Detect Python and Java code security vulnerabilities with Amazon CodeGuru Reviewer

{"value":"[Amazon CodeGuru](https://aws.amazon.com/codeguru) is a developer tool that uses machine learning and automated reasoning to catch hard to find defects and security vulnerabilities in application code. The purpose of this blog is to show how new CodeGuru Reviewer features help improve the security posture of your Python applications and highlight some of the specific categories of code vulnerabilities that CodeGuru Reviewer can detect. We will also cover newly expanded security capabilities for Java applications.\n\n[Amazon CodeGuru](https://aws.amazon.com/cn/codeguru/?trk=cndc-detail) Reviewer can detect code vulnerabilities and provide actionable recommendations across dozens of the most common and impactful categories of code security issues (as classified by industry-recognized standards, Open Web Application Security, [OWASP](https://owasp.org/Top10/) , “top ten” and Common Weakness Enumeration, [CWE](https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html). The following are some of the most severe code vulnerabilities that CodeGuru Reviewer can now help you detect and prevent:\n- Injection weaknesses typically appears in data-rich applications. Every year, hundreds of web servers are compromised using SQL Injection. An attacker can use this method to bypass access control and read or modify application data.\n- Path Traversal security issues occur when an application does not properly handle special elements within a provided path name. An attacker can use it to overwrite or delete critical files and expose sensitive data.\n- Null Pointer Dereference issues can occur due to simple programming errors, race conditions, and others. Null Pointer Dereference can cause availability issues in rare conditions. Attackers can use it to read and modify memory.\n- Weak or broken cryptography is a risk that may compromise the confidentiality and integrity of sensitive data.\n\n\nSecurity vulnerabilities present in source code can result in application downtime, leaked data, lost revenue, and lost customer trust. Best practices and peer code reviews aren’t sufficient to prevent these issues. You need a systematic way of detecting and preventing vulnerabilities from being deployed to production. CodeGuru Reviewer Security Detectors can provide a scalable approach to DevSecOps, a mechanism that employs automation to address security issues early in the software development lifecycle. Security detectors automate the detection of hard-to-find security vulnerabilities in Java and now Python applications, and provide actionable recommendations to developers.\n\nBy baking security mechanisms into each step of the process, DevSecOps enables the development of secure software without sacrificing speed. However, false positive issues raised by Static Application Security Testing (SAST) tools often must be manually triaged effectively and work against this value. CodeGuru uses techniques from automated reasoning, and specifically, precise data-flow analysis, to enhance the precision of code analysis. CodeGuru therefore reports fewer false positives.\n\nMany customers are already embracing open-source code analysis tools in their DevSecOps practices. However, integrating such software into a pipeline requires a heavy up front lift, ongoing maintenance, and patience to configure. Furthering the utility of new security detectors in [Amazon CodeGuru](https://aws.amazon.com/cn/codeguru/?trk=cndc-detail) Reviewer, this update adds integrations with [Bandit](https://github.com/PyCQA/bandit) and [Infer](https://fbinfer.com/), two widely-adopted open-source code analysis tools. In Java code bases, CodeGuru Reviewer now provide recommendations from Infer that detect null pointer dereferences, thread safety violations and improper use of synchronization locks. And in Python code, the service detects instances of SQL injection, path traversal attacks, weak cryptography, or the use of compromised libraries. Security issues found and recommendations generated by these tools are shown in the console, in pull requests comments, or through CI/CD integrations, alongside code recommendations generated by CodeGuru’s code quality and security detectors. Let’s dive deep and review some examples of code vulnerabilities that CodeGuru Reviewer can help detect.\n\n### **Injection (Python)**\n[Amazon CodeGuru](https://aws.amazon.com/cn/codeguru/?trk=cndc-detail) Reviewer can help detect the most common injection vulnerabilities including SQL, XML, OS command, and LDAP types. For example, SQL injection occurs when SQL queries are constructed through string formatting. An attacker could manipulate the program inputs to modify the intent of the SQL query. The following python statement executes a SQL query constructed through string formatting and can be an attack vector:\n\n```\\nimport sqlite3\\nfrom flask import request\\n\\ndef removing_product():\\n productId = request.args.get('productId')\\n str = 'DELETE FROM products WHERE productID = ' + productId\\n return str\\n\\ndef sql_injection():\\n connection = psycopg2.connect(\\"dbname=test user=postgres\\")\\n cur = db.cursor()\\n query = removing_product()\\n cur.execute(query)\\n```\nCodeGuru will flag a potential SQL injection using Bandit security detector, will make the following recommendation:\n\n```\\n>> We detected a SQL command that might use unsanitized input. \\nThis can result in an SQL injection. To increase the security of your code, \\nsanitize inputs before using them to form a query string.\\n```\nTo avoid this, the user should correct the code to use a parameter sanitization mechanism that guards against SQL injection as done below:\n```\\nimport sqlite3\\nfrom flask import request\\n\\ndef removing_product():\\n productId = sanitize_input(request.args.get('productId'))\\n str = 'DELETE FROM products WHERE productID = ' + productId\\n return str\\n\\ndef sql_injection():\\n connection = psycopg2.connect(\\"dbname=test user=postgres\\")\\n cur = db.cursor()\\n query = removing_product()\\n cur.execute(query)\\n```\nIn the above corrected code, user supplied ```sanitize_input``` method will take care of sanitizing user inputs.\n\n### **Path Traversal (Python)**\nWhen applications use user input to create a path to read or write local files, an attacker can manipulate the input to overwrite or delete critical files or expose sensitive data. These critical files might include source code, sensitive, or application configuration information.\n```\\n@app.route('/someurl')\\ndef path_traversal():\\n file_name = request.args[\\"file\\"]\\n f = open(\\"./{}\\".format(file_name))\\n f.close()\\n```\nIn above example, file name is directly passed to an open API without checking or filtering its content.\n\nCodeGuru’s recommendation:\n```\\n>> Potentially untrusted inputs are used to access a file path.\\nTo protect your code from a path traversal attack, verify that your inputs are\\nsanitized.\\n```\nIn response, the developer should sanitize data before using it for creating/opening file.\n```\\n@app.route('/someurl')\\ndef path_traversal():\\nfile_name = sanitize_data(request.args[\\"file\\"])\\nf = open(\\"./{}\\".format(file_name))\\nf.close()\\n```\nIn this modified code, input data file_name has been clean/filtered by ```sanitized_data``` api call.\n\n### **Null Pointer Dereference (Java)**\nInfer detectors are a new addition that complement CodeGuru Reviewer native Java Security Detectors. Infer detectors, based on the Facebook Infer static analyzer, include rules to detect null pointer dereferences, thread safety violations, and improper use of synchronization locks. In particular, the null-pointer-dereference rule detects paths in the code that lead to null pointer exceptions in Java. Null pointer dereference is a very common pitfall in Java and is considered one of 25 most dangerous software weaknesses.\n\nThe Infer null-pointer-dereference rule guards against unexpected null pointer exceptions by detecting locations in the code where pointers that could be null are dereferenced. CodeGuru augments the Infer analyzer with knowledge about the AWS APIs, which allows the security detectors to catch potential null pointer exceptions when using AWS APIs.\n\nFor example, the A[WS DynamoDBMapper](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBMapper.html) class provides a convenient abstraction for mapping [Amazon DynamoDB](https://aws.amazon.com/dynamodb) tables to Java objects. However, developers should be aware that DynamoDB Mapper load operations can return a null pointer if the object was not found in the table. The following code snippet updates a record in a catalog using a DynamoDB Mapper:\n\n```\\nDynamoDBMapper mapper = new DynamoDBMapper(client);\\n// Retrieve the item.\\nCatalogItem itemRetrieved = mapper.load(\\nCatalogItem.class, 601);\\n// Update the item.\\nitemRetrieved.setISBN(\\"622-2222222222\\");\\nitemRetrieved.setBookAuthors(\\nnew HashSet<String>(Arrays.asList(\\n\\"Author1\\", \\"Author3\\")));\\nmapper.save(itemRetrieved);\\n```\nCodeGuru will protect against a potential null dereference by making the following recommendation:\n```\\nobject `itemRetrieved` last assigned on line 88 could be null\\nand is dereferenced at line 90.\\n```\nIn response, the developer should add a null check to prevent the null pointer dereference from occurring.\n```\\nDynamoDBMapper mapper = new DynamoDBMapper(client);\\n// Retrieve the item.\\nCatalogItem itemRetrieved = mapper.load(CatalogItem.class, 601);\\n// Update the item.\\nif (itemRetrieved != null) {\\nitemRetrieved.setISBN(\\"622-2222222222\\");\\nitemRetrieved.setBookAuthors(\\nnew HashSet<String>(Arrays.asList(\\n\\"Author1\\",\\"Author3\\")));\\nmapper.save(itemRetrieved);\\n} else {\\nthrow new CatalogItemNotFoundException();\\n}\\n```\n### **Weak or broken cryptography (Python)**\nPython security detectors support popular frameworks along with built-in APIs such as cryptography, pycryptodome etc. to identify ciphers related vulnerability. As suggested in CWE-327 , the use of a non-standard/inadequate key length algorithm is dangerous because attacker may be able to break the algorithm and compromise whatever data has been protected. In this example, `PBKDF2` is used with a weak algorithm and may lead to cryptographic vulnerabilities.\nfrom Crypto.Protocol.KDF import PBKDF2\nfrom Crypto.Hash import SHA1\n```\\ndef risky_crypto_algorithm(password):\\nsalt = get_random_bytes(16)\\nkeys = PBKDF2(password, salt, 64, count=1000000,\\nhmac_hash_module=SHA1)\\n```\nSHA1 is used to create a PBKDF2, however, it is insecure hence not recommended for PBKDF2. CodeGuru’s identifies the issue and makes the following recommendation:\n```\\n>> The `PBKDF2` function is using a weak algorithm which might\\nlead to cryptographic vulnerabilities. We recommend that you use the\\n`SHA224`, `SHA256`, `SHA384`,`SHA512/224`, `SHA512/256`, `BLAKE2s`,\\n`BLAKE2b`, `SHAKE128`, `SHAKE256` algorithms.\\n```\nIn response, the developer should use the correct SHA algorithm to protect against potential cipher attacks.\n```\\nfrom Crypto.Protocol.KDF import PBKDF2\\nfrom Crypto.Hash import SHA512\\n\\ndef risky_crypto_algorithm(password):\\nsalt = get_random_bytes(16)\\nkeys = PBKDF2(password, salt, 64, count=1000000,\\nhmac_hash_module=SHA512)\\n```\nThis modified example uses high strength SHA512 algorithm.\n\n### **Conclusion**\nThis post reviewed [Amazon CodeGuru](https://aws.amazon.com/cn/codeguru/?trk=cndc-detail) Reviewer security detectors and how they automatically check your code for vulnerabilities and provide actionable recommendations in code reviews. We covered new capabilities for detecting issues in Python applications, as well as additional security features from Bandit and Infer. Together CodeGuru Reviewer’s security features provide a scalable approach for customers embracing DevSecOps, a mechanism that requires automation to address security issues earlier in the software development lifecycle. CodeGuru automates detection and helps prevent hard-to-find security vulnerabilities, accelerating DevSecOps processes for application development workflow.\n\nYou can get started from the [CodeGuru console](https://console.aws.amazon.com/codeguru/home) by running a full repository scan or integrating CodeGuru Reviewer with your supported CI/CD pipeline. Code analysis from Infer and Bandit is included as part of the standard CodeGuru Reviewer service.\n\nFor more details on how to get started, visit the [documentation](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/welcome.html).","render":"<p><a href=\\"https://aws.amazon.com/codeguru\\" target=\\"_blank\\">Amazon CodeGuru</a> is a developer tool that uses machine learning and automated reasoning to catch hard to find defects and security vulnerabilities in application code. The purpose of this blog is to show how new CodeGuru Reviewer features help improve the security posture of your Python applications and highlight some of the specific categories of code vulnerabilities that CodeGuru Reviewer can detect. We will also cover newly expanded security capabilities for Java applications.</p>\\n<p>Amazon CodeGuru Reviewer can detect code vulnerabilities and provide actionable recommendations across dozens of the most common and impactful categories of code security issues (as classified by industry-recognized standards, Open Web Application Security, <a href=\\"https://owasp.org/Top10/\\" target=\\"_blank\\">OWASP</a> , “top ten” and Common Weakness Enumeration, <a href=\\"https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html\\" target=\\"_blank\\">CWE</a>. The following are some of the most severe code vulnerabilities that CodeGuru Reviewer can now help you detect and prevent:</p>\\n<ul>\\n<li>Injection weaknesses typically appears in data-rich applications. Every year, hundreds of web servers are compromised using SQL Injection. An attacker can use this method to bypass access control and read or modify application data.</li>\n<li>Path Traversal security issues occur when an application does not properly handle special elements within a provided path name. An attacker can use it to overwrite or delete critical files and expose sensitive data.</li>\n<li>Null Pointer Dereference issues can occur due to simple programming errors, race conditions, and others. Null Pointer Dereference can cause availability issues in rare conditions. Attackers can use it to read and modify memory.</li>\n<li>Weak or broken cryptography is a risk that may compromise the confidentiality and integrity of sensitive data.</li>\n</ul>\\n<p>Security vulnerabilities present in source code can result in application downtime, leaked data, lost revenue, and lost customer trust. Best practices and peer code reviews aren’t sufficient to prevent these issues. You need a systematic way of detecting and preventing vulnerabilities from being deployed to production. CodeGuru Reviewer Security Detectors can provide a scalable approach to DevSecOps, a mechanism that employs automation to address security issues early in the software development lifecycle. Security detectors automate the detection of hard-to-find security vulnerabilities in Java and now Python applications, and provide actionable recommendations to developers.</p>\n<p>By baking security mechanisms into each step of the process, DevSecOps enables the development of secure software without sacrificing speed. However, false positive issues raised by Static Application Security Testing (SAST) tools often must be manually triaged effectively and work against this value. CodeGuru uses techniques from automated reasoning, and specifically, precise data-flow analysis, to enhance the precision of code analysis. CodeGuru therefore reports fewer false positives.</p>\n<p>Many customers are already embracing open-source code analysis tools in their DevSecOps practices. However, integrating such software into a pipeline requires a heavy up front lift, ongoing maintenance, and patience to configure. Furthering the utility of new security detectors in Amazon CodeGuru Reviewer, this update adds integrations with <a href=\\"https://github.com/PyCQA/bandit\\" target=\\"_blank\\">Bandit</a> and <a href=\\"https://fbinfer.com/\\" target=\\"_blank\\">Infer</a>, two widely-adopted open-source code analysis tools. In Java code bases, CodeGuru Reviewer now provide recommendations from Infer that detect null pointer dereferences, thread safety violations and improper use of synchronization locks. And in Python code, the service detects instances of SQL injection, path traversal attacks, weak cryptography, or the use of compromised libraries. Security issues found and recommendations generated by these tools are shown in the console, in pull requests comments, or through CI/CD integrations, alongside code recommendations generated by CodeGuru’s code quality and security detectors. Let’s dive deep and review some examples of code vulnerabilities that CodeGuru Reviewer can help detect.</p>\\n<h3><a id=\\"Injection_Python_15\\"></a><strong>Injection (Python)</strong></h3>\\n<p>Amazon CodeGuru Reviewer can help detect the most common injection vulnerabilities including SQL, XML, OS command, and LDAP types. For example, SQL injection occurs when SQL queries are constructed through string formatting. An attacker could manipulate the program inputs to modify the intent of the SQL query. The following python statement executes a SQL query constructed through string formatting and can be an attack vector:</p>\n<pre><code class=\\"lang-\\">import sqlite3\\nfrom flask import request\\n\\ndef removing_product():\\n productId = request.args.get('productId')\\n str = 'DELETE FROM products WHERE productID = ' + productId\\n return str\\n\\ndef sql_injection():\\n connection = psycopg2.connect(&quot;dbname=test user=postgres&quot;)\\n cur = db.cursor()\\n query = removing_product()\\n cur.execute(query)\\n</code></pre>\\n<p>CodeGuru will flag a potential SQL injection using Bandit security detector, will make the following recommendation:</p>\n<pre><code class=\\"lang-\\">&gt;&gt; We detected a SQL command that might use unsanitized input. \\nThis can result in an SQL injection. To increase the security of your code, \\nsanitize inputs before using them to form a query string.\\n</code></pre>\\n<p>To avoid this, the user should correct the code to use a parameter sanitization mechanism that guards against SQL injection as done below:</p>\n<pre><code class=\\"lang-\\">import sqlite3\\nfrom flask import request\\n\\ndef removing_product():\\n productId = sanitize_input(request.args.get('productId'))\\n str = 'DELETE FROM products WHERE productID = ' + productId\\n return str\\n\\ndef sql_injection():\\n connection = psycopg2.connect(&quot;dbname=test user=postgres&quot;)\\n cur = db.cursor()\\n query = removing_product()\\n cur.execute(query)\\n</code></pre>\\n<p>In the above corrected code, user supplied <code>sanitize_input</code> method will take care of sanitizing user inputs.</p>\\n<h3><a id=\\"Path_Traversal_Python_58\\"></a><strong>Path Traversal (Python)</strong></h3>\\n<p>When applications use user input to create a path to read or write local files, an attacker can manipulate the input to overwrite or delete critical files or expose sensitive data. These critical files might include source code, sensitive, or application configuration information.</p>\n<pre><code class=\\"lang-\\">@app.route('/someurl')\\ndef path_traversal():\\n file_name = request.args[&quot;file&quot;]\\n f = open(&quot;./{}&quot;.format(file_name))\\n f.close()\\n</code></pre>\\n<p>In above example, file name is directly passed to an open API without checking or filtering its content.</p>\n<p>CodeGuru’s recommendation:</p>\n<pre><code class=\\"lang-\\">&gt;&gt; Potentially untrusted inputs are used to access a file path.\\nTo protect your code from a path traversal attack, verify that your inputs are\\nsanitized.\\n</code></pre>\\n<p>In response, the developer should sanitize data before using it for creating/opening file.</p>\n<pre><code class=\\"lang-\\">@app.route('/someurl')\\ndef path_traversal():\\nfile_name = sanitize_data(request.args[&quot;file&quot;])\\nf = open(&quot;./{}&quot;.format(file_name))\\nf.close()\\n</code></pre>\\n<p>In this modified code, input data file_name has been clean/filtered by <code>sanitized_data</code> api call.</p>\\n<h3><a id=\\"Null_Pointer_Dereference_Java_85\\"></a><strong>Null Pointer Dereference (Java)</strong></h3>\\n<p>Infer detectors are a new addition that complement CodeGuru Reviewer native Java Security Detectors. Infer detectors, based on the Facebook Infer static analyzer, include rules to detect null pointer dereferences, thread safety violations, and improper use of synchronization locks. In particular, the null-pointer-dereference rule detects paths in the code that lead to null pointer exceptions in Java. Null pointer dereference is a very common pitfall in Java and is considered one of 25 most dangerous software weaknesses.</p>\n<p>The Infer null-pointer-dereference rule guards against unexpected null pointer exceptions by detecting locations in the code where pointers that could be null are dereferenced. CodeGuru augments the Infer analyzer with knowledge about the AWS APIs, which allows the security detectors to catch potential null pointer exceptions when using AWS APIs.</p>\n<p>For example, the A<a href=\\"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBMapper.html\\" target=\\"_blank\\">WS DynamoDBMapper</a> class provides a convenient abstraction for mapping <a href=\\"https://aws.amazon.com/dynamodb\\" target=\\"_blank\\">Amazon DynamoDB</a> tables to Java objects. However, developers should be aware that DynamoDB Mapper load operations can return a null pointer if the object was not found in the table. The following code snippet updates a record in a catalog using a DynamoDB Mapper:</p>\\n<pre><code class=\\"lang-\\">DynamoDBMapper mapper = new DynamoDBMapper(client);\\n// Retrieve the item.\\nCatalogItem itemRetrieved = mapper.load(\\nCatalogItem.class, 601);\\n// Update the item.\\nitemRetrieved.setISBN(&quot;622-2222222222&quot;);\\nitemRetrieved.setBookAuthors(\\nnew HashSet&lt;String&gt;(Arrays.asList(\\n&quot;Author1&quot;, &quot;Author3&quot;)));\\nmapper.save(itemRetrieved);\\n</code></pre>\\n<p>CodeGuru will protect against a potential null dereference by making the following recommendation:</p>\n<pre><code class=\\"lang-\\">object `itemRetrieved` last assigned on line 88 could be null\\nand is dereferenced at line 90.\\n</code></pre>\\n<p>In response, the developer should add a null check to prevent the null pointer dereference from occurring.</p>\n<pre><code class=\\"lang-\\">DynamoDBMapper mapper = new DynamoDBMapper(client);\\n// Retrieve the item.\\nCatalogItem itemRetrieved = mapper.load(CatalogItem.class, 601);\\n// Update the item.\\nif (itemRetrieved != null) {\\nitemRetrieved.setISBN(&quot;622-2222222222&quot;);\\nitemRetrieved.setBookAuthors(\\nnew HashSet&lt;String&gt;(Arrays.asList(\\n&quot;Author1&quot;,&quot;Author3&quot;)));\\nmapper.save(itemRetrieved);\\n} else {\\nthrow new CatalogItemNotFoundException();\\n}\\n</code></pre>\\n<h3><a id=\\"Weak_or_broken_cryptography_Python_125\\"></a><strong>Weak or broken cryptography (Python)</strong></h3>\\n<p>Python security detectors support popular frameworks along with built-in APIs such as cryptography, pycryptodome etc. to identify ciphers related vulnerability. As suggested in CWE-327 , the use of a non-standard/inadequate key length algorithm is dangerous because attacker may be able to break the algorithm and compromise whatever data has been protected. In this example, <code>PBKDF2</code> is used with a weak algorithm and may lead to cryptographic vulnerabilities.<br />\\nfrom Crypto.Protocol.KDF import PBKDF2<br />\\nfrom Crypto.Hash import SHA1</p>\n<pre><code class=\\"lang-\\">def risky_crypto_algorithm(password):\\nsalt = get_random_bytes(16)\\nkeys = PBKDF2(password, salt, 64, count=1000000,\\nhmac_hash_module=SHA1)\\n</code></pre>\\n<p>SHA1 is used to create a PBKDF2, however, it is insecure hence not recommended for PBKDF2. CodeGuru’s identifies the issue and makes the following recommendation:</p>\n<pre><code class=\\"lang-\\">&gt;&gt; The `PBKDF2` function is using a weak algorithm which might\\nlead to cryptographic vulnerabilities. We recommend that you use the\\n`SHA224`, `SHA256`, `SHA384`,`SHA512/224`, `SHA512/256`, `BLAKE2s`,\\n`BLAKE2b`, `SHAKE128`, `SHAKE256` algorithms.\\n</code></pre>\\n<p>In response, the developer should use the correct SHA algorithm to protect against potential cipher attacks.</p>\n<pre><code class=\\"lang-\\">from Crypto.Protocol.KDF import PBKDF2\\nfrom Crypto.Hash import SHA512\\n\\ndef risky_crypto_algorithm(password):\\nsalt = get_random_bytes(16)\\nkeys = PBKDF2(password, salt, 64, count=1000000,\\nhmac_hash_module=SHA512)\\n</code></pre>\\n<p>This modified example uses high strength SHA512 algorithm.</p>\n<h3><a id=\\"Conclusion_154\\"></a><strong>Conclusion</strong></h3>\\n<p>This post reviewed Amazon CodeGuru Reviewer security detectors and how they automatically check your code for vulnerabilities and provide actionable recommendations in code reviews. We covered new capabilities for detecting issues in Python applications, as well as additional security features from Bandit and Infer. Together CodeGuru Reviewer’s security features provide a scalable approach for customers embracing DevSecOps, a mechanism that requires automation to address security issues earlier in the software development lifecycle. CodeGuru automates detection and helps prevent hard-to-find security vulnerabilities, accelerating DevSecOps processes for application development workflow.</p>\n<p>You can get started from the <a href=\\"https://console.aws.amazon.com/codeguru/home\\" target=\\"_blank\\">CodeGuru console</a> by running a full repository scan or integrating CodeGuru Reviewer with your supported CI/CD pipeline. Code analysis from Infer and Bandit is included as part of the standard CodeGuru Reviewer service.</p>\\n<p>For more details on how to get started, visit the <a href=\\"https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/welcome.html\\" target=\\"_blank\\">documentation</a>.</p>\n"}