SAP Code Vulnerability Analyzer

Security is no longer considered a luxury for IT systems. Your custom applications written in ABAP are a target for cyber attacks. A successful cyber attack can lead to the loss of confidential customer and company data and of information about business processes; it can ruin your company's reputation and even entail legal consequences and financial penalties.

SAP Code Vulnerability Analyzer (CVA) is a static code scanning tool that helps you identify and fix security vulnerabilities in your ABAP code before you even deploy it to customers.

CVA is available both in the Cloud and on-premise. The Cloud solution is part of ATC (ABAP Test Cockpit) and comes with BTP ABAP Environment. Pricing is based on CPEA (Cloud Platform Enterprise Agreement) or PAY-AS-YOU-GO. It does NOT require a CVA license. The on-premise solution requires a CVA license based on the number of users.

The Cloud solution has a number of benefits compared to on-premise:

- CVA on BTP is always up to date, so it has the latest checks.
- CVA on BTP does not require a CVA license. It requires only BTP ABAP Environment, which is generally cheaper.
- CVA on BTP allows the analysis of usage data, so you can identify code that is rarely or never used.
- The setup time for CVA on BTP is shorter.
- CVA on BTP runs on BTP ABAP Environment. Once you have this, you can also use it for all sorts of other things, such as Custom Code Analysis for S/4HANA, BTP ABAP Environment Migration, developing ABAP coding on BTP for innovative use cases, and so on.

Technical Infrastructure

CVA in SAP S/4HANA Cloud Private Edition or SAP S/4HANA

CVA checks for developments in SAP S/4HANA Cloud Private Edition or SAP S/4HANA are based on remote ABAP Test Cockpit (ATC) and can be executed

CVA in SAP BTP ABAP Environment

CVA checks for developments in SAP BTP ABAP Environment do not require any additional license and are based on local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.

For details, see the blog: Usage of ABAP Test Cockpit (ATC) for developments in SAP BTP ABAP Environment

CVA in SAP S/4HANA Public Cloud Edition

CVA checks for developments in SAP S/4HANA Public Cloud Edition do not require any additional license and are based on a local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.

For details, see the blog: Usage of ABAP Test Cockpit in the SAP S/4HANA Cloud Public Edition

A selection of important blogs

Here you can find a number of blogs central to understanding Code Vulnerability Analyzer.