You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Contents:

 

Related pages:

 

Welcome to SAP Extractor for Kiuwan (SAPEX)

 

To analyze ABAP code in Kiuwan, source code and information from SAP system need to be exported previously to be analyzed by Kiuwan.

SAP Extractor (SAPEX) for Kiuwan performs these tasks.

 

NOTE: SAPEX is expected to run in any SAP NetWeaver 7.2+ platform.

Contact Kiuwan Technical Support Kiuwan Support for previous platform versions.


Introduction

In order to execute any Kiuwan analysis, you must first indicate where the source code is located.

This first step seems trivial when you are working with a file system or with any source code repository, but it’s not so when you are working with SAP.

ABAP code is located within SAP Server, so you should first extract ABAP code and let Kiuwan know the location of the extracted info.

After extracting the ABAP code, Kiuwan will be ready to analyze it.

Kiuwan lets you implement two different approaches on the location where the ABAP code is analyzed

You can execute the Kiuwan analyses at two different locations:

  • within the SAP server (local), or
  • from within an external server (remote)

Additionally, you can analyze:

  • manually, or
  • automatically

This way, Kiuwan will scan the code and deliver to you the analysis results.

Depending on your development life cyle you may have different needs.

Sometimes you will need to analyze a complete package, while other times you will only need to analyze a transport order.

Kiuwan allows you to fully integrate the analyses within your custom development life cycle by providing different types of analyses:

  • baseline analyses: a specific version of an application that is relevant enough to be considered as a reference to track further changes on it
  • deliveries analyses: a new distribution of the application that contains changes to the baseline, due to corrective or evolutive maintenance
    • based on scope - partial vs completeand
    • based on completion status  - resolved vs in progress 

Please visit Kiuwan Life Cycle Doc for complete information.


Therefore,  the approach to integrate SAP and Kiuwan consists on

  • To decide where should be run the Kiuwan analyses:
    • local (within the SAP server)
    • remote (within any other server of yur installation)
  • Proceed to SAPEX installation accroding to the possible scenarios (local or remote)
  • Run the ABAP code extraction mechanisms
  • Execute the Kiuwan analyses 
    • Baselines for packages
    • Deliveries for transport orders

 

 

How it works

 

When SAPEX components (programs, function modules, support classes, OS commands) are installed on the target SAP system, the user may perform the following operations:

 
  • Extract source code 
    • Either by running a program within SAP server (ZKW_SAPEX_CODE) , or remotely (using the sapexCode.xml script), extracted code can be analyzed with Kiuwan Local Analyzer
    • The code elements to extract could be based on transport requests / tasks, packages, and the type and name of the element (programs, function modules, classes, web dynpro components, etc.)
 
  • Extract system information ("metadata")
    • Metadata are used by Kiuwan rules to search for defects and vulnerabilities
    • For example, to ensure that authorization is performed properly, information about authorization objects and authorization groups (extracted from TOBJ and TDDAT tables) is used by many security checks in Kiuwan. 
    • Metadata extraction could be performed either by running a program within SAP Server (ZKW_SAPEX_METADATA) , or remotely (using the sapexMetadata.xml script).
 

  • Perform analysis on extracted source code

    • Within a SAP system with Kiuwan Local Analyzer deployed, by running the ZKW_ANALYSIS program. It offers the possibility for extracting source code before analysis.

 

  • Add automated audits before releasing changes

    • SAP's Change and Transport System (CTS) may register an implementation for the CTS_REQUEST_CHECK 'classic' BAdI

    • Source code extraction, analysis and evaluation of audit checkpoints may be performed before accepting (or rejecting) the release of a change request / task, according to organizational quality and security standards.

 


  • No labels