Sonatype Lift integrates Facebook Infer, Google ErrorProne and other code analyzers
The recently launched Sonatype Lift provides a unified code analysis platform that includes more than 25 tools to help developers identify a wide range of bugs in their development pipelines as early as possible, says Sonatype.
Sonatype Lift integrates with GitHub, GitLab and BitBucket to report the results of its analysis in the peer code reviews attached to pull requests. This behavior is critical for the effectiveness of Sonatype Lift, explains Sonatype, as peer review has been shown to improve bug fix rates by 70 times.
In addition to analyzing your own code base, Sonatype Lift also scans the open source dependencies you rely on by extracting Software Composition Analysis (SCA) data from [Sonatype OSS Index](https://ossindex.sonatype.org). This allows Lift to flag vulnerable open source libraries and surface them as comments in code reviews.
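As an added example that is not Sonatype Lift's code, the following Python script shows the mechanics the paragraph describes: SCA findings for the components a project declares are matched against the dependency manifest in the pull request and rendered as review comments anchored to the line that declares the vulnerable package. It assumes a component report in the shape of the OSS Index v3 component-report API (a list of objects with a package-URL `coordinates` field and a `vulnerabilities` list carrying `id`, `title` and `cvssScore`) and a pip requirements file with pinned versions; both inputs are constructed samples, and the vulnerability ids are placeholders.

```python
"""Added example, not Sonatype Lift's code: map software composition
analysis (SCA) findings onto a dependency manifest and render them as
code-review comments.

Assumptions (not from the article): the component report follows the
OSS Index v3 component-report shape; the manifest is a pip requirements
file with pinned versions. Both inputs below are constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed requirements file, as it would appear in the pull request.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies
widgetlib==1.2.0
utilkit==3.0.1
"""

# Constructed component report in the assumed OSS Index v3 shape.
# Vulnerability ids are placeholders, not real advisories.
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:pypi/widgetlib@1.2.0",
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "title": "Deserialization of untrusted data", "cvssScore": 9.8},
            {"id": "EXAMPLE-0002", "title": "Path traversal in resource loader", "cvssScore": 5.3},
        ],
    },
    {"coordinates": "pkg:pypi/utilkit@3.0.1", "vulnerabilities": []},
]

# Matches "name==version" with an optional trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)\s*(?:#.*)?$")


def manifest_coordinates(text):
    """Return {package_url: line_number} for every pinned requirement (1-based lines)."""
    coords = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(line)
        if m:
            name, version = m.group(1).lower(), m.group(2)
            coords[f"pkg:pypi/{name}@{version}"] = lineno
    return coords


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


@dataclass
class ReviewComment:
    path: str          # file the comment is attached to
    line: int          # line declaring the vulnerable dependency
    highest_cvss: float
    body: str


def review_comments(report, manifest_text, manifest_path="requirements.txt", min_cvss=0.0):
    """Build one review comment per declared component that has findings at or above min_cvss."""
    coords = manifest_coordinates(manifest_text)
    comments = []
    for component in report:
        purl = component["coordinates"]
        if purl not in coords:
            continue  # reported component is not declared in this manifest
        vulns = [v for v in component.get("vulnerabilities", [])
                 if float(v.get("cvssScore", 0)) >= min_cvss]
        if not vulns:
            continue
        vulns.sort(key=lambda v: -float(v["cvssScore"]))  # most severe first
        worst = float(vulns[0]["cvssScore"])
        plural = "y" if len(vulns) == 1 else "ies"
        header = (f"{purl}: {len(vulns)} known vulnerabilit{plural} "
                  f"(highest CVSS {worst:.1f}, {severity(worst)})")
        details = [f"- {v['id']} (CVSS {float(v['cvssScore']):.1f}): {v['title']}" for v in vulns]
        comments.append(ReviewComment(manifest_path, coords[purl], worst, "\n".join([header] + details)))
    # Reviewers see the most severe components first.
    comments.sort(key=lambda c: (-c.highest_cvss, c.line))
    return comments


if __name__ == "__main__":
    for c in review_comments(SAMPLE_REPORT, SAMPLE_REQUIREMENTS):
        print(f"{c.path}:{c.line}\n{c.body}\n")
```

The `min_cvss` threshold is the knob that keeps such comments low-noise: a team can choose to surface only high and critical findings in review while the full report still goes to the security team.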
InfoQ spoke with Stephen Magill, Vice President of Product Innovation at Sonatype, to find out more.
InfoQ: Sonatype Lift integrates with the main code hosting platforms. How does it compare to the functionality provided by these platforms to help developers find bugs and vulnerabilities? What additional benefit can development teams hope to gain from adopting Sonatype Lift?
Magill: Compared to native solutions, Sonatype Lift provides broader analysis, deeper intelligence, and more scalable options when it comes to helping developers detect bugs and vulnerabilities. Sonatype Lift reports a wider range of issues and goes beyond simple linting to reveal subtle, high-impact errors that span files, such as thread safety issues and resource leaks.
InfoQ: DevSecOps and ShiftLeft are increasingly popular with software development teams. Detecting bugs and vulnerabilities as early as possible is essential to improving the security of a system. Can you comment on the current context of software security?
Magill: Sonatype Lift is based on the principle of shifting code analysis to the left and bringing security into the developer’s workflow, so these terms apply perfectly. Lift is all about finding and fixing bugs of all kinds, including security, as early as possible, and in a way that makes it easier for developers to fix. We believe that the right interaction with developers is an important part of effective efforts to shift left, and one of Lift’s main goals is to present the right results (bugs developers care about), at the right time (right after writing the code) and in the correct context (presented as comments in the code review). This combination has been shown to increase bug fixing rates without affecting development speed.
Lift is designed for developers and therefore focuses on low false positive rates and highlighting errors that are easy for developers to sort out and correct. Lift is not intended to replace static application security testing or security-specific analysis tools, which are designed for security teams who have the time, expertise and desire to conduct a more in-depth review of code. Rather, Lift complements the SAST tools by revealing a subset of highly reliable security issues that can be fixed early in the process, giving developers higher quality code and fewer issues later in the SDLC. This makes SAST tools more valuable, as it allows security teams to focus on the complex and possibly subtle issues that remain.
InfoQ: What other areas of the software supply chain does Sonatype cover with its product line?
Magill: Sonatype addresses the entire software supply chain. Our mission is to give developers full control of their software development lifecycle with tools for third-party open source code, proprietary source code, infrastructure as code (IaC), and containerized code. Our Nexus platform is widely used in Fortune 1000 enterprises and aims to help developers manage open source risks, so they can build better software, faster. The platform includes one of the most popular artifact repositories – Nexus Repository – and a premier software composition analysis duo of Nexus Lifecycle and Nexus Firewall. We are especially proud of a new early warning detection system that leverages machine learning, AI and behavior analysis to identify potentially malicious and suspicious open source components and prevent them from entering someone’s SDLC.
InfoQ: What is on Sonatype Lift’s roadmap? How will the product evolve in the near future?
Magill: It’s always a difficult balance to provide a breadth and depth strategy for code quality, but we’re excited about the direction Sonatype Lift is taking and believe we can do both. There are many different ecosystems where developers write code and we are only scratching the surface. This is the most important area we are focusing on – expansion.
We continue to add new tools to cover more languages and bug categories, allowing any development team to take advantage of the platform, whether they are working on a line-of-business application in a given language, developing deployment and infrastructure scripts, or iterating on data science notebooks.
We will also be adding new repository hosts to make Lift available to more developers. We will continue to develop our metrics and learning capabilities to improve results and help teams improve the quality of their code and the effectiveness of their development. And finally, we will integrate capabilities between Lift and Nexus to further enhance the information and capabilities of customers running the full suite of Sonatype products.
We plan to leverage Sonatype’s years of experience supporting enterprise-wide software security practices to bring new advanced features to Lift customers, such as insightful reporting, remediation recommendations, and robust integration with other services.
Sonatype Lift is free for public repositories and offers a premium tier for private repositories.