CVA check for security-services-tools

[danielpreiser]

Hi Frank,

just a question out of curiosity:

Are all the provided reports being checked for vulnerabilities using the Code Vulnerability Analyzer? We implemented some of the SolMan reports and had some findings related to that. I am aware that probably not all checks are of serious attention, but some like "Missing authority check in ABAP report" should be considered. Right?

Thanks in advance for the response!
BR
Daniel

[FrankBuchholz]

Hi Daniel,

Yes, I agree, I should run the CVA on all reports again. Which reports showed findings in your case?

I know that report ZSHOW_GWMON_LOG has a finding about the file name which gets read via OPEN DATASET which is not easy to solve. The log file names are not based on direct user input but on the value of profile parameters, therefore, I ignored that finding so far.

Greetings
Frank