Download to read offline
Amazon CodeGuru vs SonarQube for Java Developers at JCon 2022
- 1. Amazon CodeGuru vsSonarQube for Java Developers on Vadym Kazulkin, ip.labs, JCON, 22 September 2022
- 2. Contact Vadym Kazulkin ip.labs GmbHBonn, Germany Co-Organizer of the Java User Group Bonn v.kazulkin@gmail.com @VKazulkin https://www.linkedin.com/in/vadymkazulkin https://www.iplabs.de/
- 3.
- 4.
- 5. What is AWSCodeGuru Amazon CodeGuru is a developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code • CodeGuru Reviewer uses machine learning and automated reasoning to identify critical issues, security vulnerabilities, and hard-to-find bugs during application development and provides recommendations to improve code quality • CodeGuru Profiler helps developers find an application’s most expensive lines of code by helping them understand the runtime behavior of their applications, identify and remove code inefficiencies and improve performance https://aws.amazon.com/codeguru
- 6.
- 7. Automated reasoning's scientificfrontiers https://www.amazon.science/blog/automated-reasonings-scientific-frontiers
- 8. CodeGuru Programming LanguageSupport • Java • Python
- 9.
- 10.
- 11.
- 12. CodeGuru Reviewer Scans •Full repository analysis • Incremental code reviews (pull requests)
- 13. Java Code forCodeGuru Analysis
- 14. CodeGuru Reviewer Recommendation Therecommendations for Java fall into the following categories: • AWS best practices • Security • Resource leaks • Concurrency • Integration with Infer (https://fbinfer.com/) • detect null pointer dereferences, thread safety violations and improper use of synchronization locks • General best practices on data structures, control flow, exception handling, and more https://aws.amazon.com/de/blogs/devops/improving-aws-java-applications-with-amazon-codeguru-reviewer/
- 15. CodeGuru Review FullRepository Analysis
- 16. What's different betweenthe AWS SDK for Java 1.x and 2.x https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/migration-whats-different.html
- 17. CodeGuru Review AWSBest Practices with Java SDK V1
- 18. CodeGuru Review AWSBest Practices with Java SDK V1
- 19. CodeGuru Review AWSBest Practices with Java SDK V1
- 20. CodeGuru Review AWSBest Practices with Java SDK V1
- 21. CodeGuru Review AWSBest Practices with Java SDK V2
- 22. CodeGuru Review otherAWS Best Practices
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29. CodeGuru Incremental Review Occursautomatically when creating a pull request with CodeGuru associated with CodeCommit repository
- 30. CodeGuru Review Expected,but No Findings https://aws.amazon.com/de/blogs/devops/tightening-application-security-with-amazon-codeguru/
- 31. CodeGuru Reviewer AWSCI/CD Integration
- 32. CodeGuru Reviewer CI/CDIntegration For CodeBuild add to buildspec.yaml pre_build: commands: - pip3 install awscli --upgrade --user - export TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION} - aws codeguru-reviewer create-code-review --name your- codeguru-review-name$TAG --repository-association-arn arn:aws:codeguru- reviewer:eu-central-1:your-codeguru-arn --type RepositoryAnalysis={RepositoryHead={BranchName=main}}
- 33. CodeGuru Reviewer GitHubCI/CD Integration https://aws.amazon.com/about-aws/whats-new/2021/06/amazon-codeguru-reviewer-announces-ci-cd-integration-github-actions-new-security-detectors-for-java/?nc1=h_ls
- 34.
- 35. CodeGuru vs SonarQube •CodeGuru currently support only 2 languages vs SonarQube supporting 20+ • CodeGuru is much powerful in detecting AWS best practices (including AWS security best practices) • SonarQube is much more powerful detecting common Java issues • SonarQube is better at detecting OWASP Top 10-related issues • See dependency-check https://owasp.org/www-project- dependency-check/ with Maven and Gradle plugins
- 36. CodeGuru vs SonarQube •Code Repositories • CodeGuru • SonarQube • CI Integration • CodeGuru • SonarQube
- 37. CodeGuru vs SonarQube •SonarQube plugin eco system is much more powerful • SonarLint alternative on the CodeGuru side is currently missing • Use CodeGuru in conjunction with SonarQube
- 39. www.iplabs.de Accelerate Your PhotoBusiness Get in Touch