In this talk I will compare 2 services which aim at automatically identifing critical issues, security vulnerabilities, and hard-to-find bugs during application development: Amazon CodeGuru and SonarQube from the perspective of the Java developer on AWS. Amazon CodeGuru Reviewer uses ML and automated reasoning to provide recommendations to developers on how to fix issues to improve code quality and dramatically reduce the time it takes to fix bugs before they reach customer-facing applications and result in a bad experience. SonarQube is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities

1. Amazon CodeGuru vs SonarQube for Java Developers on
Vadym Kazulkin, ip.labs, JCON, 22 September 2022

2. Contact
Vadym Kazulkin
ip.labs GmbH Bonn, Germany
Co-Organizer of the Java User Group Bonn
v.kazulkin@gmail.com
@VKazulkin
https://www.linkedin.com/in/vadymkazulkin
https://www.iplabs.de/

3. ip.labs
https://www.iplabs.de/

4. AWS CodeGuru

5. What is AWS CodeGuru
Amazon CodeGuru is a developer tool that provides intelligent
recommendations to improve code quality and identify an
application’s most expensive lines of code
• CodeGuru Reviewer uses machine learning and automated
reasoning to identify critical issues, security vulnerabilities,
and hard-to-find bugs during application development and
provides recommendations to improve code quality
• CodeGuru Profiler helps developers find an application’s
most expensive lines of code by helping them understand
the runtime behavior of their applications, identify and
remove code inefficiencies and improve performance
https://aws.amazon.com/codeguru

6. How CodeGuru work
https://aws.amazon.com/codeguru

7. Automated reasoning's scientific frontiers
https://www.amazon.science/blog/automated-reasonings-scientific-frontiers

8. CodeGuru Programming Language Support
• Java
• Python

9. CodeGuru
CodeGuru Reviewer in Java

10. CodeGuru Setup

11. CodeGuru Setup

12. CodeGuru Reviewer Scans
• Full repository analysis
• Incremental code reviews (pull requests)

13. Java Code for CodeGuru Analysis

14. CodeGuru Reviewer Recommendation
The recommendations for Java fall into the following categories:
• AWS best practices
• Security
• Resource leaks
• Concurrency
• Integration with Infer (https://fbinfer.com/)
• detect null pointer dereferences, thread safety violations
and improper use of synchronization locks
• General best practices on data structures, control flow,
exception handling, and more
https://aws.amazon.com/de/blogs/devops/improving-aws-java-applications-with-amazon-codeguru-reviewer/

15. CodeGuru Review Full Repository Analysis

16. What's different between the AWS SDK for Java
1.x and 2.x
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/migration-whats-different.html

17. CodeGuru Review AWS Best Practices with
Java SDK V1

18. CodeGuru Review AWS Best Practices with
Java SDK V1

19. CodeGuru Review AWS Best Practices with
Java SDK V1

20. CodeGuru Review AWS Best Practices with
Java SDK V1

21. CodeGuru Review AWS Best Practices with
Java SDK V2

22. CodeGuru Review other AWS Best Practices

23. CodeGuru Review Concurrency

24. CodeGuru Review Concurrency

25. CodeGuru Review Resource Leak

26. CodeGuru Review Security

27. CodeGuru Review Security

28. CodeGuru Review Security

29. CodeGuru Incremental Review
Occurs automatically when creating a pull request with CodeGuru associated
with CodeCommit repository

30. CodeGuru Review Expected, but No Findings
https://aws.amazon.com/de/blogs/devops/tightening-application-security-with-amazon-codeguru/

31. CodeGuru Reviewer AWS CI/CD Integration

32. CodeGuru Reviewer CI/CD Integration
For CodeBuild add to buildspec.yaml
pre_build:
commands:
- pip3 install awscli --upgrade --user
- export TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION}
- aws codeguru-reviewer create-code-review --name your-
codeguru-review-name$TAG
--repository-association-arn arn:aws:codeguru-
reviewer:eu-central-1:your-codeguru-arn
--type
RepositoryAnalysis={RepositoryHead={BranchName=main}}

33. CodeGuru Reviewer GitHub CI/CD Integration
https://aws.amazon.com/about-aws/whats-new/2021/06/amazon-codeguru-reviewer-announces-ci-cd-integration-github-actions-new-security-detectors-for-java/?nc1=h_ls

34. CodeGuru vs SonarQube

35. CodeGuru vs SonarQube
• CodeGuru currently support only 2 languages vs SonarQube
supporting 20+
• CodeGuru is much powerful in detecting AWS best practices
(including AWS security best practices)
• SonarQube is much more powerful detecting common Java
issues
• SonarQube is better at detecting OWASP Top 10-related
issues
• See dependency-check https://owasp.org/www-project-
dependency-check/ with Maven and Gradle plugins

36. CodeGuru vs SonarQube
• Code Repositories
• CodeGuru
• SonarQube
• CI Integration
• CodeGuru
• SonarQube

37. CodeGuru vs SonarQube
• SonarQube plugin eco system is much more powerful
• SonarLint alternative on the CodeGuru side is currently
missing
• Use CodeGuru in conjunction with SonarQube

39. www.iplabs.de
Accelerate Your Photo Business
Get in Touch