Scanning whole ABAP source codes in an SAP® system can be beneficial to gather different kind of information.
For example :
For detecting hard coded values in ABAP source codes
For detecting security vulnerabilities in ABAP level
To get a list of external RFC calls used in custom (Z) developments
Or like we've coded in ABAP Optimizer tool , scanning and further automatically optimizing ABAP performance problems.
In this blog I’m going to share some coding details about scanning ABAP codes.
Basic : Reading an ABAP source code
We can get source code of an ABAP include by using ABAP command “READ REPORT”.
Below is a simple report :
To get ABAP source code of this report, we can use “READ REPORT” command as below :
“READ REPORT” ABAP command fills lines of internal table “gt_source” with source code of the ABAP report “ZTEST”.
By this, we only have source code as a pure string table without any interpretation about code logic.
Yet, if we need a simple ABAP source code scanner to search some specific texts,
we can get a list of custom reports from SAP® view TRDIR and read their ABAP source codes by “READ REPORT” command one by one .. then we can make simple text searches in code.
SAP® standard program “RS_ABAP_SOURCE_SCAN” is already doing this search , you can refer to it as an example.
So what about interpreting the ABAP code ? Let’s go in more details.
Interpreting ABAP Code
Long years ago, when I was first trying to code an SAP® security scanner tool, I spent time on “SAP® Code Inspector” tool and tried to understand how it analyses the ABAP code and make detections.
Below are some important concepts to know before we go further :
Tokenization : Means parsing an ABAP code from a pure string to meaningful structures.
Statement : Every ABAP command that we finish with a period
Token: Every word in ABAP statement is a token .. doesn’t matter whether it’s an ABAP keyword, literal or else like a variable name
Structure : Some statements are bound to each other .. for example an ABAP LOOP statement
ends with an ENDLOOP statement somewhere in the code , so they both presents a structure
So imagine an ABAP code part as below :
And let’s put the concepts on it :
You can parse string to get these structures by yourself after getting code by READ REPORT
command, or you can use existing classes in SAP® code inspector to make it simpler. Check out
“CL_CI_SCAN” for this. ( It basically uses SCAN ABAP-SOURCE command under the hood. )
So by using this logic and information, how to code an ABAP interpreter ?
After tokenizing the code as above, second step should be analyzing the command or statements you are interested in. Interpretation depends on what you are trying to detect.
Let’s continue with an example scenario as below.
Let’s code an ABAP scanner which detects SELECT commands used with “*” to read all the database table fields.
Steps should be like below :
- Tokenize the code
- Loop on all the statements and detect SELECT commands
- Parse SELECT commands and find the ones used with star “*”