Amazon CodeGuru Reviewer is a developer instrument that detects safety vulnerabilities in your code and offers clever suggestions to enhance code high quality. For instance, CodeGuru Reviewer launched Safety Detectors for Java and Python code to determine safety dangers from the highest ten Open Net Software Safety Mission (OWASP) classes and comply with safety finest practices for AWS APIs and customary crypto libraries. At re:Invent, CodeGuru Reviewer launched a secrets and techniques detector to determine hardcoded secrets and techniques and recommend remediation steps to safe your secrets and techniques with AWS Secrets and techniques Supervisor. These capabilities make it easier to discover and remediate safety points earlier than you deploy.
Right this moment, I’m blissful to share two new options of CodeGuru Reviewer:
- A brand new Detector Library describes intimately the detectors that CodeGuru Reviewer makes use of when in search of doable defects and consists of code samples for each Java and Python.
- New safety detectors have been launched for detecting log-injection flaws in Java and Python code, much like what occurred with the current Apache Log4j vulnerability we described on this weblog submit.
Let’s see these new options in additional element.
Utilizing the Detector Library
That will help you perceive extra clearly which detectors CodeGuru Reviewer makes use of to overview your code, we at the moment are sharing a Detector Library the place yow will discover detailed data and code samples.
These detectors make it easier to construct safe and environment friendly purposes on AWS. Within the Detector Library, yow will discover detailed details about CodeGuru Reviewer’s safety and code high quality detectors, together with descriptions, their severity and potential impression in your utility, and extra data that helps you mitigate dangers.
Observe that every detector seems for a variety of code defects. We embrace one noncompliant and compliant code instance for every detector. Nonetheless, CodeGuru makes use of machine studying and automatic reasoning to determine doable points. Because of this, every detector can discover a vary of defects along with the specific code instance proven on the detector’s description web page.
Let’s take a look at a couple of detectors. One detector is in search of insecure cross-origin useful resource sharing (CORS) insurance policies which are too permissive and should result in loading content material from untrusted or malicious sources.
One other detector checks for improper enter validation that may allow assaults and result in undesirable conduct.
Particular detectors make it easier to use the AWS SDK for Java and the AWS SDK for Python (Boto3) in your purposes. For instance, there are detectors that may detect hardcoded credentials, comparable to passwords and entry keys, or inefficient polling of AWS assets.
New Detectors for Log-Injection Flaws
Following the current Apache Log4j vulnerability, we launched in CodeGuru Reviewer new detectors that examine if you happen to’re logging something that isn’t sanitized and probably executable. These detectors cowl the problem described in CWE-117: Improper Output Neutralization for Logs.
These detectors work with Java and Python code and, for Java, aren’t restricted to the Log4j library. They don’t work by trying on the model of the libraries you employ, however examine what you’re really logging. On this manner, they’ll shield you if comparable bugs occur sooner or later.
Following these detectors, user-provided inputs should be sanitized earlier than they’re logged. This avoids having an attacker be capable of use this enter to interrupt the integrity of your logs, forge log entries, or bypass log screens.
Availability and Pricing
These new options can be found right this moment in all AWS Areas the place Amazon CodeGuru is obtainable. For extra data, see the AWS Regional Companies Checklist.
The Detector Library is free to browse as a part of the documentation. For the brand new detectors in search of log-injection flaws, normal pricing applies. See the CodeGuru pricing web page for extra data.
Begin utilizing Amazon CodeGuru Reviewer right this moment to enhance the safety of your code.