Security Checks for ABAP CVA - Read on sensitive database tables
When I execute ATC (ABAP Test Cockpit) code checks with the CVA (Code Vulnerability Analysis) check variant, I see the following CVA finding: Security Checks for ABAP (CVA), Read on sensitive database tables.
In the message detail, the tables MARA, MVKE, MARC and MARD are listed as sensitive database tables that the program reads, with the following messages:
Security Checks for ABAP (CVA)
Read on sensitive database tables
Read access (SELECT) to database table MARA
Read access (SELECT) to database table MVKE
Read access (SELECT) to database table MARC
Read access (SELECT) to database table MARD
Clicking on one of the messages navigated me to the following ABAP SELECT statement:
select
    mvke~vkorg, " Sales Organization
    mvke~vtweg, " Distribution Channel
    mara~matnr, " Material Number
    mvke~vmsta, " Distribution-chain-specific material status
    marc~trame, " Stock in Transit
    mard~labst, " Valuated Unrestricted-Use Stock
    mard~insme, " Stock in Quality Inspection
    mard~speme, " Blocked Stock
    mard~retme  " Blocked Stock Returns
  into table @data(lt_data)
  from mara as mara
  inner join mvke as mvke
    on mara~matnr = mvke~matnr
  inner join marc as marc
    on mara~matnr = marc~matnr
  inner join mard as mard
    on marc~matnr = mard~matnr and
       marc~werks = mard~werks
  where mara~matnr = 'HB510ABR0' and
        mvke~vkorg = @lv_vkorg and
        mvke~vtweg = @lv_vtweg and
        marc~werks = '1321'.
I converted the above SELECT statement into a parametrized CDS view and added the CDS access control annotation @AccessControl.authorizationCheck: #CHECK to it (this is an access control annotation, not an OData annotation), in the following form:
@AbapCatalog.sqlViewName: '/KODYAZ/SOMMAT_V'
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: '/KODYAZ/SOM_INFO_MAT_CDS'
define view /KODYAZ/SOM_INFO_MAT_CDS
  with parameters
    p_matnr : matnr,
    p_vkorg : vkorg,
    p_vtweg : vtweg,
    p_werks : werks_d,
    p_spras : spras
  as select
    mvke.vkorg,  -- Sales Organization
    mvke.vtweg,  -- Distribution Channel
    mara.matnr,  -- Material Number
    mvke.vmsta,  -- Distribution-chain-specific material status
    marc.trame,  -- Stock in Transit
    mard.labst,  -- Valuated Unrestricted-Use Stock
    mard.insme,  -- Stock in Quality Inspection
    mard.speme,  -- Blocked Stock
    mard.retme,  -- Blocked Stock Returns
    makt.maktx,  -- Material Description
    tvmst.vmstb, -- Material distribution status text
    mvke.mvgr3,  -- Material group 3
    tvm3t.bezei, -- Material group 3 text
    lfa1.name1   -- Manufacturer name (via MARA-MFRNR)
  from mara
  inner join mvke
    on mvke.matnr = mara.matnr
  inner join marc as marc
    on marc.matnr = mara.matnr and
       marc.werks = :p_werks
  inner join mard as mard
    on mard.matnr = marc.matnr and
       mard.werks = marc.werks
  left outer join makt
    on makt.matnr = mara.matnr and
       makt.spras = :p_spras
  left outer join tvmst
    on tvmst.vmsta = mvke.vmsta and
       tvmst.spras = :p_spras
  left outer join tvm3t
    on tvm3t.mvgr3 = mvke.mvgr3 and
       tvm3t.spras = :p_spras
  left outer join lfa1
    on lfa1.lifnr = mara.mfrnr
  where mara.matnr = :p_matnr and
        mvke.vkorg = :p_vkorg and
        mvke.vtweg = :p_vtweg
Then I modified the original ABAP program, replacing the flagged SELECT statement with a SELECT from the parametrized CDS view:
select * into table @data(lt_data)
  from /kodyaz/som_info_mat_cds(
         p_matnr = @lv_matnr,
         p_vkorg = @lv_vkorg,
         p_vtweg = @lv_vtweg,
         p_werks = @lv_werks,
         p_spras = @sy-langu ).
After replacing the Open SQL SELECT in the ABAP code with the SELECT from the parametrized CDS view, the Security Checks for ABAP (CVA) findings about Read on sensitive database tables disappeared. Note that the finding disappears because the program no longer reads MARA, MVKE, MARC and MARD directly; #CHECK by itself only restricts the returned rows if an access control (DCL) object exists for the view. If no DCL object is defined, the view is activated with a warning and returns all rows to every user, so the access control definition is the part that actually protects the sensitive data.
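To make the #CHECK annotation effective, an access control object has to be defined for the view. The following DCL role is an added example and is not part of the original post or the author's code. It assumes the standard material master authorization object M_MATE_VKO (Material Master: Sales Organization/Distribution Channel, fields ACTVT, VKORG and VTWEG) and a hypothetical DCL object name /KODYAZ/SOM_INFO_MAT_DCL; adjust both to your system. The condition references only vkorg and vtweg, because these are the sales-area fields the view exposes.

```abap
@EndUserText.label: 'Access control for /KODYAZ/SOM_INFO_MAT_CDS'
@MappingRole: true
define role /KODYAZ/SOM_INFO_MAT_DCL {
  -- Rows of the view are returned only for sales areas (VKORG/VTWEG)
  -- for which the current user holds M_MATE_VKO with activity 03 (display).
  -- M_MATE_VKO and the role name are assumptions for this example.
  grant select on /KODYAZ/SOM_INFO_MAT_CDS
    where ( vkorg, vtweg ) = aspect pfcg_auth( M_MATE_VKO, VKORG, VTWEG, ACTVT = '03' );
}
```

With this role active, the SELECT in the ABAP program returns no rows (sy-subrc = 4) for a sales area the user is not authorized for, instead of the full material data, so the calling code should handle the empty result rather than treat it as a missing material. The stock columns from MARC and MARD are plant-level data; to guard them with a plant authorization (for example M_MATE_WRK on WERKS), marc.werks would have to be exposed as an element of the view so that a second condition in the role can reference it. To verify the access control, run the program once with a user who holds the authorization and once with a user who does not, and compare the row counts; the CVA result alone does not tell you whether the DCL is in place.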