Sonatype Lift aims to elevate ‘pull request’ analysis

Software supply chain automation is a perhaps unloved sub-genre of the total information technology landscape.

But that is not the case at Maryland-based Sonatype: the company, which likes to style itself as a ‘developer-friendly tools’ operation, positively specialises in software supply chain automation and security.

Not to be confused with the brand of instant lemon tea by the same name, Sonatype this season introduced its Lift cloud-native, deep code analysis platform.

Sonatype Lift enables developers to find and fix performance, reliability and security bugs by automatically analysing pull requests and delivering results as comments in code review.

Lift installs on any source repository and provides feedback on a wide range of bug types, ranging from lightweight style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

In the past year cyber attacks have increased exponentially, as bad actors increasingly go after software supply chains to exploit vulnerabilities in commercial and open source code — evidenced in the SolarWinds and Codecov incidents.

As the recent Fastly outage demonstrated, innocent coding errors can cause as much damage as cyber attacks intentionally perpetrated by malicious actors.

Deep code analysis

“Created to make developers’ and security teams’ lives easier, Lift fosters collaboration between the two, providing a code analysis pipeline that brings 26+ tools across 11 languages to catch a wide range of bug types. Because Lift’s results are reported in code review, developers and security engineers can collaborate on how best (or whether) to fix reported issues,” said Brian Fox, Sonatype co-founder and CTO.

With reporting during the peer review window proven to improve fix rates, Lift’s ability to provide insights at this point could be instrumental in improving code quality.

Fox explains that this is the first code quality solution to bring methods and technologies from Facebook (Infer) and Google (ErrorProne) and deliver them as a commercial platform.

“The way in which Lift works overcomes the challenges of conventional code analysis tools by making installation and configuration quick and easy, and leverages developer feedback to continuously improve results over time. By focusing on high-confidence bugs, Lift builds developer trust and ensures that when it does report, developers pay attention and fix the issues,” said Fox and team.

Open source suitability

Lift catches issues not just in the code developers write, but also in the open source libraries they rely upon: it pulls software composition analysis data from Sonatype’s OSS Index and reports vulnerable open source libraries as comments in code review.

“Developers are increasingly responsible for ensuring their code is both secure and high-quality. Typical code quality tools are limited to per-file analysis and don’t catch bugs that traverse files. While SAST tools do, they are security-focused and run by security teams. We built Lift to provide developers deep code analysis focused on catching performance and reliability bugs that can lead to critical vulnerabilities similar to those increasingly exploited in recent attacks,” said Fox.

Lift will be free forever for public repositories and serves open source maintainers by helping secure the software supply chain at its source.

Sonatype’s commitment to supporting open source began as a core contributor to Apache Maven and continues with its stewardship of the Maven Central Repository and free developer tools, including its OSS vulnerability database.