Info | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Contents:
Related pages:
|
Welcome to SAP Extractor for Kiuwan (SAPEX)
Info |
---|
To analyze ABAP code in Kiuwan, source code and information from SAP system need to be exported previously to be analyzed by Kiuwan. Kiuwan SAP Extractor (SAPEX) performs these tasks.
NOTE: SAPEX is expected to run in any SAP NetWeaver 7.2+ platform. Contact Kiuwan Technical Support Kiuwan Support for previous platform versions. |
How it works
When SAPEX components (programs, function modules, support classes, OS commands) are installed on the target SAP system, the user may perform the following operations:
- Extract source code
- Either by running a program within SAP server (
ZKW_SAPEX_CODE
) , or remotely (using thesapexCode.xml
script), extracted code can be analyzed with Kiuwan Local Analyzer. - The code elements to extract could be based on transport requests / tasks, packages, and the type and name of the element (programs, function modules, classes, web dynpro components, etc.)
- Either by running a program within SAP server (
- Extract system information ("metadata")
- Metadata are used by Kiuwan rules to search for defects and vulnerabilities
- For example, to ensure that authorization is performed properly, information about authorization objects and authorization groups (extracted from TOBJ and TDDAT tables) is used by many security checks in Kiuwan.
- Metadata extraction could be performed either by running a program within SAP Server (
ZKW_SAPEX_METADATA
) , or remotely (using thesapexMetadata.xml
script).
Perform analysis on extracted source code
Within a SAP system with Kiuwan Local Analyzer deployed, by running the
ZKW_ANALYSIS
program. It offers the possibility for extracting source code before analysis.
Add automated audits before releasing changes
SAP's Change and Transport System (CTS) may register an implementation for the CTS_REQUEST_CHECK 'classic' BAdI.
Source code extraction, analysis and evaluation of audit checkpoints may be performed before accepting (or rejecting) the release of a change request / task, according to organizational quality and security standards.
Introduction
...