In the previous blog we have explained to run a validation of ABAP security notes against your systems using Focused Run configuration and security validation.
Questions that will be answered in this blog are:
- How can I quickly run an entire year of security OSS notes versus my systems?
SAP github with security policy source files
SAP publishes files for the ABAP security notes each month on the SAP Focused Run Best Practices GitHub:
Here the policy files for the ABAP security notes are stored per year and per month.
Not all security notes for ABAP stack are in these files: only the ABAP notes which can be applied via SNOTE. Security notes for ABAP stacks which require parameter changes or patches are not part of this check!
For convenience I have collected the files per year.
These files are for convenience. It can be I made a mistake in assembling them.
Uploading the files
Goto the Configuration validation policy maintenance FIORI tile:
Create new policy and copy paste the text from the file:
Do this by choosing Edit and copy and paste the text in the editing section:
Now Save the policy. Check the XML. Generate the policy and check it by pressing Test Policy. Note that these are large files with many checks, so the testing can take some time. Run can be done via the Validate button or by following the instructions below.
Running the Security notes checks against the connected systems
To run the checks, goto the Configuration and Security Analytics FIORI tile:
Select the policy file to run:
Now be patient until the results are ready.
Make sure you expand the amount of columns.
If an ABAP notes is not applied it does not mean your system is not safe. You have define for which CVSS score and which systems you want to apply the security OSS notes, within which timeframe.
More on CVSS score see OSS note 2463332 – Security Note CVSS vector computation – SAP Solution Manager 7.1 and 7.2 and this SAP blog explaining the CVSS scoring in general.