AWS's AI code reviewer now spots Log4Shell-like bugs in Java and Python code

Amazon Web Services' automated code review helps developers find serious security issues in Java and Python applications.
Written by Liam Tung, Contributing Writer

Amazon Web Services (AWS) has updated the 'detectors' in its CodeGuru Reviewer tool to seek out log injection flaws, the class of bug behind the recently disclosed Log4Shell vulnerability (CVE-2021-44228) in the popular Java logging library Log4j.

The critical Log4j bugs, collectively dubbed Log4Shell after their disclosure in December, jolted the tech industry and end-user organizations into mass remediation efforts. Those efforts may have averted major attacks to date, but the bugs are expected to lurk in unpatched systems for years.

At the time, AWS released several tools to help customers protect resources, such as new web application firewall rules, and updates to its Inspector tool to detect the vulnerability in EC2 VM instances.


AWS has now announced two new features for CodeGuru Reviewer, AWS's scanner that uses machine learning to check code during reviews for bugs and to suggest fixes for security issues. The tool aims to improve code reviews within continuous integration and continuous delivery (CI/CD) pipelines. After developers push code to a repository on, say, GitHub or Bitbucket, they can associate that repository with CodeGuru Reviewer, which then comments on pull requests like an additional code reviewer.

The new features help flesh out the service's security checks. Last year, it added the CodeGuru Reviewer Secrets Detector, which detects risky hardcoded secrets in source code and configuration files for Java and Python applications, like passwords and API access keys.

The brand-new features for CodeGuru Reviewer are a new Detector Library covering several common security flaws affecting Java and Python web applications, as well as several new security detectors specifically aimed at Log4Shell-like log injection flaws.

The Detector Library lists detectors for various flaws common to Java and Python programming, such as unauthenticated LDAP requests in Java code. It offers details about each security issue, its severity and impact on an application, and one example each of non-compliant and compliant code for each issue. The library currently contains 91 Java detectors and 69 Python detectors.

AWS notes that CodeGuru "uses machine learning and automated reasoning" to identify possible issues, so each detector can find a range of defects on top of the example on the detector's description page.

In response to Log4Shell, AWS introduced a more general set of detectors for similar flaws that check whether developers are logging data that "is not sanitized and possibly executable".

If it finds an example of such code, it warns that "user-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors." It then provides examples of non-compliant and compliant code. 

"These detectors work with Java and Python code and, for Java, are not limited to the Log4j library," AWS notes. 

"They don't work by looking at the version of the libraries you use, but check what you are actually logging. In this way, they can protect you if similar bugs happen in the future."
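The following Python example, added here and not taken from AWS or the CodeGuru documentation, shows the kind of code the log injection detectors described above are meant to flag, beside a compliant version. A username containing a line break is logged verbatim, which lets an attacker forge a second, entirely fabricated log entry; the hardened version escapes control characters before logging so the forged line stays inside the real entry. The logger names, `sanitize_for_log` helper, and the attacker input are all constructed for the illustration.

```python
import io
import logging
import re

# Control characters (including CR and LF) that let an attacker start a fake
# log line or confuse log-parsing tools. Each is replaced with a visible escape
# such as "\x0a" so the original entry stays on one line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Neutralize line breaks and other control characters before logging."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def _capture_logger(name: str):
    """Build a logger that writes to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def login_noncompliant(username: str) -> str:
    """Non-compliant: user input reaches the log unsanitized (the pattern a detector flags)."""
    logger, buf = _capture_logger("noncompliant")
    logger.info("Failed login for user %s", username)
    return buf.getvalue()


def login_compliant(username: str) -> str:
    """Compliant: the same message, but the untrusted value is sanitized first."""
    logger, buf = _capture_logger("compliant")
    logger.info("Failed login for user %s", sanitize_for_log(username))
    return buf.getvalue()


# Constructed attacker input: the username ends the real entry with a newline
# and appends a forged entry claiming a successful admin login.
FORGED_USERNAME = "bob\nINFO Successful login for user admin"


def entry_count(log_text: str) -> int:
    """Count lines that a log monitor would parse as separate entries."""
    return sum(
        1 for line in log_text.splitlines()
        if line.startswith(("INFO", "WARNING", "ERROR"))
    )


if __name__ == "__main__":
    print(login_noncompliant(FORGED_USERNAME))  # two entries, one of them forged
    print(login_compliant(FORGED_USERNAME))     # one entry, newline shown as \x0a
```

Running this, the non-compliant function yields two apparently independent entries while the compliant one yields a single line with the injected newline rendered as `\x0a`. Escaping control characters addresses log forging; it is not a substitute for upgrading Log4j, since the Log4Shell remote code execution was triggered by Log4j's own lookup of `${...}` expressions in logged strings rather than by line breaks.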

The service comes at a cost, but might help alleviate issues for organizations facing developer or security skills shortages. 

The new features are available where CodeGuru Reviewer is available, which includes select US, Europe and Asia Pacific AWS regions. Pricing for CodeGuru Reviewer starts at $10 a month for the first 100,000 lines of code in onboarded repositories, and charges $30 a month for each additional 100,000 lines of code.  
