
ABAP2XLS installation security

tafkap95
Participant
928

Hello,


The company that employs me is interested in using the ABAP2XLS project but is very cautious about using external source code; it would like to be sure of the origin of this source code when it is downloaded. Does SAP officially support this ABAP2XLS project? How can I reassure my client?


Thanks a lot for your help.

6 REPLIES 6

FredericGirod
Active Contributor
782

It is external source code available on GitHub

The code has to be reviewed by yourself

abo
Active Contributor
782

Had SAP supported XLSX natively, you wouldn't need an external package 🙂

Anyway, what are you worried about? There is only one OPEN DATASET statement and it is used to read an external XLSX file which is then handled with official SAP classes to unpack and process the XML nodes within.

There are no calls to "business" transactions nor application table accesses; the thing works on the MiniSAP demos, which DO NOT have them.
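A claim like the one in the reply above (a single OPEN DATASET, no transaction calls) can be checked mechanically before a manual review. The following is an added example, not part of the original reply and not abap2xlsx code: a small Python inventory of sensitive ABAP statements in downloaded source text. The statement shortlist and the sample source are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed shortlist of ABAP statements a reviewer wants located first (not exhaustive).
SENSITIVE = {
    "file access (OPEN DATASET)": r"\bOPEN\s+DATASET\b",
    "kernel call (CALL 'name')": r"\bCALL\s+'[^']+'",
    "native SQL (EXEC SQL)": r"\bEXEC\s+SQL\b",
    "dynamic code (GENERATE SUBROUTINE POOL)": r"\bGENERATE\s+SUBROUTINE\s+POOL\b",
    "dynamic code (INSERT REPORT)": r"\bINSERT\s+REPORT\b",
    "transaction call (CALL TRANSACTION)": r"\bCALL\s+TRANSACTION\b",
    "program call (SUBMIT)": r"\bSUBMIT\b",
}
# ABAP keywords are case-insensitive, so the patterns are too.
PATTERNS = {k: re.compile(v, re.IGNORECASE) for k, v in SENSITIVE.items()}

def strip_comment(line):
    """Drop ABAP comments: '*' in column 1, or everything after a double quote.
    Limitation: a double quote inside a string literal also truncates the line."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]

def scan(source, name="<inline>"):
    """Return (name, line_no, category, code) for each sensitive statement found."""
    hits = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for category, pattern in PATTERNS.items():
            if pattern.search(code):
                hits.append((name, no, category, code.strip()))
    return hits

def summarize(hits):
    """Count hits per category, e.g. to confirm 'only one OPEN DATASET'."""
    return Counter(category for _, _, category, _ in hits)

# Constructed sample source, not taken from abap2xlsx.
SAMPLE = """\
* OPEN DATASET in a comment must not count
METHOD read_file.
  OPEN DATASET lv_path FOR INPUT IN BINARY MODE. "read the workbook
  READ DATASET lv_path INTO lv_xstring.
  CLOSE DATASET lv_path.
  " CALL TRANSACTION 'SE38' is only mentioned here
  generate subroutine pool lt_code name lv_prog.
ENDMETHOD.
"""

if __name__ == "__main__":
    for name, no, category, code in scan(SAMPLE):
        print(f"{name}:{no}: {category}: {code}")
```

To cover a whole download, read each source file and pass its text and path to `scan()`; every hit is a place for a human reviewer to start, not a verdict.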

Sandra_Rossi
Active Contributor
782

It's a good question because Open Source doesn't mean secure. It just means that anybody can check the content of the source code. There is no certification by a certification authority. The ABAP community being quite passive in participating in the code, if I didn't know abap2xlsx well, I would have an audit done by a trusted company before using it.

matt
Active Contributor
782

It is almost certain that your client is using open source code all over the place, e.g. if you're developing using ADT/Eclipse. So conceptually abap2xlsx is no different.

Any code - whether developed directly on the system, or imported from a git repository - should be checked for security issues. At the very least use the checks built into SCI. There are also SAP Partners who will sell software that does even more checks than SCI.

I easily got permission to put abap2xlsx into a company in a highly regulated industry. There was a clear business need for it. That's probably the biggest "reassurance" the client is likely to need. Either install abap2xlsx or waste thousands of dollars re-inventing the wheel.

tafkap95
Participant
0 Kudos
782

Thank you all for your responses.

What I did on my side - and tell me if it makes sense for you too - is to pass the abap2xls code in the SCII transaction with the security variants SECURITY_CHECK_ALL which check a set of important points.

0 Kudos
782

I guess there are two topics in "The company [...] is very cautious about using external source code".

One part is about security vulnerabilities, another part is about malicious parts.

The security variants help you identify where you might have security vulnerabilities in your programs written "honestly", but don't detect malicious parts in software which have been written to intentionally harm.