ABAP Code Inspector & Security

All:
I am currently looking into the Code Inspector that is built into SAP, which allows developers to run tests/checks on their code related to performance, syntax, and, as noted, "security". I am trying to track down what exactly the "security" being checked is. I am running tests on my internal SAP systems to see how it acts, but I wanted to get feedback from the security community on a few things:
1) What "security" checks does the Code Inspector actually check for?
2) Is there a location with updated documentation from SAP (not dated 2002) which speaks to the security component, rather than just mentioning it?
3) Any useful use cases within the security community that your organization/clients are using?
Thanks,
Matt Urban

Hi,
If you display a check variant in SCI, there is info linked to each node (icon with an "I"). For example, calling a C routine is a security risk. Dynamic statements are also a good example of a security risk: you need to validate input properly before executing a dynamic statement. Not sure about external documentation, but the documentation available in SCI seems OK to me.
On one project we used SCI to check all custom development (not only for security). It helped us to increase the quality of custom development, especially with less skilled developers.
Cheers
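The dynamic-statement risk mentioned in the reply above, as an added example that is not code from the thread: a dynamic WHERE clause built directly from user input, followed by the same query with the column name checked against a fixed whitelist and the value escaped. SFLIGHT is the standard flight-model demo table; CL_ABAP_DYN_PRG is SAP's helper class for dynamic programming and is assumed to be available on the release in use.

```abap
REPORT z_sci_dynamic_demo.
* Added example, not code from the thread. Shows the kind of dynamic
* statement Code Inspector flags and one way to validate the input first.
* SFLIGHT is the standard flight-model table; CL_ABAP_DYN_PRG is assumed
* to be available (NetWeaver 7.0 EhP2 and later).
PARAMETERS: p_field TYPE c LENGTH 30 DEFAULT 'CARRID',
            p_value TYPE c LENGTH 40 DEFAULT 'LH'.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_field   TYPE string,
      lv_value   TYPE string,
      lv_where   TYPE string,
      lx_error   TYPE REF TO cx_root.

START-OF-SELECTION.

* Assigning the C fields to strings drops the trailing blanks.
  lv_field = p_field.
  lv_value = p_value.

* Vulnerable form: both the column name and the value go straight into
* the dynamic WHERE clause. A value such as  LH' OR CARRID <> '
* rewrites the condition, and the free field name lets the caller
* filter on any column of the table. This is what SCI reports.
  lv_where = |{ lv_field } = '{ lv_value }'|.
  SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
  WRITE: / 'unvalidated:', lines( lt_flights ).

* Hardened form: the column name must be one of a fixed list, and the
* value is passed through QUOTE, which wraps it in single quotes and
* doubles any quote inside it, so it can only ever be a literal.
  TRY.
      lv_field = cl_abap_dyn_prg=>check_whitelist_str(
                   val       = lv_field
                   whitelist = 'CARRID,CONNID,PLANETYPE' ).
      lv_where = |{ lv_field } = { cl_abap_dyn_prg=>quote( lv_value ) }|.
      SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
      WRITE: / 'validated:', lines( lt_flights ).
    CATCH cx_abap_not_in_whitelist INTO lx_error.
      WRITE: / 'rejected field name:', lx_error->get_text( ).
  ENDTRY.
```

Run it once with the defaults and once with p_value set to LH' OR CARRID <> ' to see the first SELECT return every row while the second returns none; a field name outside the whitelist ends in the CATCH branch instead of reaching the database.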

Similar Messages

  • Execute ABAP Code Inspector from Outside of SAP

    Hi all...
For reporting purposes, I would like to use the ABAP Code Inspector (transaction SCI) to generate output as a file. It should be called from outside SAP through an RFC function module and generate the list (output) as a flat file (or XML). Has anyone done similar work? I wonder if you could share your experience with me...
    thanks in advance,
    yayan irianto.

  • Abap code inspector (tx : SCI) to detect certain patterns

    Hello Experts,
    I want to use SAP Code Inspector to detect common problematic ABAP codes for all developed programs.
But I don't know how to make the check variant for detecting the following three patterns.
    SELECT * FROM
    SELECT * INTO
    SELECT SINGLE * INTO
I guess I can use "Search for ABAP tokens" or "Search for ABAP statement patterns". But it didn't work because ' * ' represents any sequence of characters in the Code Inspector.
    Anyone can help me?

    I managed to set up the variant, however found a problem.
I used "Search ABAP Statement Patterns" under "Search Functs" and set the patterns as follows.
SELECT + INTO *
SELECT SINGLE + INTO *
    However following statements were detected.
    SELECT * INTO TABLE IT_DRAW FROM DRAW.
    SELECT MANDT INTO TABLE IT_DRAW FROM DRAW.
    SELECT SINGLE * INTO TABLE IT_DRAW FROM DRAW.
    SELECT SINGLE MANDT INTO TABLE IT_DRAW FROM DRAW.
It's because + means exactly one ABAP token in the Code Inspector, so it matches MANDT as well as *.
Is there any way to find only "SELECT SINGLE *" and "SELECT *"?

  • ABAP Code Inspector

    Is there a way to confine the checks performed by Code Inspector to my
    program only?
My program invokes much SAP-supplied code in the form of includes, and the Code Inspector covers this code as well. I am interested in seeing the results for my code only.

    Hello Gregory,
Using the INCLUDE statement makes any coding part of the program for the compiler and for most checks within the Code Inspector.
Best practice is not to use/offer INCLUDEs for reuse. If very old code makes the inclusion mandatory, then wrapping it in a reuse component, e.g. a function group, is the next best solution.
    Best Regards
      Klaus

  • Let me know about the code inspector ?

    Hi
    Let me know about the code inspector ?
    thanks in advance

    hi
The transactions for the Code Inspector are SCI / SCID. The Code Inspector is generally used to perform syntax checks, security checks and performance checks.
Check these links on the Code Inspector:
    http://sap.ittoolbox.com/groups/technical-functional/sap-dev/abap-code-inspector-1441023
    /people/randolf.eilenberger/blog/2007/03/12/code-inspector146s-performance-checks-i
    /people/peter.inotai/blog/2006/11/02/code-inspector--how-to-create-a-new-check
    http://help.sap.com/saphelp_nw04/helpdata/en/56/fd3b87d203064aa925256ff88d931b/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/56/fd3b87d203064aa925256ff88d931b/frameset.htm
    Regards
    Aarti

  • Efficient use of Code Inspector

    Hello there,
I am currently struggling with how to use the ABAP Code Inspector (SCI) effectively.
What I want to do is convert the output result to an Excel-like table format.
The default output is based on a tree view and is very difficult to use locally.
    Any information is more than appreciated.
    Regards,
    Kazuya

    Hi,
Have you checked the button "Result list" (Ctrl+Shift+F11)? It converts the tree view to a list view. Or are you looking for something more specific?
    Cheers

  • Code Inspector & ABAP UNIT Testclasses

Hello all,
I am currently trying to implement automated checks using the Code Inspector. I especially want to see whether all our developers use our naming conventions. Also, we use ABAP Unit tests. Unfortunately, the generated test classes are not compliant with our naming conventions (and these test classes are not interesting to check anyway).
Now I receive many warnings, mostly from the unit test implementations.
So: is there a way to exclude these local test classes from my object set?
Thanks for your help!
    Best regards,
    Martin Imme

Other-language xUnit test frameworks similar to ABAP Unit (AUnit) commonly have project extensions for storing test results. These are useful for unit-level regression (did a new change break any existing functions?). A history of test results helps narrow down the nature of a current failure by answering the question "When did this break?" or "When did it last pass?". In systems dependent upon outside components, the history can reveal a pattern for occasional failures due to factors outside the system under test.
I see that ABAP Unit test results can be added into the Code Inspector under the Check Variant.
1. Is it common or recommended to use the Code Inspector (SCI) to store AUnit test results?
2. Is it common or recommended to use Code Inspector object variants to collect individual AUnit tests for a regression-style "TestSuite"?
3. What reporting or tools exist for Code Inspector history?
4. Is the Application Log the better spot for an AUnit results history?
    (also posted on the wiki.. apologies - I'm new to the forum and wiki)
    Will Loew-Blosser

  • What exactly is the function of code inspector

    Hi,
Please let me know the function of the Code Inspector and the transaction related to it.
    Thanks in advance
    Regards
    Irfan Hussain

    Hi Irfan,
    The Code Inspector (transaction code SCI) is a tool for checking Repository objects regarding performance, security, syntax, and adherence to name conventions. You can also determine statistical information or search for certain ABAP words (tokens). In the Code Inspector, you can define inspections that, with the help of check variants, examine certain sets of objects. As the result of an inspection, you receive information messages, warning messages, or error messages on different properties of the examined objects.
    You can check the following link for details.
    http://help.sap.com/saphelp_erp2004/helpdata/en/56/fd3b87d203064aa925256ff88d931b/frameset.htm
    Thanks and Regards,
    Ashish.

  • SAP Code Inspector

    Hi Everyone,
    In our project we have a requirement to automate the code review checklist preparation to the maximum extent possible.
The Code Inspector has some standard checks included, from which we can select the relevant checks for inspection purposes. My question is whether we can customize it to add a few more checks to meet our requirement, or whether the standard checks are the most we can have?
    SAP Ver 4.6c.
    Any links to download relevant materials?
    Any one having any custom object build for this purpose they can share it.
    It would be of great help.

    Hi
    http://help.sap.com/saphelp_nw04/helpdata/en/56/fd3b87d203064aa925256ff88d931b/content.htm
see this link
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/50456d27-0a01-0010-ed95-ba71d8f0d74b
    http://searchsap.techtarget.com/loginMembersOnly/1,289498,sid21_gci918390,00.html?NextURL=http%3A//searchsap.techtarget.com/tip/0%2C289483%2Csid21_gci918390%2C00.html
    The Code Inspector (transaction code SCI) is a tool for checking Repository objects regarding performance, security, syntax, and adherence to name conventions. You can also determine statistical information or search for certain ABAP words (tokens). In the Code Inspector, you can define inspections that, with the help of check variants, examine certain sets of objects. As the result of an inspection, you receive information messages, warning messages, or error messages on different properties of the examined objects.
    You can check the following link for details.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-03/abap%20troubleshooting
    http://help.sap.com/saphelp_erp2004/helpdata/en/56/fd3b87d203064aa925256ff88d931b/frameset.htm

  • About code inspector

What is the Code Inspector?

    Hi,
The Code Inspector is an SAP tool for the static analysis of ABAP code, Data Dictionary objects and other repository objects. The tool (transaction SCI) has a set of predefined performance checks that can help you improve your code so as to optimize the performance of your program.
The Code Inspector is a tool for checking repository objects regarding performance, security, syntax, and adherence to naming conventions.
You can call the Code Inspector using transaction code SCI or through the menu path SAP Menu -> Tools -> ABAP Workbench -> Test -> Code Inspector. You can also call the Code Inspector from the following transactions:
    ABAP Dictionary (SE11) for DDIC tables
    Class Builder (SE24) for classes and interfaces
    Function Builder (SE37) for function groups
    ABAP Editor (SE38) for programs or reports
    ABAP Workbench (SE80)
    http://help.sap.com/saphelp_nw04/helpdata/en/56/fd3b87d203064aa925256ff88d931b/frameset.htm
    Regards,
    Laxmi.

  • Performance problem in ABAP code

Hi guys,
I created a report using tables like BSIS, T001 etc. (a tax report).
I have a performance problem in this report.
Could you please tell me how to analyse the report and find out the place where the process is taking more memory etc.?
I did an ABAP trace and runtime analysis, but could not find the exact point.
How do I do this?
I want to analyse each subroutine, internal table and query process.
Could you please give me some ideas?
    ambichan

There is an excellent tool available in SAP - Code Inspector.
Transaction is SCII.
Try the following link and I am sure you will find a bunch of useful documents.
ABAP Performance: http://www.google.co.in/search?hl=en&safe=off&q=site%3Asdn.sap.comfiletype%3ApdfCode+Inspector&btnG=Search&meta=
    I use the Code Inspector to search for
a) All the SELECT statements which are present within a loop
b) Nested loops
c) SELECT queries without criteria on the primary key fields, depending upon the situation
d) Whether the search can be narrowed with extra conditions
e) Using READ ... BINARY SEARCH if an internal table has lots of records.
The list is actually endless, but this is something to start with.
You can actually have a checklist and, depending upon it, go through your code. The more you adhere to the checklist, the more you will find that performance dramatically improves.
Also use transaction ST05 for an SQL trace and find out which SELECT query is taking the maximum response time.
    Regards,
    Subramanian V.
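Items a), b) and e) of the list above, as an added example that is not code from the thread: each anti-pattern the Code Inspector's performance checks report, written beside the form that avoids the finding. SCARR, SFLIGHT and SPFLI are the standard flight-model demo tables; the processing inside the loops is illustrative.

```abap
REPORT z_sci_perf_demo.
* Added example, not code from the thread. Two findings Code Inspector's
* performance checks report, each followed by the form that avoids them.
* SCARR, SFLIGHT and SPFLI are the standard flight-model demo tables.
DATA: lt_carr    TYPE STANDARD TABLE OF scarr,
      lt_flights TYPE STANDARD TABLE OF sflight,
      lt_conn    TYPE STANDARD TABLE OF spfli,
      lv_hits    TYPE i.
FIELD-SYMBOLS: <ls_carr>   TYPE scarr,
               <ls_flight> TYPE sflight,
               <ls_conn>   TYPE spfli.

START-OF-SELECTION.
  SELECT * FROM scarr INTO TABLE lt_carr.
  SELECT * FROM spfli INTO TABLE lt_conn.

* a) SELECT inside a loop: one database round trip per carrier.
  LOOP AT lt_carr ASSIGNING <ls_carr>.
    SELECT * FROM sflight APPENDING TABLE lt_flights
      WHERE carrid = <ls_carr>-carrid.
  ENDLOOP.

* Replacement: a single SELECT with FOR ALL ENTRIES. The IS NOT INITIAL
* guard matters: with an empty driver table the WHERE clause is dropped
* and every row of SFLIGHT would be read.
  CLEAR lt_flights.
  IF lt_carr IS NOT INITIAL.
    SELECT * FROM sflight INTO TABLE lt_flights
      FOR ALL ENTRIES IN lt_carr
      WHERE carrid = lt_carr-carrid.
  ENDIF.

* b) Nested loop: a full scan of lt_conn for every flight (quadratic).
  lv_hits = 0.
  LOOP AT lt_flights ASSIGNING <ls_flight>.
    LOOP AT lt_conn ASSIGNING <ls_conn>
         WHERE carrid = <ls_flight>-carrid
           AND connid = <ls_flight>-connid.
      lv_hits = lv_hits + 1.
    ENDLOOP.
  ENDLOOP.
  WRITE: / 'nested loop matches:', lv_hits.

* e) Replacement: sort once, then READ ... BINARY SEARCH per flight
* (logarithmic). The SORT order must match the WITH KEY field order.
  SORT lt_conn BY carrid connid.
  lv_hits = 0.
  LOOP AT lt_flights ASSIGNING <ls_flight>.
    READ TABLE lt_conn ASSIGNING <ls_conn>
         WITH KEY carrid = <ls_flight>-carrid
                  connid = <ls_flight>-connid
         BINARY SEARCH.
    IF sy-subrc = 0.
      lv_hits = lv_hits + 1.
    ENDIF.
  ENDLOOP.
  WRITE: / 'binary search matches:', lv_hits.
```

Running the report under SCI with the performance checks active reports the first SELECT (inside a loop) and the nested loop; the FOR ALL ENTRIES and BINARY SEARCH versions pass, and both hit counts are equal because every SFLIGHT row has exactly one SPFLI connection.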

  • How can I modify data from a Transparent Table without ABAP code.

    Hi,All
How can I modify data in a Transparent Table (like TCURR)? The important thing is that I want to do all that with no ABAP code. It is like what we always do in an Oracle database using TOAD or PL/SQL third-party tools, with no script code.
I had found that there is a way to do that:
1. Type 'SE11', display database table 'TCURR', click Contents, then click Execute to display all data.
2. Type '/h' to switch debugging on.
3. Select one of the rows, then click 'Display' to enter the debugger.
4. Then set a breakpoint in the code. But... a dialog is displayed that lets me type an 'ABAP Cmnds'. I want to know what can be typed in there.
    and, My system is ECC6.
    thank you all
    Edited by: xuehui li on Aug 20, 2008 6:30 PM

    Hello,
Your approach (with Vijay's suggestion) MAY work. However, depending on how tight security is at the company that you are working at, you may or may not be able to actually change the value of the SHOW field to EDIT. This will be especially true if you are working in a Production environment. Vijay's other comment is true as well: this is not a recommended approach to changing data (especially data with a financial impact like TCURR) in a production environment. The auditors will not be impressed.
Explore the option of a maintenance view, or look at tcode TBDM to upload a file which includes daily rates from providers like Reuters, or try tcode S_BCE_68000174, which is a maintenance view on TCURR.
    Regards
    Greg Kern

  • Differences between SLIN and Code Inspector

    Hi,
Can anyone tell me the differences between SLIN and the Code Inspector (SCI)?
In which cases do we use SLIN and SCI?
And as an ABAPer, which one should we prefer?
    Thanks,
    Pradeep.

    Hi
The extended syntax check, or SLIN, is used to check the program in all aspects for different kinds of statements, for example:
when you use SELECT SINGLE, whether you have passed all the key fields or not;
whether you have maintained the text elements or not;
whether you have used UNIT ... CURRENCY along with the QTY and AMOUNT fields when displaying them with the WRITE statement;
and it checks all the varieties of statements used in the code, and if there is some problem with a statement/command, it will display an error or warning.
    Check following links -
    slin
    can any one tell me abt SLIN T-CODE
    Regards
    Anji

  • How to remove Unicode errors from extended check and code inspector

    Hi
We are working on making all our ABAP programs Unicode compliant. We are activating the Unicode flag in the attributes and correcting syntax errors. After this, when we run the extended check (SLIN) or the Code Inspector, it usually gives an error for many statements, such as whenever there is a message.
Code is: MESSAGE a208 WITH text-004.
Error description is:
The message 208 for id ZZ has no long text.
You can hide this message using "#EC *
Message 208 is "& does not exist in & &" and text-004 is "Cannot open the output file".
By using "#EC * we can remove the errors. But is this the correct way, and what does it indicate? Please explain.

    Hi Yogesh,
Can you check whether message number 208 in message class ZZ has the "Self Explanatory" checkbox checked or not? I think it is not checked and you have also not maintained any long text. Hence the error.
By using "#EC you do not remove the error; you merely hide it from SLIN.
It is used if there is some known error you cannot avoid which is returned by SLIN and you don't want it to be reported. It is also a way to "cheat" a reviewer who might be checking for errors.
Not good!
    Regards,
    Aditya

  • Checking naming convention of internal tables in code inspector

Can anyone please explain how, in the Code Inspector, I can check the names of internal tables (like it_) that I use in a report program? I know that I can specify it_ in Programming Convention -> Naming Convention -> Program Global -> Data, but this entry is not specific to internal tables, as it also applies to variables and work areas. Apart from this, is there any entry I can maintain in the Extended Naming Conventions for Programs (introduced in ECC 6.0)? Kindly reply at the earliest.

    Hi,
    Check these links for implementing the custom conventions in the code inspector
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/how%20to%20build%20a%20new%20check%20for%20the%20code%20inspector
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/abap/evaluating%20the%20quality%20of%20your%20abap%20programs%20and%20other%20repository%20objects%20with%20the%20code%20inspector
    hope it helps you.
    Thanks!
