate it.
To load the ATC variant code for clean ABAP you first need to install the ABAP Git code. Follow the instructions in this blog to do so. Simplest is the offline variant.
Now go to the Github code pal site for ABAP clean code and download the package:
Select the button Code and choose the option Download ZIP.
Now start the ABAP git that you loaded in your first step. Choose the option New Offline:
Give the repository a name and select a package:
Then push the button Create Offline Repo.
Now select Import Zip:
Import the file you downloaded in step 2 from the code pal site.
Next step is the Pull zip:
You might get a screen with differences. Do not select anything there, only press Ok.
Then wait until all the Y objects are pulled into the system. This might take 5 to 10 minutes.
Now start transaction SCI. Select menu option Code Inspector, Management of, Tests. Select all the newly load Y checks for Clean ABAP code:
Important now: Save them!
Now you can create a global SCI variant:
Select all the Clean code ABAP checks and save the variant:
You might get weird issues upon saving for other items, like for example missing CL_CI_CATEGORY_TOP. In that case, go to transaction SE16 -> look for table SCITESTS -> and look for CL_CI_CATEGORY_TOP if there is no entry. Enter the table SCITESTS and click "Create Entry", add CL_CI_CATEGORY_TOP entry and save.
Take a program you want check. Then select menu option Program, Check, ABAP Test Cockpit with….:
Select the ZCLEAN_ABAP SCI check we created above. Run the checks.
Results:
Tip: click on the blue line to jump to the Clean Code site exactly explaining about the issue.
To speed up clean ABAP in practice, you can install the clean ABAP cleaner plug-in. Read this blog on how to do this.
Clean ABAP is the ABAP implementation of Clean code. Clean code is one of the key principles to adhere to when going Agile. Clean code is part of agile software development craftmanship. Read more on clean code in the original book.
Clean ABAP is published and maintained on a dedicated Clean ABAP Github site.
The site itself is excellent and also has a special chapter how to best start with Clean ABAP.
The site is extensive and might be overwhelming. If you are a more traditional person, you can also read the SAP Press book on Clean ABAP code.
Blog on SAP site on clean ABAP can be found here and here.
The Clean ABAP explanation on the site contains both patterns (how you should do) and anti-patterns (how you should not do).
Anyhow the Clean ABAP principles are fully built on Object Orientation. That is a must.
Regardless if your organization is doing Agile or Waterfall development, or other development methodologies, Clean ABAP can be applied anyhow.
First step is to embrace the Clean ABAP as a principle direction. It will take time to get there. Not all developers will pick up as fast as you might want to. It also takes time to refactor old code to the Clean ABAP principles.
Discuss as developers as a team which part of the principles and improvements you want to pick up first. If you master a few, you can make it mandatory. Then take the next set. Some might pick up more at a higher pace. But keep the discussion going to improve and pick up every 2 weeks (sprint) at least 1 improvement item.
For a nice overview: read this SAP blog.
You can make the Clean ABAP code rules a part of your peer review or pair programming.
There is an ATC variant that can be uploaded that check for the clean ABAP code rules. Read this blog for instructions on how to do this.
The boy scout rule is as follows: leave the place nicer than when you arrived, even though you didn’t make the mess. When you do this repetitively the world becomes a cleaner place.
This also applies to poor code: don’t just do your change, but take along some minor improvements as well. When you do this a couple of times, the poor code will improve every time towards good code.
But this principle you also need to embrace and explain. There might be unlucky situations where the clean up part might cause unexpected bug. This might happen in 0.01% of the cases. When it happens you might get resistance and pushback. But stand up for the principle, and simply correct the bug. It is worth it in the long run.
To speed up clean ABAP in practice, you can install the clean ABAP cleaner plug-in. Read this blog on how to do this.
New input welcome, leave a comment!
Competence is limited, incompetence is unlimited
Below each level of incompetence there a next level of even worse incompetence
We don't need to remove the BigTruck button in STMS since nobody will be so stupid to start the ImportAll
Fundamental laws of stupidity: 1. Everybody underestimates the amount of stupid people 2. Stupidity is not related to any other characteristic of a person 3. Stupid people damage others and themselves 4. Not-stupid people underestimate the damage of stupid people 5. Stupid people are more dangerous than smart criminals
This blog will explain how to integrate SO10 standard text in webdynpro. It will also show how to use this to integrate it into page on the right after logon (see also this blog).
Start transaction SO10 and create text for logon:
Now enter the text and save it:
We have entered text (as explained in SO10 blog). Important: add the <br/> tags to create the line break.
We will now setup webdynpro screen into which we will integrate SO10 text above.
Go to SE80 and create webdynpro Z_LOGON_INFO and go to the main view context and create this structure:
This is the data container for the string to show on the screen.
In the Layout View add element for logon text of type FormattedTextView:
Bind the text from the data element:
And map the data source:
In the view go to the methods and fill the WDDOINIT method:
Full code:
METHOD wddoinit . DATA: lt_table TYPE TABLE OF tline, ls_table TYPE tline, iv_textname TYPE tdobname VALUE 'Z_TEXT_FOR_LOGON', "Text created in SO10. lv_string TYPE string, ex_lines TYPE string. DATA lo_nd_data TYPE REF TO if_wd_context_node. DATA lo_el_data TYPE REF TO if_wd_context_element. DATA ls_data TYPE wd_this->element_data. CONSTANTS: lc_txtid(4) TYPE c VALUE 'ST', lc_txtobj(10) TYPE c VALUE 'TEXT'. CALL FUNCTION 'READ_TEXT' EXPORTING id = lc_txtid name = iv_textname language = sy-langu object = lc_txtobj TABLES lines = lt_table. LOOP AT lt_table INTO ls_table. CONCATENATE ex_lines ls_table-tdline INTO ex_lines SEPARATED BY space. ENDLOOP. lo_nd_data = wd_context->get_child_node( name = wd_this->wdctx_data ). lo_el_data = lo_nd_data->get_element( ). lo_el_data->set_attribute( name = 'SO10TEXT' value = ex_lines ). ENDMETHOD.
The code calls with function module READ_TEXT the text set into Z_TEXT_FOR_LOGON and binds it to the SO10TEXT element. Remark: the formatted text in webdynpro now processes the </BR> settings.
And create the webdynpro application:
And test it:
The formatted text is processed by class CL_WD_FORMATTED_TEXT. See help.sap.com on this. Restrictions are listed (like no use of commands), and list of allowed tags.
Adding a URL to the standard text and show it in webdypro is not possible (as far as known). To add a URL, add to LinkToUrl item in the webdynpro.
Now we follow the instructions from the blog on the logon text. Start transaction SM30_SSM_CUST and set the parameter SESS_URL:
Now log on again:
