Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

ABAP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your ABAP code

Tags

Impact

Clean code attribute

Standard tables should be searched using "BINARY SEARCH"
Code Smell
"SY-SUBRC" should be checked after an "AUTHORITY-CHECK" statement
Vulnerability
Authorization checks should not rely on hardcoded user properties
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using shell interpreter when executing OS commands is security-sensitive
Security Hotspot
"WHEN OTHERS" clauses should be last
Code Smell
All branches in a conditional structure should not have exactly the same implementation
Bug
Cognitive Complexity of functions should not be too high
Code Smell
"LIKE" clauses should not be used without wildcards
Code Smell
"WHERE" clause conditions should not be contradictory
Bug
Jump statements should not be redundant
Code Smell
Using "CALL TRANSACTION" statements without an authority check is security-sensitive
Security Hotspot
"JOIN" should be used instead of nested "SELECT" statements
Code Smell
"SELECT INTO TABLE" should be used
Code Smell
Open SQL "SELECT" statements should have an "ORDER BY" clause
Bug
"EXIT" and "CHECK" statements should not be used in "SELECT" loops
Code Smell
Duplications in driver tables should deleted before the tables are used
Code Smell
Empty driver tables should not be used in a "SELECT/FOR ALL ENTRIES" clause
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
SQL "LIKE" clauses should not start with wildcard characters
Code Smell
Unnecessary chain syntax should not be used
Code Smell
Asterisks should be used for headers and to comment out code
Code Smell
"CX_ROOT" should not be caught
Code Smell
"CATCH" clauses should not be empty
Vulnerability
An internal table should be sorted before duplicates are deleted
Bug
Sort fields should be provided for an internal table sort
Bug
Mass operations should be used with internal tables instead of loops
Code Smell
"SORTED" or "HASHED" internal tables should be accessed with a key
Code Smell
Keywords should not be used as variable names
Code Smell
Operational statements should not be chained
Bug
Variables should not be self-assigned
Bug
"FORM... ENDFORM" and "PERFORM" should not be used
Code Smell
"NOT IN" should not be used
Code Smell
A SQL "SELECT" statement should not involve too many tables
Code Smell
Macros should be documented
Code Smell
Functions should be documented
Code Smell
Forms should be documented
Code Smell
Classes should be documented
Code Smell
"DATA" variable names should comply with a naming convention
Code Smell
Report names should comply with a naming convention
Code Smell
Macro names should comply with a naming convention
Code Smell
Function names should comply with a naming convention
Code Smell
Cyclomatic Complexity of functions should not be too high
Code Smell
"REFRESH itab FROM TABLE" should not be used
Code Smell
"%_HINTS" should not be used
Code Smell
"SY-SUBRC" should be tested after each statement setting it.
Code Smell
Form names should comply with a naming convention
Code Smell
Internal source code processing statements should not be used
Code Smell
System C functions should not be used
Code Smell
Native SQL should not be statically embedded
Code Smell
SQL "BYPASSING BUFFER" clause should not be used
Bug
SQL aggregate functions should not be used to prevent bypassing the SAP buffer
Code Smell
To "SELECT", "INSERT" or "DELETE" several lines in databases, internal tables should be used in place of loop control structure
Code Smell
SQL "DISTINCT" operator should not be used to prevent bypassing the SAP buffering
Code Smell
Columns to be read with a "SELECT" statement should be clearly defined
Code Smell
The "LIKE" operator should be used very carefully in SQL "WHERE" condition
Code Smell
SQL "UPDATE dbtab SET ..." statements should have a "WHERE" clause
Bug
Subqueries and "JOIN" clauses should not be used
Code Smell
Having dynamic clauses for SQL "SELECT" statements is security-sensitive
Security Hotspot
Having SQL "SELECT" statements without "WHERE" conditions is security-sensitive
Security Hotspot
"REFRESH itab" should not be used
Code Smell
"SYSTEM-CALL" statement should not be used
Code Smell
"BREAK-POINT" statement should not be used in production
Vulnerability
"DATA BEGIN OF OCCURS" should not be used
Code Smell
Unused local variables should be removed
Code Smell
Loops should not contain more than a single "CONTINUE", "EXIT", "CHECK" statement
Code Smell
Control flow statements "IF", "CASE", "DO", "LOOP", "SELECT", "WHILE" and "PROVIDE" should not be nested too deeply
Code Smell
Cyclomatic Complexity of methods should not be too high
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Cyclomatic Complexity of classes should not be too high
Code Smell
"CASE" statements should have "WHEN OTHERS" clauses
Code Smell
"CASE statements should have at least 3 "WHEN" clauses
Code Smell
"IF ... ELSEIF" constructs should end with "ELSE" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Subroutine parameters should be passed by reference rather than by value
Code Smell
Statements should be on separate lines
Code Smell
String literals should not be duplicated
Code Smell
Interface names should comply with a naming convention
Code Smell
"DELETE FROM dbtab" statements should have a "WHERE" clause
Bug
SQL EXISTS subqueries should not be used
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Magic numbers should not be used
Code Smell
Nested blocks of code should not be left empty
Code Smell
Expressions should not be too complex
Code Smell
Mergeable "if" statements should be combined
Code Smell
Tabulation characters should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Class names should comply with a naming convention
Code Smell
Method names should comply with a naming convention
Code Smell

Using "CALL TRANSACTION" statements without an authority check is security-sensitive

intentionality - complete

security

Security Hotspot

Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.

This rule raises when a CALL TRANSACTION has no explicit authorization check, i.e. when:

the CALL TRANSACTION statement is not followed by WITH AUTHORITY-CHECK.
the CALL TRANSACTION statement is not following an AUTHORITY-CHECK statement.
the CALL TRANSACTION statement is not following a call to the AUTHORITY_CHECK_TCODE function.

Ask Yourself Whether

the CALL TRANSACTION statement is restricted to the right users.

There is a risk if you answered no to this question.

Recommended Secure Coding Practices

Check current user’s authorization before every CALL TRANSACTION statement. Since ABAP 7.4 this should be done by appending WITH AUTHORITY-CHECK to CALL TRANSACTION statements. In earlier versions the AUTHORITY-CHECK statement or a call to the AUTHORITY_CHECK_TCODE function can be used.

Note that since ABAP 7.4 any CALL TRANSACTION statement not followed by WITH AUTHORITY-CHECK or WITHOUT AUTHORITY-CHECK is obsolete.

Sensitive Code Example

CALL TRANSACTION 'MY_DIALOG'.  " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.

Compliant Solution

AUTHORITY-CHECK OBJECT 'S_DIAGID'
                  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.

CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  exporting
    tcode  = up_fdta
  exceptions
    ok     = 0
    others = 4.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.

CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.

Exceptions

No issue will be raised when CALL TRANSACTION is followed by WITHOUT AUTHORITY-CHECK as it explicitly says that the TRANSACTION does not require an authorization check.

See

OWASP - Top 10 2021 Category A1 - Broken Access Control
OWASP - Top 10 2017 Category A2 - Broken Authentication
CWE - CWE-285 - Improper Authorization
CWE - CWE-862 - Missing Authorization

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted