SAP Custom Code Analysis
Find Quality, Security and Compliance Issues in ABAP, SAPUI5 (Fiori), XSJS and SQLScript
How Onapsis Code Analysis Works
Onapsis code analysis is driven by an extensive set of test cases that Onapsis has built up over many years of customer projects: a database of patterns for insecure coding, poor quality and slow code. The test cases fall into six domains, so that code is checked from every angle and your applications stay secure, compliant and available. Some typical findings by domain:
Security
- Cross-site scripting, SQL injections, missing authority checks, insecure communication
Compliance
- Hard-coded usernames, cross-client access to business data, direct database
Performance
- Usage of the WAIT command, COMMIT WORK statement inside a loop, WHERE condition that leaves index fields unspecified
Maintainability
- Hard-coded text in WRITE or MESSAGE, hard-coded domain, programs or methods with insufficient comment/code ratio
Robustness
- SELECT without ORDER BY on pooled or cluster tables (the result order changes once the table becomes transparent), hard-coded RFC destinations, missing sy-subrc checks
Data Loss Prevention
- Disclosure of critical DB content, disclosure of source code, disclosure of critical variable content
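To make the security and robustness patterns above concrete, here is an added ABAP illustration (not Onapsis code, and not one of its test cases) that puts the insecure form of three findings next to a remediated form: SQL injection through a dynamic WHERE clause, a missing authority check, and an unevaluated sy-subrc. BKPF and the authorization object F_BKPF_BUK are standard SAP objects; the report name, the Z-prefixed forms and the message class ZZ are assumptions made for the example.

```abap
REPORT z_cca_demo.

* Added illustration, not Onapsis code. Z-prefixed names and message
* class ZZ are assumptions; BKPF and F_BKPF_BUK are standard SAP objects.

PARAMETERS: p_bukrs TYPE bukrs,
            p_field TYPE fieldname,
            p_value TYPE char40 LOWER CASE.

DATA: lt_bkpf TYPE STANDARD TABLE OF bkpf,
      lv_cond TYPE string.

*----------------------------------------------------------------------
* BEFORE: what a scanner flags
*   Security   - SQL injection: p_field and p_value are concatenated into
*                the WHERE clause unchanged, so a value such as
*                  ' OR 1 = 1 OR belnr = '  reads every row
*   Security   - no AUTHORITY-CHECK before reading company-code data
*   Robustness - sy-subrc of the SELECT is never evaluated
*----------------------------------------------------------------------
FORM read_documents_insecure.
  lv_cond = |bukrs = '{ p_bukrs }' AND { p_field } = '{ p_value }'|.
  SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE (lv_cond).
  LOOP AT lt_bkpf INTO DATA(ls_bkpf).
    WRITE: / ls_bkpf-belnr.
  ENDLOOP.
ENDFORM.

*----------------------------------------------------------------------
* AFTER: remediated form
*----------------------------------------------------------------------
FORM read_documents_secure.
  " 1. Check authorization on the company code first and react to it
  "    (ACTVT 03 = display). Message text lives in message class ZZ.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE e001(zz) WITH p_bukrs.
  ENDIF.

  " 2. Let the dynamic part only ever be a syntactically valid column
  "    name, and turn the value into a quoted literal so it cannot act
  "    as SQL syntax. The fixed part is bound as a host variable.
  TRY.
      cl_abap_dyn_prg=>check_column_name( p_field ).
    CATCH cx_abap_invalid_name.
      MESSAGE e002(zz) WITH p_field.
  ENDTRY.
  lv_cond = |{ p_field } = { cl_abap_dyn_prg=>quote( p_value ) }|.

  SELECT * FROM bkpf INTO TABLE @lt_bkpf
    WHERE bukrs = @p_bukrs AND (lv_cond).

  " 3. Evaluate sy-subrc instead of silently processing an empty table.
  IF sy-subrc <> 0.
    MESSAGE s003(zz) WITH p_bukrs.
    RETURN.
  ENDIF.
  LOOP AT lt_bkpf INTO DATA(ls_bkpf).
    WRITE: / ls_bkpf-belnr.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_documents_secure.
```

The point of the remediated form is that user input never reaches the database as free text: the column name is validated by CL_ABAP_DYN_PRG, the value is quoted by it, and the part that does not need to be dynamic is not dynamic at all. A scanner that understands ABAP data flow can tell the two forms apart; a grep for "WHERE (" cannot.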
Every finding carries a criticality rating, an explanation of the issue, its business impact and remediation guidance. That context lets you decide whether to accept the risk and how to prioritize the findings you choose to fix.
Manual code reviews are labor-intensive, error-prone and often miss critical issues. Onapsis addresses this with automated analysis of SAP custom code, so that security, compliance and quality issues are found in the shortest possible time.
- Reduce reliance on manual peer reviews, saving time and manpower
- Find issues earlier when they are easier and less expensive to fix
- Prevent critical issues from reaching production, where they are far costlier to fix and may already be exploitable
- Receive actionable remediation guidance for each issue
- Validate code created by third parties (e.g., contract work)
Building Onapsis Code Analysis Into Your Processes
There are multiple options for implementing Onapsis code analysis into your application development and change management processes. Many customers use a combination of approaches.
“Real-time” Scanning: Find and Fix Vulnerabilities while Coding
- Receive live findings right in the development environment while you are coding
- Onapsis integrates with SAP HANA Studio, Eclipse, SAP Web IDE and the ABAP Workbench
- Developers receive an explanation of the finding, the business risk, and actionable solution, so they can remediate on the spot
Example “real-time” scan results in Eclipse development environment.
Before Release & Export: Prevent Issues from Moving to the Next System
- Automatically scan before code is released to the next system
- Allows you to accept risks or fix issues before deploying to the next system
Example scan results from a scan before release.
Continuous Monitoring of Deployed Code: Protect Code in Production
- Run regular scans of code that has already been deployed to production
- Detect vulnerabilities that nevertheless reach your production environment
- Check legacy code against the latest test cases, vulnerabilities and best practices
Results are shown in The Onapsis Platform or in the CodeProfiler Finding Manager.