The new public enemy number one: static code analysis
Static ABAP code analysis can be a real asset. It depends on the specific checks being performed. Personally, I’ve had very good experiences with the standard versions of the ABAP Test Cockpit (ATC) in the past.
However, I’ve also seen custom ATC check rules and third-party code analysis tools that could really ruin your workday. It’s understandable that such ATC versions and third-party tools don’t have many fans.
Nevertheless, I wouldn’t go so far as to try to circumvent static code analysis. But that’s exactly what I saw recently in a code review: a rather solitary decision by an ABAP developer, made without any professional justification, so one was almost forced to assume that it fell into the category of “not wanting to do it properly”.
I’m sure there’s a better way. If you’re not happy with the result of a code analysis, here are a few suggestions on how to deal with it.
Let’s start with the suggestions if the check result is correct and therefore a code adjustment is necessary:
Here are the suggestions if the check result is incorrect and therefore no code adjustment is necessary:
These are just a few suggestions, quickly jotted down. Perhaps someone else has another suggestion?
Thank you for reading. If you enjoyed the post, please leave a like, comment, or share the article with your community. Thanks in advance.
Michael
Don’t blindly rely on SAST results, but combine them with manual reviews and testing. KPIs based on SAST results alone can lead to wrong incentives towards creating things that “look” good but aren’t.
Make the SAST tool you’re using an integral part of the toolchain. Integrate it into quality gates, and adjust and expand the rulesets to address the specific challenges in your environment.
You can advance “heavily” by using an objective static code analysis tool like CAST Highlight. But of course you need to mature and document your way of ABAP coding, with standards like a handbook and ongoing checks.
Option 4: Request exemptions. Edge cases exist. And if properly set up, ATC can also be a great tool to enforce a targeted review and approval - e.g. to have a senior dev approve the use of dynamic SQL.
It might sound obvious, but it starts by documenting your coding standards, check rules, styling and linting rules in a central location. “If you want to work here, this is how we do things.” Then at regular intervals you can - should - revisit the document and adjust as necessary. It comes in handy, too, when you hire help.