New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws – InfoQ.com

Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect security defects in code (Java and Python) and offers suggestions for code quality improvement. Recently, AWS introduced two new features for the tool, with a new Detector Library and security detectors for Log-Injection Flaws.

Amazon CodeGuru, released to general availability in July 2020, consists of Amazon CodeGuru Profiler and Amazon CodeGuru Reviewer. The latter received several updates with CI/CD integration with Github and detecting hard-coded secrets in code. In addition, with a new Detector Library and security detectors for Log-Injection Flaws, the CodeGuru component receives more features to hardness developer code. 

The CodeGuru Reviewer Detector Library is a resource that contains detailed information about the security and code quality detectors in CodeGuru Reviewer. In an AWS News blog post on the new features for Amazon CodeGuru Reviewer, Danilo Poccia, a chief evangelist (EMEA) at AWS, explains:

These detectors help you build secure and efficient applications on AWS. In the Detector Library, you can find detailed information about CodeGuru Reviewer’s security and code quality detectors, including descriptions, their severity and potential impact on your application, and additional information that helps you mitigate risks.

Each detection page in the Detector Library includes a description of the detector, non-compliant and compliant example code snippets (Java and Python repositories), severity, and other information to assist developers in mitigating its risks (such as CWE numbers). 

 
Source: https://aws.amazon.com/blogs/aws/new-for-amazon-codeguru-reviewer-detector-library-and-security-detectors-for-log-injection-flaws/

Following the recent Apache Log4j vulnerability, AWS added new detectors to CodeGuru Reviewer that check if a developer logs anything that is not sanitized and potentially executable. These detectors address the issue described in CWE-117: Improper Log Output Neutralization. In addition, the detectors work with Java and Python code and, for Java, are not limited to the Log4j library. 

Holger Mueller, principal analyst and vice president at Constellation Research Inc., told InfoQ:

Coding is no longer the traditional diet of writing code and waiting for compiler errors. Today, the IDE is looking over the shoulders of the developers’ shoulders while they are coding. One key area is to make code safer, and that is what AWS is doing in the latest version of CodeGuru.

The new Amazon CodeGuru Reviewer features are available in all AWS regions offering Amazon CodeGuru. Pricing of Amazon CodeGuru Reviewer is available on the pricing page

About the Author

Spread the love

Leave a Reply

Your email address will not be published.