Example blog

Library of detectors and security detectors for log injection flaws


Amazon CodeGuru Reviewer is a developer tool that uses machine learning to detect security flaws in code (Java and Python) and offers suggestions for improving code quality. Recently, AWS introduced two new features for the tool with a new detector library and security detectors for log injection faults.

Amazon CodeGuru, launched in general availability in July 2020, consists of Amazon CodeGuru Profiler and Amazon CodeGuru Reviewer. The latter has received several updates with CI/CD integration with Github and detection of hard-coded secrets in the code. Additionally, with a new detector library and safety detectors for log injection faults, the CodeGuru component receives more features to harden developer code.

The CodeGuru Reviewer Detectors Library is a resource that contains detailed information about security and code quality detectors in CodeGuru Reviewer. In an AWS News blog post about new features in Amazon CodeGuru Reviewer, Danilo PocciaChief Evangelist (EMEA) at AWS, explains:

These sensors help you build secure and efficient applications on AWS. In the Detectors Library, you can find detailed information about CodeGuru Reviewer’s security and code quality detectors, including descriptions, their severity, and their potential impact on your application, as well as additional information that helps you mitigate risks.

Each detection page in the Detector Library includes a description of the detector, examples of non-compliant and compliant code snippets (Java and Python repositories), severity, and other information to help developers mitigate its risks (such than CWE numbers).

Source: https://aws.amazon.com/blogs/aws/new-for-amazon-codeguru-reviewer-detector-library-and-security-detectors-for-log-injection-flaws/

Following the recent Apache Log4j vulnerability, AWS added new detectors to CodeGuru Reviewer that check to see if a developer is logging anything uncleaned and potentially executable. These detectors address the issue described in CWE-117: Improper Neutralization of Log Output. Additionally, the detectors work with Java and Python code, and for Java are not limited to the Log4j library.

Holger Müllerprincipal analyst and vice president of Constellation Research Inc., told InfoQ:

Coding is no longer the traditional diet of writing code and waiting for compiler errors. Today, the IDE looks over the shoulders of developers as they code. A key area is making code safer, and that’s what AWS is doing in the latest version of CodeGuru.

New Amazon CodeGuru Reviewer features are available in all AWS Regions that offer Amazon CodeGuru. Amazon CodeGuru Reviewer pricing is available on the pricing page.

Source link