Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 
OlgaDolinskaja
Product and Topic Expert
Product and Topic Expert
This document tries to answer the most important questions about the Remote Code Analysis in ABAP Test Cockpit (ATC).

With the SAP NetWeaver AS ABAP 7.51 innovation package SAP customers and partners can perform Remote Code Analysis in ATC which allows to analyze remotely with the latest checks custom code even in older systems using only one system for ATC (SAP_BASIS >= 7.51).

For more information about Remote Code Analysis in ATC please take a look at the Remote Code Analysis in ATC – One central check system for multiple systems on various releases.

If you have common questions, which should be answered in this collection, you can propose them here, in case you are interested to discuss more specific topics please take part at the forum/discussions.

Frequently Asked Questions

General Setup

ATC and Code Vulnerability Analyzer (CVA)

ATC and Solution Manager

Core Concepts

ATC and ABAP Development Tools (ADT)

Frequently Asked Questions


General Setup


What are the total license costs for the initial setup of ATC including the new SAP NetWeaver AS for ABAP 7.51 or 7.52 system? Do we have to extend every developer license?

ABAP Test Cockpit is part of the SAP NetWeaver license. Since the ATC central check system acts only as runtime system for the ATC checks, there are no additional license costs.

The prerequisite for the additional security checks is the installation of SAP NetWeaver AS, add-on for Code Vulnerability Analysis (CVA) which is the separate fee-based product with additional license costs.

Do we really need one extra system for only running ATC? Do we need then one central ATC for all systems in the system landscape?

We recommend to setup one extra system for ATC. This system can check with ATC multiple systems in your landscape.

Do I need to implement any special SAP Note in older SAP systems?

Yes, you need to implement the SAP Note 2270689 in older SAP Systems. For the future developer scenario you will need to implement further SAP Notes, which will be provided later.

 

ATC and Code Vulnerability Analyzer (CVA)


Do we need to pay separate license costs for security checks?

Yes. SAP NetWeaver AS, add-on for Code Vulnerability Analysis (CVA) is the separate fee-based product with additional license costs.

Further information about CVA is on the SAP Community Wiki:  SAP NetWeaver Application Server, Add-On for Code Vulnerability Analysis

What does Code Vulnerability Analysis (CVA) deliver additionally to ATC?

ATC provides general check infrastructure including standard checks for functional correctness and performance. CVA delivers additional security checks, which can be integrated into ATC.

 

ATC and Solution Manager


Can I reuse our SAP Solution Manager system for setting up the ATC central system there?

We recommend a really new system as ATC central system. The Solution Manager is currently based on a low SAP NetWeaver release (SolMan 7.2 is based on SAP NetWeaver 7.4). The minimum release for the central ATC system is SAP NetWeaver AS ABAP 7.51. Besides this you would need to upgrade Solution Manager system each time you want to apply new ATC checks, that is the unnecessary effort.

What about the integration into the ChaRM prozess? Can I track the ATC check results in the Solution Manager?

Yes, the ATC is integrated into the ChaRM process. Just with the Solution Manager 7.2 the display of ATC results was improved. When the request is released by ChaRM, the results are displayed in the Solution Manager.

See also how ATC checks are integrated into the ChaRM in the Solution Manager 2.0 documentation on SAP Help Portal

Can I set the central ATC system equal to the central CCLM system?

Since the CCLM system is currently based on the Solution Manager, you cannot set the central ATC system equal to the central CCLM system.

ChaRM: Is it possible to run ATC checks at status change to "To Be Tested" analogous to "Critical Objects"?

The ATC checks run automatically only if the status is set to „Successfully Tested“(during release of original tasks). But you can also run ATC checks any time on demand (is possible starting with Solution Manager 7.2 SP3)

 

Core Concepts


Is it possible to check only new ABAP code during transport release in Transport Management System and let the old ABAP code pass?

By making use of the baseline in the ATC, findings in old ABAP code can be excluded. Only when new findings are added or if ABAP statements are changed within the old findings, these findings will be reported again. The baseline concept is available with SAP NetWeaver AS ABAP 7.51 innovation package. See also the SAP Community blog Remote Code Analysis in ATC – Working with Baseline to suppress findings in old legacy code.

Can the ATC check runs be planned periodically?

Yes, the ATC check runs can be planned periodically on the ATC central system. For more information see Scheduling Run Series in the Central System  on the SAP Help Portal.

Can the ATC checks be integrated into the standard syntax check?

No, it is currently not possible. However, we plan to integrate the ATC into the activation process so that the current ATC results are obtained after the activation of an ABAP object.

Is the state of the approvals held on the ATC central check system or on the local checked system?

On the ATC central check system.

How is the finding exactly referenced (code or source code line)?

A hash (from the code) is generated for each result. As long as it does not change, the line can also move.

How expensive are remote ATC checks with respect to memory usage, execution time etc.?

During an ATC check run, an object model is created in the checked system and transferred to the ATC central check system. The various checks are performed on this model in the ATC central check system. The object models are stored in a cache to minimize the time taken to create and transfer the model.

Memory consumption is strongly dependent on the number and complexity of the objects to be checked.

What about release dependent ATC checks? Various AS ABAP releases may contain different ABAP statements and commands, which must be checked differently.

This release dependency is taken into account in the ATC checks and explained in the checks documentation.

The ATC can be configured so, that it will run during transport release and the transport request will not be released in case of errors or warnings. Is this automatic check also planned for release of tasks and transport of copies?

It is planned to configure the automatic ATC check so that it is executed during the tasks release. Implemented with the SAP note 2495410.

Can I restrict the ATC check only to my custom code (no check for SAP code)?

You can configure which objects will be checked (e.g. all objects of a package). With AS ABAP 7.52 the coverage of checked source code was improved and the findings in SAP includes and generated code are ignored.

Does the central ATC system need to know the release of the checked system e.g. to check differently if applicable?

No.

Can I extend the scope of the Remote Stubs, e.g. in order to add specific DDIC information for my own remote checks?

An extension for your own remote checks is not yet planned.

We practice "collective code ownership". Is there a way to address findings to the last user, instead of to the person responsible for the object?

This is not currently possible. However, such a functionality is planned in the future.

Can I mark already processed findings?

This is not currently possible. However, such a functionality is planned in the future.

During ATC remote checks run: will the ABAP Unit tests run on the local system?

The ABAP Unit tests must always be executed on the local system. This task cannot be carried out by the ATC central system.

Is a check for searching pragmas or pseudo-comments are also planned? Background: Detect and approval process for unwanted pragmas (configurable)?

A check for searching pragmas or pseudo-comments is currently not planned. It is, however, possible to configure ATC check runs in such a way that the results are displayed despite pragmas / pseudo-comments.

For more information see Configuring Run Series in the Central System  on the SAP Help Portal.

Are there ATC checks for Web Dynpro?

The remote ATC checks are currently not applicable for Web Dynpro / Dynpro

What happens to my exemption when I change the coding?

If you request an exemption for a single finding, this exemption will be valid as long as you don’t change the coding or the relevant context of that finding. As long as you only change coding that does not affect the finding (for example you change something in line 20 of an include and the finding marks code in line 200), the finding will be recognized as the same and thereby also the exemption stays valid.

Is it possible for a customer to scan partner add-ons?

In case you as a customer want to scan partner add-ons in your system you have to register the namespace of the add-on via the report SATC_AC_INIT_NAMESPACE_REG.

You can check the documentation of the report for further details. In system older than SAP NetWeaver AS ABAP 7.50 you have to apply the SAP note 2215288 to enable this feature.

Is it possible to run ATC checks when releasing transport tasks?

Yes, this is possible. You have to enable this feature by applying the SAP note 2495410.

Which BAdIs can I use to implement extension points for ATC?

You can implement SATC_CONTACT_PERSON to determine contact person of a development object (default is TADIR-AUTHOR) and SATC_USER_ACCOUNT to determine email address of a user (default is from user data of transaction SU02).

How can I view a central ATC check result in my developer system?

Please refer to the blog Remote Code Analysis in ATC – Browse Central ATC Result in Developer Systems.

How can I decide on which granularity an exemption can be applied?

In transaction ATC you will find the “Admissible Exemption Request” tool to specify if you want to allow exemptions on finding, object or package level.

Can I run remotely ABAP Unit tests?

Yes, you can execute ABAP Unit Tests remotely with the ABAP Test Cockpit if you implement the SAP Note 3037465.

How can I see which objects were included in an ATC mass run?

You can use the expert options Expert->Display Object Keys in the transaction ATC under “Monitor and Control Runs”. The list of object keys will show you all the objects that were checked within an ATC run.

I want to run local ATC checks on my central ATC check system. Is it possible?

Yes, it is possible. You just need to enable local ATC checks for your central ATC check system as per SAP Note 2696969.

Can the same person request and approve an ATC exemption?

No, this is not possible. ATC forces the 4-eyes-principle here.

Can the baseline be managed centrally, e.g. via permissions, so that a local developer cannot deactivate the baseline?

Yes, there is an authorization for it. It is the same as for granting an exemption: S_Q_GOVERN

Our central ATC check system is on the SAP NetWeaver AS ABAP 7.52 (SAP_BASIS 7.52) release. Is it possible to use it to check an SAP S/4HANA system?

No, you need to upgrade it. The central ATC check system must be always on the higher release as the checked system.

In which environments: development, test or productive SAP recommends to execute ATC runs?

Local ATC runs should be executed by developers on the development systems over their individual developments. Development teams can additionally schedule periodic mass ATC runs on development systems.  Central ATC mass runs should be scheduled in the consolidation or test systems by quality experts. ATC runs should never be executed in productive environments.

ATC and ABAP Development Tools (ADT)


Can the ATC messages be displayed automatically in Eclipse as e.g. compiler messages?

No, there is currently no automatic check by the ATC.

 
147 Comments
Labels in this area