SAP Code Vulnerability Analyzer

SAP Code Vulnerability Analyzer (CVA) is a static code analysis tool that helps you identify and fix security vulnerabilities in your ABAP code. This page provides information on its key features and benefits.

Getting Started

Security is no longer considered a luxury for IT systems. Your custom applications written in ABAP are a target for cyber attacks. A successful cyber attack can lead to the loss of confidential customer and company data and of information about business processes; it can ruin your company's reputation and even entail legal consequences and incur financial penalties.

SAP Code Vulnerability Analyzer (CVA) is a static code scanning tool that helps you to identify and fix security vulnerabilities in your ABAP code before you even deploy it to customers.

SAP CVA is available both in the cloud on SAP Business Technology Platform (BTP) and on-premise.

The cloud solution is part of ABAP Test Cockpit (ATC) and comes with SAP BTP ABAP Environment. Pricing is based on CPEA (Cloud Platform Enterprise Agreement) credits or Pay-As-You-Go. It does NOT require a separate SAP CVA license.

The on-premise solution requires an SAP CVA license based on the number of users.

The cloud solution has a number of benefits compared to on-premise:

  • SAP CVA on SAP BTP is always up-to-date so it has the latest checks.
  • SAP CVA on SAP BTP does not require an SAP CVA license. It requires only SAP BTP ABAP Environment, which is generally cheaper.
  • SAP CVA on SAP BTP allows the analysis of usage data so you can identify code that is rarely or never used.
  • The setup time for SAP CVA on SAP BTP is shorter.
  • SAP CVA on SAP BTP runs in SAP BTP ABAP Environment. Once you have this you can also use it for all sorts of other things such as custom code analysis for SAP S/4HANA, for ABAP Cloud or for SAP BTP ABAP Environment migration, developing ABAP coding on SAP BTP for innovative use cases and so on.

Technical Infrastructure

SAP CVA in SAP S/4HANA Cloud Private Edition or SAP S/4HANA

SAP CVA checks for developments in SAP S/4HANA Cloud Private Edition or SAP S/4HANA are based on remote ABAP Test Cockpit (ATC) and can be executed

SAP CVA in SAP BTP ABAP Environment

SAP CVA checks for developments in SAP BTP ABAP Environment do not require any additional license and are based on local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.

For details, see the blog: Usage of ABAP Test Cockpit (ATC) for developments in SAP BTP ABAP Environment

SAP CVA in SAP S/4HANA Public Cloud Edition

SAP CVA checks for developments in SAP S/4HANA Public Cloud Edition do not require any additional license and are based on a local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.

For details, see the blog: Usage of ABAP Test Cockpit in the SAP S/4HANA Cloud Public Edition

SAP CVA checks

In the blog you can find a list of SAP Code Vulnerability Analyzer checks

SAP CVA checks

Most security issues in ABAP programs are caused by input injected into a program from outside. Here are some examples:

Examples: Security Risks Caused by Input from Outside

FAQ

In this blog you can find a collection of the most frequently asked questions and answers:

SAP CVA - FAQs