How to scan ABAP source code
Scanning whole ABAP source codes in an SAP system can be beneficial to gather different kind of information.
For example :
- For detecting hard coded values in ABAP source codes
- For detecting security vulnerabilities in ABAP level
- To get a list of external RFC calls used in custom (Z) developments
In this blog I’m going to share some coding details about scanning ABAP codes.
Basic : Reading an ABAP source code
We can get source code of an ABAP include by using ABAP command “READ REPORT”.
Below is a simple report :
To get ABAP source code of this report, we can use “READ REPORT” command as below :
"READ REPORT" ABAP command fills lines of internal table “gt_source” with source code of the ABAP report “ZTEST”.
By this, we only have source code as a pure string table without any interpretation about code logic.
Yet, if we need a simple ABAP source code scanner to search some specific texts,
we can get a list of custom reports from SAP view TRDIR and read their ABAP source codes by “READ REPORT” command one by one .. then we can make simple text searches in code.
SAP standard program “RS_ABAP_SOURCE_SCAN” is already doing this search , you can refer to it as an example.
So what about interpreting the ABAP code ? Let’s go in more details.
Interpreting ABAP Code
Long years ago, when I was first trying to code an SAP security scanner tool,
I spent time on “SAP Code Inspector” tool and tried to understand how it analyses the ABAP code and make detections.
Below are some important concepts to know before we go further :
Tokenization : Means parsing an ABAP code from a pure string to meaningful structures.
- Statement : Every ABAP command that we finish with a period
- Token : Every word in ABAP statement is a token .. doesn’t matter whether it’s an ABAP keyword, literal or else like a variable name
- Structure : Some statements are bound to each other .. for example an ABAP LOOP statement ends with an ENDLOOP statement somewhere in the code , so they both presents a structure
So imagine an ABAP code part as below :
And let’s put the concepts on it :
You can parse string to get these structures by yourself after getting code by READ REPORT command, or you can use existing classes in SAP code inspector to make it simpler. Check out standard class “CL_CI_SCAN” for this. ( It basically uses SCAN ABAP-SOURCE command under the hood. )
So by using this logic and information, how to code an ABAP interpreter ?
After tokenizing the code as above, second step should be analyzing the command or statements you are interested in. Interpretation depends on what you are trying to detect.
Let’s continue with an example scenario as below.
Let’s code an ABAP scanner which detects SELECT commands used with “*” to read all the database table fields.
Steps should be like below :
1. Tokenize the code
2. Loop on all the statements and detect SELECT commands
3. Parse SELECT commands and find the ones used with star “*”
Imagine an small ABAP program as below :
Second SELECT statement to read VBAP table is used with a star “*”, we are trying to detect these SELECT statements.
And let’s code the scanner it in ABAP :
( I’m sharing code as images to make it more understandable, but if you request I can also share code as text )
Tokenize ABAP Code
On report code below , parameter “p_prog” will be an existing ABAP program name in system.
And let’s run it for the program “ZTEST” above and display the object “gr_scan” in debugger, “statements” and “tokens” tables are visible on this object :
Let’s display “tokens” table :
And display “statements” table noticing “from” and “to” fields :
“from” and “to” fields in “statements” table shows the index in “tokens” table for every statement.
Find SELECT statements and check if it uses “*” :
Basically “statements” table keeps every command in the selected ABAP program, and we can access every token in a statement by using from / to fields on “tokens” table.
To decide whether a statement is a SELECT or not, we can just check the first token.
Also by checking second token we can see if SELECT is used by a star ( * ) .
Remaining part of the scanner code is below :
Basically it’s that simple to scan ABAP codes , but real hard part starts when you start coding an analyzer to detect different phenomenons. Example above is only scanning one type of command (SELECT) , and it’s not related to any other command in the code.
Let’s imagine a scanner which detects SELECT commands under LOOPs , and don’t forget that SELECTs can be under subroutine calls like PERFORM , METHOD call or a MACRO call.
To detect that complicated states, it requires more detailed classes , logic and off course test cases.
I’ll try to write a blog about modeling a complex class like that as well in my further blogs.Thanks reading !
Author : Bulent BALCI
( It’s a cross posted blog – Click to read this blog on blogs.sap.com )