ABAP CVA Checks: Write on sensitive database tables
A regular ATC check showed me an ABAP CVA (Code Vulnerability Analysis) finding, Write on sensitive database tables, where the sensitive SAP database table mentioned is USR05, the User Master Parameter table. In the ABAP code I was modifying the SAP table record using the OpenSQL UPDATE command or adding a new row to the USR05 table using the OpenSQL INSERT command.
Here are the details of the ATC (ABAP Test Cockpit) finding complaining about updating the USR05 table (User Master Parameter ID) or writing a new record to this sensitive database table.
Security Checks for ABAP (CVA)
Write on sensitive database tables
Write access (INSERT) to database table USR05
The ABAP code block where I update existing data or insert a new user parameter to the SAP database table USR05 is as follows:
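DATA lv_param TYPE FLAG VALUE 'X'.
DATA lwa_usr05 TYPE usr05. " work area for the new row

" Direct OpenSQL write to USR05: this is what the CVA check reports
UPDATE usr05 " User Master Parameter
  SET parva = p_nohint
  WHERE bname = sy-uname
  AND parid = 'Z_USR_PARAM01'.
IF sy-subrc = 4.
  " No row exists yet for this user and parameter ID, so insert one
  lwa_usr05-bname = sy-uname.
  lwa_usr05-parid = 'Z_USR_PARAM01'.
  lwa_usr05-parva = p_nohint.
  INSERT INTO usr05 VALUES lwa_usr05.
ENDIF.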
It is better to modify such sensitive database tables using an appropriate function module or ABAP class instead of directly executing OpenSQL UPDATE or INSERT commands in ABAP code.
I found the solution for using an ABAP function module to update user parameters in the SAP table USR05 in the tutorial Set User Parameter in SAP using ABAP Function Module:
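data lv_value type xuvalue.
lv_value = p_nohint.

" Let the function module write the user parameter instead of OpenSQL
call function 'CACS_SET_USER_PARAMETER'
  exporting
    i_uname = sy-uname
    i_parid = 'Z_USR_PARAM01'
    i_value = lv_value
  exceptions
    write_error = 1
    others      = 2.
if sy-subrc <> 0.
  " The parameter was not saved; handle the error here
endif.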
The code above shows how I converted the previous ABAP code block flagged by CVA into a better version, at least according to the ABAP CVA (Code Vulnerability Analysis) checking tool.
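To catch the same pattern before code reaches ATC, for example in exported ABAP source files, here is an added example (not from the original post and not how SAP's CVA works internally): a small Python text scan that reports static OpenSQL writes to a watchlist of tables. The watchlist, the function names and the sample source are assumptions made for this illustration; dynamic table names such as `(lv_tab)` and chained statements are not covered.

```python
import re

# Assumed watchlist for this example; the post only names USR05.
SENSITIVE_TABLES = {"USR05"}

# First operand of an OpenSQL write: INSERT [INTO] t, UPDATE t, MODIFY t, DELETE [FROM] t
WRITE_RE = re.compile(
    r"^(INSERT|UPDATE|MODIFY|DELETE)\s+(?:(?:INTO|FROM)\s+)?([\w/]+)", re.IGNORECASE)

def statements(source):
    """Yield (start_line, text) per ABAP statement, comments and literals removed."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):           # full-line comment (asterisk in column 1)
            continue
        in_lit = False                     # text literals do not span lines
        for ch in line:
            if ch == "'":
                in_lit = not in_lit
            elif in_lit:
                continue                   # drop literal content, including '.' and '"'
            elif ch == '"':
                break                      # inline comment runs to end of line
            elif ch == ".":                # statement terminator
                if start is not None:
                    yield start, " ".join("".join(buf).split())
                buf, start = [], None
            else:
                if start is None and not ch.isspace():
                    start = no
                buf.append(ch)
        buf.append(" ")                    # a line break separates tokens

def find_sensitive_writes(source, tables=SENSITIVE_TABLES):
    """Return (line, statement keyword, table) for each write to a watched table."""
    findings = []
    for line_no, stmt in statements(source):
        m = WRITE_RE.match(stmt)
        if m and m.group(2).upper() in tables:
            findings.append((line_no, m.group(1).upper(), m.group(2).upper()))
    return findings

# Constructed sample, modelled on the two snippets in the post.
SAMPLE = """\
* UPDATE usr05 SET parva = 'old'.   (commented out, must be ignored)
UPDATE usr05 " User Master Parameter
  SET parva = p_nohint
  WHERE bname = sy-uname
  AND parid = 'Z_USR_PARAM01'.
IF sy-subrc = 4.
  INSERT INTO usr05 VALUES lwa_usr05.
ENDIF.
INSERT lwa_usr05 INTO TABLE lt_params.
CALL FUNCTION 'CACS_SET_USER_PARAMETER' EXPORTING i_uname = sy-uname.
"""

if __name__ == "__main__":
    for finding in find_sensitive_writes(SAMPLE):
        print(finding)
```

The internal-table insert and the function module call in the sample are not reported; only the two direct writes to USR05 are.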