SonarCloud detects injection vulnerabilities in your AWS Lambda written in Python

Hello Python developers,

We extended our support of AWS Lambdas analysis to Python and SonarCloud is now able to detect injection vulnerabilities in Lambdas written in Python. This works if the Lambdas are configured using SAM / CloudFormation or Serverless .

In the following example, the Serverless configuration file declares an AWS Lambda that will invoke the function handler.test1:

service: myservice
frameworkVersion: '2'

  name: aws
  runtime: python3.6
  lambdaHashingVersion: 20201221

  individually: true

  - serverless-python-requirements


    handler: handler.test1
      - http:
          path: /test1
          method: get

SonarCloud determine that `hanlder.test1" will be invoked by the Lambda and that malicious inputs can reach it and raise a Vulnerability issue:

Note: this feature works if the Python code is in a file, which implies that Python code declared in InlineCode field are not considered by the analyzer.

This change is available on SonarCloud now and will be included in SonarQube Developer Edition 9.2.


1 Like