The Cloud-native Platform, Sonatype Lift, Enables Developers To Find And Fix Performance, Reliability, And Security Bugs By Automatically Analyzing Pull Requests And Delivering Results As Comments In Code Review
Sonatype, the leader in developer-friendly tools for software supply chain automation and security, unveils Sonatype Lift (Lift), a first-of-its-kind, cloud-native, deep code analysis platform. Lift installs easily on any source repository in minutes and provides developer-friendly feedback on a wide range of bug types, ranging from lightweight style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.
Recommended ITech News: Amartus Launches nBrace 3.0 to Automate Inter-Provider Service Agreements for Emerging SD-WAN
In the past year cyber attacks have increased exponentially, as bad actors increasingly go after software supply chains to exploit vulnerabilities in commercial and open source code — evidenced in the SolarWinds and Codecov incidents. Even the world’s largest companies aren’t immune to software quality defects inadvertently reaching production. Apple recently reported critical vulnerabilities in its Webkit browser SDK and its iOS Kernel. As code quality issues increasingly become security issues, developers and security teams need to work together to ensure code is both reliable and secure. Further, as the recent Fastly outage demonstrated, innocent coding errors can cause as much damage as cyber attacks intentionally perpetrated by malicious actors.
Deep Code Analysis. Easy for Developers. Trusted by Security.
Created to make developers’ and security teams’ lives easier, Lift fosters collaboration between the two, providing a unified code analysis pipeline that brings 26+ tools across 11 languages to catch a wide range of bug types. Because Lift’s results are reported in code review, developers and security engineers can collaborate on how best (or whether) to fix reported issues. With reporting during the peer review window proven to dramatically improve fix rates, Lift’s ability to provide insights at this critical point will be instrumental in improving code quality.
This is the first code quality solution to bring the proven methods and technologies from Facebook (Infer) and Google (ErrorProne), and deliver them as a commercial platform. The unique way in which Lift works overcomes the challenges of conventional code analysis tools by making installation and configuration quick and easy, and leverages developer feedback to continuously improve results over time. By focusing on high-confidence bugs, Lift builds developer trust and ensures that when it does report, developers pay attention and fix the issues.
Recommended ITech News: Wipro Expands Partnership With Levi Strauss & Co. To Support Digital Commerce
Lift catches not just issues in the code developers write, but also in the open source libraries they rely upon by pulling software composition analysis data from Sonatype’s OSS Index to report vulnerable open source libraries as comments in code review.
“Developers are increasingly responsible for ensuring their code is both secure and high-quality. Typical code quality tools are limited to per-file analysis and don’t catch bugs that traverse files. While SAST tools do, they are security-focused and run by security teams. We built Lift to provide developers deep code analysis focused on catching performance and reliability bugs that can lead to critical vulnerabilities similar to those increasingly exploited in recent attacks,” said Brian Fox, Sonatype co-Founder and CTO. “And, we have done it in a way that helps developers fix more bugs, without slowing them down or requiring them to switch contexts.”
Strengthening the Developer and Open Source Communities
Lift will be free forever for public repositories and serves open source maintainers by helping secure the software supply chain at its source. Sonatype’s long standing commitment to supporting the world’s open source community began as a core contributor to Apache Maven and continues with its stewardship of the Maven Central Repository, free developers tools including its OSS vulnerability database, and being an active member of the OpenSSF Foundation.
Recommended ITech News: HQS And CQC Will Combine To Form World’s Largest, Most Advanced Quantum Business
