2022 Dec 15 7:52 AM
Hello,
The company that employs me is interested in using the ABAP2XLS project but is very cautious about using external source code; it would like to be sure of the origin of this source code when it is downloaded. Does SAP officially support this ABAP2XLS project? How can I reassure my client?
Thanks a lot for your help.
2022 Dec 15 7:58 AM
It is external source code available on GitHub.
The code has to be reviewed by yourself.
2022 Dec 15 8:13 AM
Had SAP supported XLSX natively, you wouldn't need an external package 🙂
Anyway, what are you worried about? There is only one OPEN DATASET statement and it is used to read an external XLSX file which is then handled with official SAP classes to unpack and process the XML nodes within.
There are no calls to "business" transactions nor application table accesses; the thing works on the MiniSAP demos which DO NOT have them.
2022 Dec 15 8:57 AM
It's a good question because Open Source doesn't mean secure. It just means that anybody can check the content of the source code. There is no certification by a certification authority. The ABAP community being quite passive in participating in the code, if I didn't know abap2xlsx well, I would have an audit done by a trusted company before using it.
2022 Dec 15 9:48 AM
It is almost certain that your client is using open source code all over the place. E.g. if you're developing using ADT/Eclipse. So conceptually abap2xlsx is no different.
Any code - whether developed directly on the system, or imported from a git repository - should be checked for security issues. At the very least use the checks built into SCI. There are also SAP Partners who will sell software that does even more checks than SCI.
I easily got permission to put abap2xlsx into a company in a highly regulated industry. There was a clear business need for it. That's probably the biggest "reassurance" the client is likely to need. Either install abap2xlsx or waste thousands of dollars re-inventing the wheel.
2022 Dec 15 4:13 PM
Thank you all for your responses.
What I did on my side - and tell me if it makes sense for you too - is to pass the abap2xls code through the SCII transaction with the security variant SECURITY_CHECK_ALL, which checks a set of important points.
2022 Dec 15 7:05 PM
I guess there are two topics in "The company [...] is very cautious about using external source code".
One part is about security vulnerabilities, another part is about malicious parts.
The security variants help you identify where you might have security vulnerabilities in your programs written "honestly", but don't detect malicious parts in software that have been written to intentionally cause harm.
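Added example, not part of the thread and not code from the abap2xlsx project: a small Python inventory of sensitive ABAP statements in exported source, the kind of list behind the "only one OPEN DATASET" observation above and a starting point for the manual review that check variants do not replace. The statement selection and the sample source are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Statement kinds a reviewer usually wants located first (assumed selection).
# Literals are masked to '' before matching, so CALL 'cfunc' becomes CALL ''.
SENSITIVE = {
    "file access": r"^(OPEN|DELETE) DATASET\b",
    "kernel call": r"^CALL ''",
    "dynamic code": r"^(GENERATE SUBROUTINE POOL|INSERT REPORT)\b",
    "transaction call": r"^(CALL|LEAVE TO) TRANSACTION\b",
    "native SQL": r"^EXEC SQL\b",
    "remote call": r"^CALL FUNCTION\b.*\bDESTINATION\b",
}

def clean(line):
    """Drop comments and mask literals so they cannot fake or split a statement."""
    if line.startswith("*"):                      # full-line comment
        return ""
    line = re.sub(r"'(?:[^']|'')*'|`[^`]*`", "''", line)
    return line.split('"', 1)[0]                  # inline comment

def scan(source):
    """Return {category: [line numbers where a matching statement starts]}."""
    text = "\n".join(clean(l) for l in source.splitlines())
    findings = defaultdict(list)
    line = 1
    for raw in text.split("."):                   # ABAP statements end with a period
        lead = len(raw) - len(raw.lstrip())
        start = line + raw[:lead].count("\n")
        stmt = " ".join(raw.split()).upper()
        for label, pattern in SENSITIVE.items():
            if re.search(pattern, stmt):
                findings[label].append(start)
        line += raw.count("\n")
    return dict(findings)

# Constructed sample, not taken from abap2xlsx.
SAMPLE = """\
* OPEN DATASET in a comment line must not count.
METHOD read_file.
  DATA lv_name TYPE string VALUE 'report.xlsx'. "CALL TRANSACTION 'SE38'.
  OPEN DATASET lv_name
    FOR INPUT IN BINARY MODE.
  CALL FUNCTION 'Z_DEMO_FM'
    DESTINATION 'NONE'.
  CLOSE DATASET lv_name.
ENDMETHOD.
"""

if __name__ == "__main__":
    for label, lines in scan(SAMPLE).items():
        print(f"{label}: lines {lines}")
```

The output is a reading list for the reviewer, not a verdict; colon-chained statements and string templates are not handled.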