Language support for code reviews with \/review<\/h4>\n
Amazon Q can create\u00a0code reviews<\/a>\u00a0and provide automatic code fixes for files and projects written in the following languages:<\/p>\n <\/li>\n<\/ul>\n Also, in the list if the current supported languages is Java, but not Groovy<\/p>\n<\/div>\n First, you will need a GitHub account, a repository, and an Amazon Q Account.<\/p>\n Add the Amazon Q App to your GitHub account:<\/p>\n Go to settings (menu under your profile), then Applications:<\/p>\n Visit the Github Marketplace<\/a> in Applications and install Amazon Q Developer:<\/p>\n When you install, it should be for Free.\u00a0 It asks for a billing address — but don’t need a card or anything.\u00a0 You can also choose all or just particular repositories for Q access.<\/p>\n Q App should now be installed in your GitHub.<\/p>\n <\/p>\n Next connect the GitHub in Amazon Q Developer.\u00a0 Log in and go to Amazon Q Developer, then click into the GitHub portion to Register Installations.<\/p>\n Authorize Q, then Register.\u00a0 You’ll get a confirmation.<\/p>\n Now everything is connected, and it’s time to do a code review.<\/p>\n You can go out to an AI (Gemini in this case) and generate some bad code test files.\u00a0 I generated two — one for Groovy, and one for Java.\u00a0 SOme of the project I am on now is Groovy and the Amazon reps said it would work even though as of this date Groovy is not a supported language for Q.<\/p>\n <\/p>\n The prompts:<\/p>\n Here are the groovy and java test files to look at (printed as pdf):<\/p>\n badcode.groovy<\/a> badcode.java<\/a><\/p>\n These files have errors in them, which AWS should catch.\u00a0 I am not going to do an in-depthstudy of which errors it might see, just if the review works, and decorates, the code in GitHub or not.<\/p>\n <\/p>\n Isn’t AI great? you don’t even need to hire a real developer to get bad code.<\/p>\n <\/p>\n Here is a list of things that are wrong in these files, from Gemini.<\/p>\n Bad Groovy:<\/p>\n Bad Java:<\/p>\n <\/p>\n In my repository I have two branches, one for groovy and one for java, I’ll pull separate PRs and then wait for Q’s code review.<\/p>\n Java PR:<\/p>\n Groovy PR: Q is thinking about the review:<\/p>\n It takes a little time and here are the results for Java, which is finds many issues (more than listed here):<\/p>\n But with Groovy, an unsupported language, finds nothing:<\/p>\n\n
\n
![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-27-at-1.16.31\u202fPM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-27-at-1.27.52\u202fPM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-27-at-1.37.51\u202fPM.png\")
<\/a><\/p>\n\n
Security Issues<\/b><\/h3>\n
\n
insecureMethod()<\/code> concatenates user input directly into a shell command, which can allow an attacker to execute arbitrary commands.<\/li>\nvulnerableSql()<\/code> method builds a SQL query string by concatenating data, leaving it open to SQL injection attacks.<\/li>\ninsecureFileAccess()<\/code> method uses user input to access a file path without proper validation, which could allow an attacker to read sensitive files outside of the intended directory.<\/li>\n<\/ul>\nSyntax and Style Issues<\/b><\/h3>\n
\n
reutrn<\/code> keyword is misspelled, which will cause a compilation error.<\/li>\nprintln<\/code> statement, which will also cause a compilation error.<\/li>\nif (flag == true)<\/code> statement is redundant. A more concise and idiomatic Groovy style would be if (flag)<\/code>.<\/li>\nunusedVariable<\/code> is declared but never used, which is a common code smell that a good code review should identify.<\/li>\n<\/ul>\nSecurity Issues<\/b><\/h3>\n
\n
insecureMethod()<\/code> concatenates user input into a shell command using Runtime.getRuntime().exec()<\/code>. This is a classic command injection<\/b> vulnerability, as an attacker could provide input that executes malicious commands on the system.<\/li>\nvulnerableSql()<\/code> method builds a SQL query string by directly concatenating an int<\/code> and String<\/code> into the query. This leaves the application open to SQL injection<\/b> attacks, where an attacker could manipulate the query to gain unauthorized access to data.<\/li>\ninsecureFileAccess()<\/code> method uses a user-controlled path to create a File<\/code> object. Without proper validation, this is a directory traversal<\/b> vulnerability, allowing an attacker to access sensitive files outside the intended directory, such as \/etc\/passwd<\/code>.<\/li>\n<\/ul>\nSyntax and Style Issues<\/b><\/h3>\n
\n
reutrn<\/code>), and unmatched parentheses will cause the program to fail to compile, which is a major red flag in a code review.<\/li>\nflag == true<\/code> is redundant and considered bad practice in Java. A more idiomatic and concise style is simply if (flag)<\/code>. This is a common style issue<\/b> that a good code review should catch.<\/li>\nunusedVariable<\/code> is declared but never used. Most IDEs and compilers will issue a warning about this, as it indicates potentially dead code or a mistake. This is also a key code smell<\/b> to identify during a review.<\/li>\n<\/ul>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.09.26\u202fAM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.11.28\u202fAM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.12.31\u202fAM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.10.59\u202fAM.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.15.06\u202fAM.png\")
<\/a> ![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.15.15\u202fAM.png\")
<\/a><\/p>\n
![\"\"](\"http:\/\/10kdev.net\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-28-at-11.15.50\u202fAM.png\")
<\/a><\/p>\n