SonarCloud detects injection vulnerabilities in your AWS Lambda written in Python

Hello Python developers,

We extended our support for AWS Lambda analysis to Python, and SonarCloud is now able to detect injection vulnerabilities in Lambdas written in Python. This works if the Lambdas are configured using SAM / CloudFormation or Serverless.

In the following example, the Serverless configuration file declares an AWS Lambda that will invoke the function `handler.test1`:

```yaml
service: myservice
frameworkVersion: '2'

provider:
  name: aws
  runtime: python3.6
  lambdaHashingVersion: 20201221

package:
  individually: true

plugins:
  - serverless-python-requirements

functions:

  test1:
    handler: handler.test1
    events:
      - http:
          path: /test1
          method: get
```

SonarCloud determines that `handler.test1` will be invoked by the Lambda, that malicious inputs (the HTTP event) can reach it, and raises a Vulnerability issue when such an input flows into a sensitive operation.

Note: this feature works only if the Python code is in a file, which means that Python code declared in an `InlineCode` field is not considered by the analyzer.

This change is available on SonarCloud now and will be included in SonarQube Developer Edition 9.2.

Alex
