Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

ABAP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your ABAP code

Tags

Impact

Clean code attribute

"SY-SUBRC" should be checked after an "AUTHORITY-CHECK" statement
Vulnerability
SQL "UPDATE dbtab SET ..." statements should have a "WHERE" clause
Bug
"DELETE FROM dbtab" statements should have a "WHERE" clause
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Having dynamic clauses for SQL "SELECT" statements is security-sensitive
Security Hotspot
Keywords should not be used as variable names
Code Smell
Internal source code processing statements should not be used
Code Smell
Authorization checks should not rely on hardcoded user properties
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
"WHEN OTHERS" clauses should be last
Code Smell
Cognitive Complexity of functions should not be too high
Code Smell
"LIKE" clauses should not be used without wildcards
Code Smell
"CX_ROOT" should not be caught
Code Smell
"SY-SUBRC" should be tested after each statement setting it.
Code Smell
Control flow statements "IF", "CASE", "DO", "LOOP", "SELECT", "WHILE" and "PROVIDE" should not be nested too deeply
Code Smell
"CASE" statements should have "WHEN OTHERS" clauses
Code Smell
String literals should not be duplicated
Code Smell
All branches in a conditional structure should not have exactly the same implementation
Bug
"WHERE" clause conditions should not be contradictory
Bug
Related "if/else if" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
An internal table should be sorted before duplicates are deleted
Bug
Variables should not be self-assigned
Bug
Using shell interpreter when executing OS commands is security-sensitive
Security Hotspot
Having SQL "SELECT" statements without "WHERE" conditions is security-sensitive
Security Hotspot
Standard tables should be searched using "BINARY SEARCH"
Code Smell
"JOIN" should be used instead of nested "SELECT" statements
Code Smell
"SELECT INTO TABLE" should be used
Code Smell
"EXIT" and "CHECK" statements should not be used in "SELECT" loops
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
SQL "LIKE" clauses should not start with wildcard characters
Code Smell
"SORTED" or "HASHED" internal tables should be accessed with a key
Code Smell
A SQL "SELECT" statement should not involve too many tables
Code Smell
"DATA" variable names should comply with a naming convention
Code Smell
Function names should comply with a naming convention
Code Smell
"REFRESH itab FROM TABLE" should not be used
Code Smell
"%_HINTS" should not be used
Code Smell
System C functions should not be used
Code Smell
Native SQL should not be statically embedded
Code Smell
To "SELECT", "INSERT" or "DELETE" several lines in databases, internal tables should be used in place of loop control structure
Code Smell
SQL "DISTINCT" operator should not be used to prevent bypassing the SAP buffering
Code Smell
Columns to be read with a "SELECT" statement should be clearly defined
Code Smell
Subqueries and "JOIN" clauses should not be used
Code Smell
"REFRESH itab" should not be used
Code Smell
"SYSTEM-CALL" statement should not be used
Code Smell
"DATA BEGIN OF OCCURS" should not be used
Code Smell
Sections of code should not be commented out
Code Smell
Subroutine parameters should be passed by reference rather than by value
Code Smell
SQL EXISTS subqueries should not be used
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Mergeable "if" statements should be combined
Code Smell
"BREAK-POINT" statement should not be used in production
Vulnerability
SQL "BYPASSING BUFFER" clause should not be used
Bug
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Jump statements should not be redundant
Code Smell
Unnecessary chain syntax should not be used
Code Smell
Report names should comply with a naming convention
Code Smell
Macro names should comply with a naming convention
Code Smell
SQL aggregate functions should not be used to prevent bypassing the SAP buffer
Code Smell
Unused local variables should be removed
Code Smell
Loops should not contain more than a single "CONTINUE", "EXIT", "CHECK" statement
Code Smell
"CASE statements should have at least 3 "WHEN" clauses
Code Smell
Interface names should comply with a naming convention
Code Smell
Class names should comply with a naming convention
Code Smell
Method names should comply with a naming convention
Code Smell
Using "CALL TRANSACTION" statements without an authority check is security-sensitive
Security Hotspot
"NOT IN" should not be used
Code Smell
Cyclomatic Complexity of functions should not be too high
Code Smell
Cyclomatic Complexity of methods should not be too high
Code Smell
Cyclomatic Complexity of classes should not be too high
Code Smell
"IF ... ELSEIF" constructs should end with "ELSE" clauses
Code Smell
Expressions should not be too complex
Code Smell
Empty driver tables should not be used in a "SELECT/FOR ALL ENTRIES" clause
Bug
Sort fields should be provided for an internal table sort
Bug
Operational statements should not be chained
Bug
Duplications in driver tables should deleted before the tables are used
Code Smell
Mass operations should be used with internal tables instead of loops
Code Smell
"FORM... ENDFORM" and "PERFORM" should not be used
Code Smell
Macros should be documented
Code Smell
Functions should be documented
Code Smell
Forms should be documented
Code Smell
Classes should be documented
Code Smell
The "LIKE" operator should be used very carefully in SQL "WHERE" condition
Code Smell
Statements should be on separate lines
Code Smell
Magic numbers should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
"CATCH" clauses should not be empty
Vulnerability
Open SQL "SELECT" statements should have an "ORDER BY" clause
Bug
Asterisks should be used for headers and to comment out code
Code Smell
Form names should comply with a naming convention
Code Smell
Tabulation characters should not be used
Code Smell

"SY-SUBRC" should be checked after an "AUTHORITY-CHECK" statement

intentionality - complete

security

Vulnerability

BlockerSonarSource default severity
click to learn more

Why is this an issue?

Every AUTHORITY-CHECK statement sets the fields SY-SUBRC (also accessible as SYST-SUBRC) to the authorization check result. Thus SY-SUBRC value should be checked just after every AUTHORITY-CHECK statement.

Noncompliant code example

AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Noncompliant
    ID 'ID1' FIELD myvalue.

Compliant solution

AUTHORITY-CHECK OBJECT 'S_MYOBJ'  "Compliant
    ID 'ID1' FIELD myvalue.

  IF sy-subrc <> 0.
    MESSAGE 'NOT AUTHORIZED' TYPE 'E'.
  ENDIF.

Exceptions

No issue will be raised in the following cases:

One or more WRITE operation are performed between the AUTHORITY-CHECK statement and SY-SUBRC check. An exception will be however raised if the WRITE operation is a WRITE ... TO statement, as this will set again SY-SUBRC.
SY-SUBRC's value is assigned to a variable. We then assume that it will be checked later.

AUTHORITY-CHECK OBJECT 'S_MYOBJ'  "Compliant
    ID 'ID1' FIELD myvalue.
WRITE 'Test' " WRITE is accepted before checking SY-SUBRC
IF SY-SUBRC <> 0.
    EXIT.
ENDIF.

AUTHORITY-CHECK OBJECT 'S_MYOBJ'  "Compliant
    ID 'ID1' FIELD myvalue.
Tmp = SY-SUBRC " Assigning SY-SUBRC value to a variable. We assume that it will be checked later.
IF Tmp <> 0.
    EXIT.
ENDIF.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted