== Why is this an issue?

According to the SAP documentation :


____
This statement starts the ABAP editor for the source text of the program specified in prog. prog has to be a character-type data object, which contains the name of a program in capital letters that exists in the Repository. Otherwise you will get a corresponding status message.


After starting the ABAP editor, it provides the full functionality, as if called from the ABAP-Workbench. You can navigate forward to branch to other tools. After returning from the ABAP-editor, the current program continues after the statement EDITOR-CALL.

____

But this statement bypasses the authority checks that are performed when calling the ABAP editor via transaction code. Therefore the use of EDITOR-CALL FOR REPORT is a security vulnerability.


=== Noncompliant code example

[source,text]
----
EDITOR-CALL FOR REPORT 'MY_SAP_REPORT' DISPLAY-MODE.
----