UI-driven or RFC-driven dynamic function module call

If ABAP programmer is calling function modules dynamically using a variable for function module name instead of a static ABAP function module name following CVA security check can be displayed as priority one issue in ATC findings:
UI-driven or RFC-driven dynamic function module call

The variable function module name value could be provided by an entry on user interface. In this case the input function module name can be used for different purposes by wrong users. The input values must be validated by comparing a whilelist of ABAP function modules.

There is a good article posted about CVA findings which is suggesting use of cl_abap_dyn_prg=>check_whitelist_str() class method to check whether the function module name exposed in variable is a whitelisted function module name or not.

In fact if you follow the official help documentation displayed available at CVA error details, ABAP developers can find more details about the procedure to secure the dynamic function module call.

Click on the ATC check message UI-driven or RFC-driven dynamic function module call for procedure to clear CVA security threat

Check Title: Security Checks for ABAP (CVA)
Check Message: UI-driven or RFC-driven dynamic function module call
Priority 1
Variable LV_FM can be used externally to control dynamic function module calls.
Risk of attacks through the user interface.
Invalid sanitization: Whitelist is identical to the value being checked.
Cannot be suppressed using a pragma or pseudo-comment

Assume that you have a function module name read from a structure field.
Pass the dynamic function module name as input parameter to the cl_abap_dyn_prg=>check_whitelist_str method or cl_abap_dyn_prg=>check_whitelist_tab method.

If the ABAP class cl_abap_dyn_prg methods check_whitelist_str and check_whitelist_tab does not help to check if the function module is in whitelist and remove the CVA finding at ATC, then an ATC exemption can be requested.