AWS has upgraded its CodeGuru Reviewer tool’s ‘detectors’ to look for log injection weaknesses like the newly reported Log4Shell problem in the popular Java logging library Log4J. Following their discovery in December, the significant Log4J issues, called Log4Shell, startled the tech sector and end-user groups into massive remediation operations that may have evaded catastrophic assaults so far but are projected to remain in systems for years.
AWS offered numerous tools at the time to assist clients in safeguarding their resources, including updated web application firewall rules and Inspector tool upgrades to identify the vulnerability in EC2 VM instances. AWS has introduced two new features to CodeGuru Reviewer, AWS’s machine learning-based scanner that checks code for defects and suggests changes for security concerns during reviews. The tool intends to enhance code reviews for developers who work with code in the context of continuous integration and development (CI/CD) procedures. Developers can add CodeGuru Reviewer as a code reviewer after committing work to GitHub or Bitbucket.
The additional functionalities add to the security checks performed by the service. Last year, it introduced the CodeGuru Reviewer Secrets Detector, which finds dangerous hardcoded secrets in Java and Python source code and configuration files, such as passwords and API access keys. A new Detector Library for various common security problems impacting Java and Python online apps, and several new security detectors especially targeting Log4Shell-like log injection flaws, are among the brand-new features for CodeGuru Review.
The Detector Library includes many detectors for common Java and Python programming weaknesses, like unauthenticated LDAP queries in Java code. It describes each security concern in-depth, including its severity and impact on an application, as well as one example of non-compliant and compliant code for each issue. There are presently 91 Java detectors and 69 Python detectors in the library. According to AWS, CodeGuru “uses machine learning and automated reasoning” to discover potential flaws. Therefore, each detector can locate a variety of defects in addition to the example on the detector’s description page.
AWS responded to Log4Shell by releasing a broader detector for similar problems that checks if developers report “not sanitized and possibly executable” data. “User-provided inputs must be sanitized before they are logged,” it advises if it discovers an example of such code. Unsanitized input can be used to compromise the integrity of a log, fake log entries, or bypass log monitors. It then goes on to provide non-compliant and conforming code samples.
