RedRays ABAP Code Analyzer: Open-Source Security Scanner for SAP ABAP

by · Published · Updated

The ABAP Code Scanner is a powerful tool designed to analyze ABAP (Advanced Business Application Programming) code for potential security vulnerabilities, code quality issues, and best practice violations. This provides a flexible and extensible way to scan ABAP code and generate comprehensive reports on various aspects of code security and quality.

Code Scanner

Features

  • Multiple security checks including:
    • Cross-Site Scripting (XSS) vulnerabilities
    • Directory Traversal vulnerabilities
    • Hardcoded credentials
    • Weak cryptographic algorithms
    • And many more…
  • Customizable and extensible architecture
  • Command-line interface for easy integration into CI/CD pipelines
  • Detailed reporting in XLSX format
  • Configurable scan settings

Upcoming Feature: Dataflow Analysis

We are excited mdto announce that we are working on implementing a dataflow analysis feature. This enhancement will significantly improve the accuracy and depth of our security scans.

What is Dataflow Analysis?

Dataflow analysis is a technique used to track how data moves through an application. In the context of security, it helps identify how potentially tainted data (e.g., user inputs) propagates through the system and whether it reaches sensitive sinks (e.g., database queries, output functions) without proper sanitization.

Planned Functionality

Our dataflow analysis will:

  • Track parameters and their contents from the beginning of functions, reports, forms, includes, or other ABAP structures.
  • Follow the data as it flows through the code, monitoring transformations and assignments.
  • Identify potential injection points where tainted data might be used unsafely.
  • Provide more accurate and context-aware vulnerability detection.

This feature will enable the to:

  • Reduce false positives by understanding the context and transformations of data.
  • Detect complex vulnerabilities that simple pattern matching might miss.
  • Offer more detailed and actionable reports on potential security issues.

Report

When the program finishes successfully, you will find the abap_security_scan_report.xlsx file in the project folder. Below, you can see an example of the report file.

Install & Use

Tags: