
Welcome to SAP Extractor for Kiuwan (SAPEX)

 

To analyze ABAP code in Kiuwan, the source code and some system information must first be exported from the SAP system so that Kiuwan can analyze them.

Kiuwan SAP Extractor (SAPEX) performs these tasks.

 

NOTE: SAPEX is expected to run on any SAP NetWeaver 7.2+ platform.

Contact Kiuwan Technical Support for earlier platform versions.

 

How it works

Once the SAPEX components (programs, function modules, support classes, OS commands) are installed on the target SAP system, the user can perform the following operations:

  • Extract source code
    • Either by running a program within the SAP server (ZKW_SAPEX_CODE) or remotely (using the sapexCode.xml script); the extracted code can then be analyzed with Kiuwan Local Analyzer.
    • The code elements to extract can be selected by transport request / task, by package, and by element type and name (programs, function modules, classes, Web Dynpro components, etc.).
  • Extract system information ("metadata")
    • Metadata is used by Kiuwan rules to search for defects and vulnerabilities.
    • For example, to check that authorization is performed properly, many security checks in Kiuwan use information about authorization objects and authorization groups (extracted from the TOBJ and TDDAT tables).
    • Metadata extraction can be performed either by running a program within the SAP server (ZKW_SAPEX_METADATA) or remotely (using the sapexMetadata.xml script).
  • Perform analysis on extracted source code
    • Within a SAP system with Kiuwan Local Analyzer deployed, by running the ZKW_ANALYSIS program. It can also extract the source code before the analysis.
  • Add automated audits before releasing changes
    • SAP's Change and Transport System (CTS) can register an implementation of the CTS_REQUEST_CHECK 'classic' BAdI.
    • Source code extraction, analysis and evaluation of audit checkpoints can then be performed before accepting (or rejecting) the release of a change request / task, according to organizational quality and security standards.

 

 

Introduction

In order to execute any Kiuwan analysis, you must first indicate where the source code is located.

This first step seems trivial when you are working with a file system or with a source code repository, but it is not when you are working with SAP.

ABAP code is located within the SAP server, so you first have to extract the ABAP code and let Kiuwan know the location of the extracted files.

After extracting the ABAP code, the Kiuwan analysis is ready to be executed (manually or automatically).

Kiuwan will then scan the code and deliver the analysis results to you.

Depending on your development life cycle you may have different needs.

Sometimes you will need to analyze a complete package, while at other times you will only need to analyze a transport order.

Kiuwan allows you to fully integrate the analyses within your custom development life cycle by providing different types of analyses:

  • baseline analyses: a specific version of an application that is relevant enough to be considered as a reference to track further changes to it
  • delivery analyses: a new distribution of the application that contains changes to the baseline, due to corrective or evolutive maintenance
    • based on scope: partial vs. complete
    • based on completion status: resolved vs. in progress

Please visit the Kiuwan Life Cycle documentation for complete information.



The approach to integrate SAP and Kiuwan is the following:

  • First, we concentrate on extracting ABAP code and executing Kiuwan (from within the SAP server) for baselines.
  • Then, we deal with deliveries.

 

 

Modeling ABAP code in Kiuwan

Before describing the extraction and operating mechanisms, you should think about how to model ABAP code in Kiuwan.

Kiuwan always works with the concept of application.

In Kiuwan terms, an application is the analysis unit, i.e. a set of source code files that has some functional meaning for you and, consequently, needs to be analyzed as a whole.

Once you define a Kiuwan application, you indicate to Kiuwan the source root directory, i.e. the directory that contains the source code files of that application.

Kiuwan will analyze those source code files as a unit, providing comprehensive results.

Besides, you can always govern your applications by organizing them in portfolios that reflect the dimensions that matter to you and your organization.

There are as many ways to model that relationship as there are Kiuwan users and organizations. Nevertheless, we suggest an approach that has proven very useful and adequate in Kiuwan deployments on SAP systems.

This approach consists of modeling a SAP package as a Kiuwan application.

This way, there is a direct relationship between SAP functional units and Kiuwan applications.

In this documentation you will find procedures to execute baseline and delivery analyses, but please remember that the procedures explained are based on mapping “SAP Package” to “Kiuwan Application”.

If this assumption is not applicable to your case, please contact us.

 

Overall procedure

The procedure to fully integrate Kiuwan with your SAP system takes two main steps:

  1. Install some Kiuwan utilities into your SAP system that will be used during operation
  2. Run the appropriate procedures depending on your operating needs
    1. Create and analyze application baselines
    2. Run Kiuwan analyses automatically on change requests

The rest of this document is based on these two main operations:

  • first describing the procedure to install the Kiuwan utilities and,
  • then explaining how to perform the different kinds of analyses.

The procedures that follow are the most common ways to operate SAP and Kiuwan.





Nevertheless, if you are an integrator or an external consultant just using Kiuwan, you might consider analyzing ABAP code entirely from outside the ABAP server, without ever needing to connect to the SAP system or SAP server.

If this is your case, i.e. connecting remotely to the SAP server to extract ABAP code locally, you might consider using the SAP JCo Connector.

Please visit https://www.kiuwan.com/blog/abap-continuous-analysis-with-kiuwan/ for further information on how to use this approach.


LOCAL Baseline analysis

LOCAL Baseline ABAP source extraction

As mentioned above, we suggest modeling a SAP package as a Kiuwan application, so this approach is used throughout the explanation.

The Abap Code Extractor form allows you to extract SAP objects to a defined path within the SAP server. The extraction mechanism downloads SAP objects grouped by the SAP package they belong to.

The Abap Code Extractor form creates a directory for every package, where all the objects belonging to it are placed. As you will see below, you can define exactly which objects to extract.

IMPORTANT: the Abap Code Extractor does not delete the previous content of the extraction directory, so you need to delete it before a new extraction.

After the extraction finishes, you have to run Kiuwan yourself (in this step Kiuwan is not invoked automatically). Because there is a directory for every downloaded package, you can name the applications after the packages and configure every application’s source directory to point to the package directory.

See below for an example of the extracted directory structure.


The Abap Code Extractor downloads the following object types:

  • Function modules
  • Classes
  • Programs
  • Screens

The Abap Code Extractor presents the following sections:

  • Additional downloads
    • This option allows you to also download the screens associated with the objects (see the “Objects to download” section)
  • Download parameters
    • Physical path where the extractor will download the requested objects (if the directory does not exist, the extractor will create it)
  • Display options
    • Display download report (a final report with all the downloaded objects)
    • Display progress message (a progress message of the download process)
  • Objects to download (multiple selection)
    • The checkboxes at the left select the types of objects to export.
    • The package specification applies to the objects to download: only objects belonging to the selected packages are downloaded. If no range is specified, objects from any package are returned.
    • For every type, there are “From” and “To” ranges.
      • If nothing is specified in the ranges, all the objects are downloaded.
      • Range text boxes accept the (*) wildcard to match any sequence of characters.
      • If only the From range is specified, only objects matching the From expression are returned.
      • If both From and To ranges are specified, all objects whose names fall alphabetically within the range are returned.


 

For example, let’s suppose that we indicate /SAP_KLA_SHARED/baseline as the download path. Then we want to extract the code of the function module ABAD0_CHECK_ACCESS_ROUTINES, so we check “Function modules” and write its exact name in the From field.

The created directory structure is the following:

  • /SAP_KLA_SHARED/baseline                 [download root directory]
    • ABADR                                  [package name]
      • ABAD0_CHECK_ACCESS_ROUTINES          [function name directory]
        • ABAD0_CHECK_ACCESS_ROUTINES.abap   [ABAP source code]
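As an added example (not part of this page or of Kiuwan’s own scripts), the following POSIX shell function walks a download root laid out as above and prints one Kiuwan Local Analyzer invocation per package directory, applying the package-to-application mapping recommended on this page. The KLA_BIN location is an assumption; the -n, -c and -s flags are the ones the WS_EXECUTE example later on this page passes to the agent.

```shell
#!/bin/sh
# Added example, not part of the SAPEX page or of Kiuwan's own scripts.
# Assumption: KLA_BIN is the Kiuwan Local Analyzer bin directory on the
# machine that runs the analysis (the default below is hypothetical).
KLA_BIN="${KLA_BIN:-/opt/KiuwanLocalAnalyzer/bin}"

# kla_commands ROOT
# Prints one agent.sh command line per package directory found directly
# under ROOT (the SAPEX download root), using the package name as the
# Kiuwan application name and the package directory as its source root.
# Flags -n (application name), -c and -s (source directory) are the ones
# the page's WS_EXECUTE example passes to the agent.
kla_commands() {
  root="$1"
  [ -d "$root" ] || { echo "no such download root: $root" >&2; return 1; }
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue   # no subdirectories: the glob did not expand
    pkg=$(basename "$dir")
    # Only accept names made of the characters SAP package names use;
    # anything else (for example a stray directory with spaces) is never
    # handed to the agent as an application name.
    case "$pkg" in
      *[!A-Z0-9_]*) echo "skipping unexpected directory name: $pkg" >&2; continue ;;
    esac
    # Skip packages from which nothing was extracted.
    if [ -z "$(find "$dir" -name '*.abap' | head -n 1)" ]; then
      echo "skipping $pkg: no .abap files" >&2
      continue
    fi
    printf '%s -n %s -c -s %s\n' "$KLA_BIN/agent.sh" "$pkg" "${dir%/}"
  done
  return 0
}

# Usage: sh this_script.sh /SAP_KLA_SHARED/baseline
[ "$#" -eq 0 ] || kla_commands "$1"
```

The printed lines can be reviewed and then executed one by one, or piped to the shell once the package list has been checked.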

 

 

Once you have extracted the ABAP source code, you can execute Kiuwan Local Analyzer on it.

Kiuwan Local Analyzer can be executed externally (i.e. by invoking KLA either from its GUI or from the command-line interface) or internally, from within the SAP environment.

What follows are the instructions to execute the Kiuwan analysis from within the SAP environment.

Kiuwan execution from within SAP environment

To execute Kiuwan Local Analyzer from within the SAP environment you can either create an “External Command” or call WS_EXECUTE directly.

Kiuwan execution from External Command

Use SM69 to create a SAP command called Z_KLA_AGENT that runs the Kiuwan script that executes analyses in the underlying operating system (agent.cmd on Windows, agent.sh on Linux/Unix).

 


 

Kiuwan execution from WS_EXECUTE

Below is an example of a program using WS_EXECUTE to run Kiuwan Local Analyzer.

 

*&---------------------------------------------------------------------*
*& KIUWAN_LOCAL_ANALYZER
*& runs the kiuwan local analyzer
*&---------------------------------------------------------------------*
FORM KIUWAN_LOCAL_ANALYZER
  USING l_appname         TYPE string
        l_source_code_dir TYPE string.

  write: / ' KIUWAN_LOCAL_ANALYZER...'.

  " Build the agent command line: -n <application name> -c -s <source directory>
  DATA l_commandline TYPE string.
  CONCATENATE '-n' l_appname '-c' '-s' l_source_code_dir
    INTO l_commandline SEPARATED BY space.

  " WS_EXECUTE starts the program on the SAP GUI front end (the workstation),
  " so CD and PROGRAM refer to the KLA installation on that machine, not on
  " the application server.
  CALL FUNCTION 'WS_EXECUTE'
    EXPORTING
      CD                 = 'C:\KiuwanLocalAnalyzer\bin'
      COMMANDLINE        = l_commandline
      PROGRAM            = 'agent.cmd'
    EXCEPTIONS
      FRONTEND_ERROR     = 1
      NO_BATCH           = 2
      PROG_NOT_FOUND     = 3
      ILLEGAL_OPTION     = 4
      GUI_REFUSE_EXECUTE = 5
      OTHERS             = 6.

  " Report any failure of the call with the system message it set
  IF SY-SUBRC <> 0.
    MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
            WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ENDIF.
ENDFORM.

 

Diagram for Baseline Analysis

 

Deliveries analysis

Below are explained the mechanisms for extracting ABAP code and executing Kiuwan automatically.

Different mechanisms are provided for “Resolved” and “In progress” deliveries.

Resolved deliveries

Resolved deliveries extractor installation

The implemented Kiuwan approach consists of a “classic BAdI” that performs the Kiuwan analysis before a request is released.

In order to register the classic BAdI you must follow the steps below:

  1. Go to SE19
  2. In the “Create implementation” box select “Classic BAdI” and enter “CTS_REQUEST_CHECK” as its name.
  3. Set “Implementation Name” to Z_CTS_REQUEST_CHECK
  4. Provide a short description text and save it.
  5. In the Properties tab, select the package to which this implementation will be added
  6. In the Interface tab, double-click the method “CHECK_BEFORE_RELEASE”, replace the existing code with the content of ZCL_IM_KWN_REQUEST_CHECK.abap and press Save.
  7. Go back and activate the BAdI


Kiuwan execution of Resolved Deliveries

This use case covers request analyses in the pre-release phase.

The request’s tasks should have been released previously; the Kiuwan analysis is executed at the moment Release is invoked on the request. The Kiuwan analysis is executed automatically without any user intervention. The label of the Kiuwan delivery analysis is a timestamp obtained from the SAP server where the analysis is executed.

If the downloaded SAP objects belong to different packages, a directory is created for every package and a Kiuwan analysis is executed for every package, mapping the package name to the Kiuwan application name.

The user is informed of the execution results of the whole chain of analyses. If any Kiuwan analysis fails (because of a technical error or because the Audit fails), the user is informed, as is the case when the analysis does not have any analyzable component.

Kiuwan analysis results can be inspected in the Kiuwan dashboards by following the URL displayed in the SAP console.

The next example shows how to release a request:

  1. First, you must release the task.
  2. Then, release the request. This automatically executes the Kiuwan analysis and feedback is provided on the execution result.
  3. In this example, the Audit has failed (i.e. the conditions the analysis must satisfy have not been met). You can go to Kiuwan to see the reasons and details.
  4. Because the Audit failed, the SAP request was not released.


Diagram for resolved analysis


In-Progress deliveries

In-Progress deliveries extractor installation

The implemented Kiuwan approach consists of:

  • Three function modules (Z_KWFN_*)
    • Z_KWFN_OT_ANALYSIS
    • Z_KWFN_ABAP_EXTRACTOR
    • Z_KWFN_EXTRACT_TOC
  • One report
    • Z_KIUWAN_OT_ANALYSIS


First, use SM69 to create a SAP command called Z_KLA_AGENT that runs the Kiuwan script that executes analyses in the underlying operating system (agent.cmd on Windows, agent.sh on Linux/Unix).

Then, use SM69 to create a SAP command called ZDTX_RMDIR that runs the operating system command to recursively remove directories.

Once you have created the above commands, you should install the provided function modules. The following example shows how to create one of them.

  1. Use SE80 to create a function group (in our example Z_KWFN)
  2. In the TOP INCLUDE of the function group, create the constant basedir (set to the download path) and the global variable slashSeparator
    • The path specified by basedir must exist in the SAP server and have rwx permissions for the user running SAP.
  3. Create the function module Z_KWFN_OT_ANALYSIS
    • Fill the Export/Import/Tables tabs with the values described in each function’s source file
    • Last, paste the provided source code into the Source Code tab
  4. Once the function group and the three function modules are created, activate the function group.

In order to create the report Z_KIUWAN_OT_ANALYSIS, please follow the procedure described above to create the Z_ABAP_EXTRACTOR report.

The last step is to create a zsci message class with the following content for every message (please see messageclass-zsci.txt):


Kiuwan execution of In-Progress Deliveries

To specify the request or task ID you need to analyze, use the Z_KIUWAN_OT_ANALYSIS report, which takes the following parameters:

  • CR_ID
    • SAP request or task ID (this value is used as the change request name in the Kiuwan delivery analysis)
  • LABEL
    • An arbitrary text that is used as the label in the Kiuwan delivery analysis

Running the report automatically executes the Kiuwan analysis.

Please see the Resolved Deliveries section for details on execution, feedback and results.


Diagram for Delivery In Progress



