Post Syndicated from Nikunj Vaidya original https://aws.amazon.com/blogs/devops/incorporating-security-in-code-reviews-using-amazon-codeguru-reviewer/
Today, software development practices are constantly evolving to empower developers with tools to maintain a high bar of code quality. Amazon CodeGuru Reviewer offers this capability by carrying out automated code-reviews for developers, based on the trained machine learning models that can detect complex defects and providing intelligent actionable recommendations to mitigate those defects. A quick overview of CodeGuru is covered in this blog post.
Security analysis is a critical part of a code review and CodeGuru Reviewer offers this capability with a new set of security detectors. These security detectors introduced in CodeGuru Reviewer are geared towards identifying security risks from the top 10 OWASP categories and ensures that your code follows best practices for AWS Key Management Service (AWS KMS), Amazon Elastic Compute Cloud (Amazon EC2) API, and common Java crypto and TLS/SSL libraries. As of today, CodeGuru security analysis supports Java language, thus we will take an example of a Java application.
In this post, we will walk through the on-boarding workflow to carry out the security analysis of the code repository and generate recommendations for a Java application.
Security workflow overview:
The new security workflow, introduced for CodeGuru reviewer, utilizes the source code and build artifacts to generate recommendations. The security detector evaluates build artifacts to generate security-related recommendations whereas other detectors continue to scan the source code to generate recommendations. With the use of build artifacts for evaluation, the detector can carry out a whole-program inter-procedural analysis to discover issues that are caused across your code (e.g., hardcoded credentials in one file that are passed to an API in another) and can reduce false-positives by checking if an execution path is valid or not. You must provide the source code .zip file as well as the build artifact .zip file for a complete analysis.
Customers can run a security scan when they create a repository analysis. CodeGuru Reviewer provides an additional option to get both code and security recommendations. As explained in the following sections, CodeGuru Reviewer will create an Amazon Simple Storage Service (Amazon S3) bucket in your AWS account for that region to upload or copy your source code and build artifacts for the analysis. This repository analysis option can be run on Java code from any repository.
Prerequisites
Prepare the source code and artifact zip files: If you do not have your Java code locally, download the source code that you want to evaluate for security and zip it. Similarly, if needed, download the build artifact .jar file for your source code and zip it. It will be required to upload the source code and build artifact as separate .zip files as per the instructions in subsequent sections. Thus even if it is a single file (eg. single .jar file), you will still need to zip it. Even if the .zip file includes multiple files, the right files will be discovered and analyzed by CodeGuru. For our sample test, we will use src.zip and jar.zip file, saved locally.
Creating an S3 bucket repository association:
This section summarizes the high-level steps to create the association of your S3 bucket repository.
1. On the CodeGuru console, choose Code reviews.
2. On the Repository analysis tab, choose Create repository analysis.
Figure: Screenshot of initiating the repository analysis
3. For the source code analysis, select Code and security recommendations.
4. For Repository name, enter a name for your repository.
5. Under Additional settings, for Code review name, enter a name for trackability purposes.
6. Choose Create S3 bucket and associate.
Figure: Screenshot to show selection of Security Code Analysis
It takes a few seconds to create a new S3 bucket in the current Region. When it completes, you will see the below screen.
Figure: Screenshot for Create repository analysis showing S3 bucket created
7. Choose Upload to the S3 bucket option and under that choose Upload source code zip file and select the zip file (src.zip) from your local machine to upload.
Figure: Screenshot of popup to upload code and artifacts from S3 bucket
8. Similarly, choose Upload build artifacts zip file and select the zip file (jar.zip) from your local machine and upload.
Figure: Screenshot for Create repository analysis showing S3 paths populated
Alternatively, you can always upload the source code and build artifacts as zip file from any of your existing S3 bucket as below.
9. Choose Browse S3 buckets for existing artifacts and upload from there as shown below:
Figure: Screenshot to upload code and artifacts from an existing S3 bucket
10. Now click Create repository analysis and trigger the code review.
A new pending entry is created as shown below.
Figure: Screenshot of code review in Pending state
After a few minutes, you would see the recommendations generate that would include security analysis too. In the below case, there are 10 recommendations generated.
Figure: Screenshot of repository analysis being completed
For the subsequent code reviews, you can use the same repository and upload new files or create a new repository as shown below:
Figure: Screenshot of subsequent code review making repository selection
Recommendations
Apart from detecting the security risks from the top 10 OWASP categories, the security detector, detects the deep security issues by analyzing data flow across multiple methods, procedures, and files.
The recommendations generated in the area of security are labelled as Security. In the below example we see a recommendation to remove hard-coded credentials and a non-security-related recommendation about refactoring of code for better maintainability.
Figure: Screenshot of Recommendations generated
Below is another example of recommendations pointing out the potential resource-leak as well as a security issue pointing to a potential risk of path traversal attack.
Figure: More examples of deep security recommendations
As this blog is focused on on-boarding aspects, we will cover the explanation of recommendations in more detail in a separate blog.
Disassociation of Repository (optional):
The association of CodeGuru to the S3 bucket repository can be removed by following below steps. Navigate to the Repositories page, select the repository and choose Disassociate repository.
Figure: Screenshot of disassociating the S3 bucket repo with CodeGuru
Conclusion
This post reviewed the support for on-boarding workflow to carry out the security analysis in CodeGuru Reviewer. We initiated a full repository analysis for the Java code using a separate UI workflow and generated recommendations.
We hope this post was useful and would enable you to conduct code analysis using Amazon CodeGuru Reviewer.
About the Author
Nikunj Vaidya is a Sr. Solutions Architect with Amazon Web Services, focusing in the area of DevOps services. He builds technical content for the field enablement and offers technical guidance to the customers on AWS DevOps solutions and services that would streamline the application development process, accelerate application delivery, and enable maintaining a high bar of software quality.