In this talk I will compare two services which aim at automatically identifying critical issues, security vulnerabilities, and hard-to-find bugs during application development: Amazon CodeGuru and SonarQube, from the perspective of the Java developer on AWS. Amazon CodeGuru Reviewer uses ML and automated reasoning to provide recommendations to developers on how to fix issues, improve code quality, and dramatically reduce the time it takes to fix bugs before they reach customer-facing applications and result in a bad experience. SonarQube is an open-source platform for continuous inspection of code quality that performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities.
Amazon CodeGuru vs SonarQube for Java Developers at JCon 2022
1. Amazon CodeGuru vs SonarQube for Java Developers on
Vadym Kazulkin, ip.labs, JCON, 22 September 2022
2. Contact
Vadym Kazulkin
ip.labs GmbH Bonn, Germany
Co-Organizer of the Java User Group Bonn
v.kazulkin@gmail.com
@VKazulkin
https://www.linkedin.com/in/vadymkazulkin
https://www.iplabs.de/
5. What is AWS CodeGuru
Amazon CodeGuru is a developer tool that provides intelligent
recommendations to improve code quality and identify an
application’s most expensive lines of code
• CodeGuru Reviewer uses machine learning and automated
reasoning to identify critical issues, security vulnerabilities,
and hard-to-find bugs during application development and
provides recommendations to improve code quality
• CodeGuru Profiler helps developers find an application’s
most expensive lines of code by helping them understand
the runtime behavior of their applications, identify and
remove code inefficiencies and improve performance
https://aws.amazon.com/codeguru
14. CodeGuru Reviewer Recommendation
The recommendations for Java fall into the following categories:
• AWS best practices
• Security
• Resource leaks
• Concurrency
• Integration with Infer (https://fbinfer.com/)
• detect null pointer dereferences, thread safety violations
and improper use of synchronization locks
• General best practices on data structures, control flow,
exception handling, and more
https://aws.amazon.com/de/blogs/devops/improving-aws-java-applications-with-amazon-codeguru-reviewer/
16. What's different between the AWS SDK for Java 1.x and 2.x
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/migration-whats-different.html
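To make the "AWS best practices" and "resource leaks" categories from slide 14 concrete on the SDK 2.x API from slide 16, here is an added illustration written for this page (not code from the talk or from AWS); the bucket and key parameters and the EU_CENTRAL_1 region are arbitrary assumptions:

```java
// Added illustration: the same S3 read written twice, first with two patterns that
// static analysis of the kind described on slide 14 flags (a client rebuilt on every
// call and a response stream that is never closed), then in the corrected form.
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import software.amazon.awssdk.core.ResponseInputStream;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;

public class S3ObjectReader {

    // Problem pattern: a new S3Client per call rebuilds the HTTP connection pool and
    // credential chain each time, and the stream returned by getObject() is never
    // closed, so the underlying HTTP connection leaks on every invocation.
    static String readLeaky(String bucket, String key) throws IOException {
        S3Client s3 = S3Client.builder().region(Region.EU_CENTRAL_1).build(); // assumed region
        GetObjectRequest req = GetObjectRequest.builder().bucket(bucket).key(key).build();
        InputStream in = s3.getObject(req);
        return new String(in.readAllBytes(), StandardCharsets.UTF_8);
    }

    // Corrected form: one client shared for the lifetime of the application, and
    // try-with-resources so the response stream (and its connection) is always released,
    // including on the exception path.
    private static final S3Client S3 =
            S3Client.builder().region(Region.EU_CENTRAL_1).build(); // assumed region

    static String readSafely(String bucket, String key) throws IOException {
        GetObjectRequest req = GetObjectRequest.builder().bucket(bucket).key(key).build();
        try (ResponseInputStream<GetObjectResponse> in = S3.getObject(req)) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Both methods compile against the AWS SDK for Java 2.x and need AWS credentials at runtime; the point is that only the second survives a code review by either tool without findings in these two categories.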
35. CodeGuru vs SonarQube
• CodeGuru currently supports only 2 languages vs SonarQube
supporting 20+
• CodeGuru is much more powerful at detecting AWS best practices
(including AWS security best practices)
• SonarQube is much more powerful at detecting common Java
issues
• SonarQube is better at detecting OWASP Top 10-related
issues
• See dependency-check https://owasp.org/www-project-dependency-check/
with Maven and Gradle plugins
36. CodeGuru vs SonarQube
• Code Repositories
• CodeGuru
• SonarQube
• CI Integration
• CodeGuru
• SonarQube
37. CodeGuru vs SonarQube
• SonarQube plugin ecosystem is much more powerful
• SonarLint alternative on the CodeGuru side is currently
missing
• Use CodeGuru in conjunction with SonarQube