SAP Code Vulnerability Analyzer
Security is no longer considered a luxury for IT systems. Your custom applications written in ABAP are a target for cyber attacks. A successful cyber attack can lead to the loss of confidential customer and company data and of information about business processes; it can ruin your company's reputation and even entail legal consequences and incur financial penalties.
SAP Code Vulnerability Analyzer (CVA) is a static code scanning tool that helps you identify and fix security vulnerabilities in your ABAP code before you deploy it to customers.
CVA is available both in the Cloud and on-premise. The Cloud solution is part of ATC (ABAP Test Cockpit) and comes with BTP ABAP Environment. Pricing is based on CPEA (Cloud Platform Enterprise Agreement) or Pay-As-You-Go. It does NOT require a CVA license. The on-premise solution requires a CVA license based on the number of users.
The Cloud solution has a number of benefits compared to on-premise:
- CVA on BTP is always up to date, so it has the latest checks.
- CVA on BTP does not require a CVA license. It requires only BTP ABAP Environment, which is generally cheaper.
- CVA on BTP allows the analysis of usage data, so you can identify code that is rarely or never used.
- The setup time for CVA on BTP is shorter.
- CVA on BTP runs on BTP ABAP Environment. Once you have this, you can also use it for other purposes such as Custom Code Analysis for S/4HANA, BTP ABAP Environment Migration, and developing ABAP code on BTP for innovative use cases.
Getting Started
Technical Infrastructure
CVA in SAP S/4HANA Cloud Private Edition or SAP S/4HANA
CVA checks for developments in SAP S/4HANA Cloud Private Edition or SAP S/4HANA are based on remote ABAP Test Cockpit (ATC) and can be executed:
- without any additional fee using ATC on SAP BTP. For details, see the blog: Usage of ABAP Test Cockpit (ATC) in the cloud for on-premise developments.
- under separate CVA licensing, using remote ATC on-premise (see Remote code analysis with ATC).
CVA in SAP BTP ABAP Environment
CVA checks for developments in SAP BTP ABAP Environment do not require any additional license and are based on local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.
For details, see the blog: Usage of ABAP Test Cockpit (ATC) for developments in SAP BTP ABAP Environment
CVA in SAP S/4HANA Public Cloud Edition
CVA checks for developments in SAP S/4HANA Public Cloud Edition do not require any additional license and are based on a local ABAP Test Cockpit (ATC) and a dedicated ATC check variant containing CVA checks.
For details, see the blog: Usage of ABAP Test Cockpit in the SAP S/4HANA Cloud Public Edition
A selection of important blogs
Here you can find a number of blogs central to understanding Code Vulnerability Analyzer.