
ABAP CVA Checks: Write on sensitive database tables


A regular ATC check showed me an ABAP CVA (Code Vulnerability Analysis) finding "Write on sensitive database tables", where the sensitive SAP database table mentioned is USR05, the User Master Parameter table. In the ABAP code I was modifying an existing SAP table record with the OpenSQL UPDATE command or adding a new row to the USR05 table with the OpenSQL INSERT command.

Here are the details of the ATC (ABAP Test Cockpit) finding complaining about the update of the USR05 table (User Master Parameter ID) or the writing of a new record to this sensitive database table.

Security Checks for ABAP (CVA)
Write on sensitive database tables
Write access (INSERT) to database table USR05

ATC Check: Write on sensitive database tables USR05

The ABAP code block where I update existing data or insert a new user parameter to the SAP database table USR05 is as follows:

DATA lv_param TYPE flag VALUE 'X'.
DATA lwa_usr05 TYPE usr05.  " work area for the INSERT below (declaration added)
" p_nohint is a selection-screen parameter holding the new parameter value
UPDATE usr05 " User Master Parameter
  SET parva = p_nohint
  WHERE bname = sy-uname
    AND parid = 'Z_USR_PARAM01'.
IF sy-subrc = 4.
  " no existing row for this user and parameter ID: insert a new one
  lwa_usr05-bname = sy-uname.
  lwa_usr05-parid = 'Z_USR_PARAM01'.
  lwa_usr05-parva = p_nohint.
  INSERT INTO usr05 VALUES lwa_usr05.
ENDIF.

It is better to modify such sensitive database tables through an appropriate function module or ABAP class instead of executing OpenSQL UPDATE or INSERT commands directly in ABAP code: the standard write path is the one that applies the intended authorization checks and logging, and a direct OpenSQL write bypasses it.

I found the solution for using an ABAP function module to update user parameters in the SAP table USR05 in the tutorial Set User Parameter in SAP using ABAP Function Module

DATA lv_value TYPE xuvalue.
lv_value = p_nohint.
" write the user parameter through the standard function module
" instead of an OpenSQL UPDATE/INSERT on USR05
CALL FUNCTION 'CACS_SET_USER_PARAMETER'
  EXPORTING
    i_uname     = sy-uname
    i_parid     = 'Z_USR_PARAM01'
    i_value     = lv_value
  EXCEPTIONS
    write_error = 1
    OTHERS      = 2.
IF sy-subrc <> 0.
  " do not ignore a failed write to user master data
  MESSAGE 'User parameter could not be set' TYPE 'E'.
ENDIF.

The code above shows how I converted the previous CVA-problematic ABAP code block into a better version, at least according to the ABAP CVA (Code Vulnerability Analysis) checking tool.
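To go one step further than a bare function module call, the write can be funnelled through a small wrapper class, so that every user-parameter update in a custom development passes the same checks. The following is an added example and not code from the original post: the class name ZCL_USER_PARAM_WRITER, the exception class ZCX_USER_PARAM_WRITE and the allow-list of parameter IDs are assumptions; CACS_SET_USER_PARAMETER and its exceptions are the ones used above. The wrapper only ever writes parameters of the logged-on user, refuses parameter IDs that are not on its allow-list, and converts the function module's return code into a class-based exception so a caller cannot silently ignore a failed write.

```abap
" Added example (not part of the original post): wrapper class that routes
" every user-parameter write through the standard function module.
" ZCL_USER_PARAM_WRITER, ZCX_USER_PARAM_WRITE and the allow-list are assumptions.

CLASS zcx_user_param_write DEFINITION
  INHERITING FROM cx_static_check.
ENDCLASS.

CLASS zcl_user_param_writer DEFINITION FINAL.
  PUBLIC SECTION.
    " Only parameter IDs from this customer-namespace list may be written
    CONSTANTS: BEGIN OF gc_allowed,
                 nohint TYPE memoryid VALUE 'Z_USR_PARAM01',
               END OF gc_allowed.

    " Sets a parameter of the logged-on user; never takes a user name from the caller
    CLASS-METHODS set_own_parameter
      IMPORTING iv_parid TYPE memoryid
                iv_value TYPE xuvalue
      RAISING   zcx_user_param_write.
ENDCLASS.

CLASS zcl_user_param_writer IMPLEMENTATION.
  METHOD set_own_parameter.
    " Reject any parameter ID that is not on the allow-list
    IF iv_parid <> gc_allowed-nohint.
      RAISE EXCEPTION TYPE zcx_user_param_write.
    ENDIF.

    " Write through the standard function module rather than OpenSQL on USR05;
    " the target user is always sy-uname, the logged-on user
    CALL FUNCTION 'CACS_SET_USER_PARAMETER'
      EXPORTING
        i_uname     = sy-uname
        i_parid     = iv_parid
        i_value     = iv_value
      EXCEPTIONS
        write_error = 1
        OTHERS      = 2.
    IF sy-subrc <> 0.
      " A failed write to user master data must surface to the caller
      RAISE EXCEPTION TYPE zcx_user_param_write.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" Usage in a report (p_nohint assumed to be a selection-screen parameter):
"   TRY.
"       zcl_user_param_writer=>set_own_parameter(
"         iv_parid = zcl_user_param_writer=>gc_allowed-nohint
"         iv_value = CONV xuvalue( p_nohint ) ).
"     CATCH zcx_user_param_write.
"       MESSAGE 'User parameter could not be set' TYPE 'E'.
"   ENDTRY.
```

Because the wrapper contains no OpenSQL statement on USR05, the CVA check "Write on sensitive database tables" has nothing to flag in the calling code, and the two conditions a reviewer would otherwise have to verify at every call site (own user only, known parameter ID only) are enforced in one place.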





Copyright © 2004 - 2021 Eralper YILMAZ. All rights reserved.