Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Sonatype Lift Integrates Facebook Infer, Google ErrorProne, and Other Code Analyzers

Sonatype Lift Integrates Facebook Infer, Google ErrorProne, and Other Code Analyzers

This item in japanese

Recently launched Sonatype Lift provides a unified code analysis platform that includes over 25 tools to help developers identify a wide range of bugs in their development pipelines as soon as possible, says Sonatype.

Sonatype Lift integrates with GitHub, GitLab, and BitBucket to report the results of its analysis in peer code reviews attached to pull requests. This behaviour is key for Sonatype Lift effectiveness, says Sonatype, since peer review has proven to improve bug fix rates by 70x.

Lift includes over 25 tools, including Google ErrorProne, Facebook Infer, and many others, and works with 11 languages, including Java, C/C++, JavaScript, Python, Golang, Ruby, Kotlin, Haskell, and others.

Besides analyzing your own code base, Sonatype Lift also screens open source dependencies you rely upon by pulling software composition (SCA) data from Sonatype’s OSS Index. This makes it possible for Lift to report vulnerable open source libraries and include them as comments in code reviews.

InfoQ has spoken with Stephen Magill, VP of product innovation at Sonatype, to learn more.

InfoQ: Sonatype Lift integrates with the major code hosting platforms. How does it stack against the features those platforms provide to help developers detect bugs and vulnerabilities? What additional benefit can development teams expect to gain with Sonatype Lift adoption?

Stephen Magill: Compared to native solutions, Sonatype Lift provides broader analysis, deeper intelligence and more extensible options, when it comes to helping developers detect bugs and vulnerabilities. Sonatype Lift flags a wider range of issues and also goes beyond simple linting to surface subtle and high-impact errors that span files like thread safety issues and resource leaks.

InfoQ: DevSecOps and ShiftLeft are becoming ever more popular with software development teams. Catching bugs and vulnerabilities as early as possible is key to improving a system's security. Could you comment on the current software security context?

Magill: Sonatype Lift is built on the premise of shifting code analysis left and bringing security into the developer workflow, and so those terms squarely apply. Lift is about finding and fixing bugs of all kinds, including security, as early as possible, and in a manner that makes it easiest for developers to fix. We believe that getting developer interaction right is an important part of effective efforts to shift left and a major focus of Lift is presenting the right results (bugs that developers care about), at the right time (right after the code is written), and in the right context (presented as comments in code review). This combination has been shown to boost bug fix rates without impacting development speed.

Lift is built for developers and so focuses on low false positive rates and highlighting errors that are easy for developers to triage and fix. Lift is not meant to replace Static Application Security Testing or security-specific analysis tools, which are built for security teams that have the time, expertise, and desire to perform a more thorough review of a code release. Rather, Lift complements SAST tools by surfacing a subset of high-confidence security issues that can be fixed early in the process, giving developers higher quality code and fewer issues later on in the SDLC. This actually makes SAST tools more valuable, as it enables security teams to focus on the complex and possibly subtle issues that remain.

InfoQ: What other areas of the software supply chain does Sonatype cater for with its line of products?

Magill: Sonatype caters to the complete software supply chain. Our mission is to give developers full control of their software development lifecycle with tools for third-party open source code, first-party source code, infrastructure as code (IaC), and containerized code. Our Nexus platform is widely used in Fortune 1000 companies and focuses on helping developers manage open source risk, so they can create better software, faster. The platform includes one of the most popular artifact repositories — Nexus Repository — and a best-in-class software composition analysis duo of Nexus Lifecycle and Nexus Firewall. We’re particularly proud of a novel early warning detection system that relies upon machine learning, AI and behavior analysis, to identify potentially malicious and suspicious open source components and prevent them from ever entering someone’s SDLC.

InfoQ: What's on Sonatype Lift roadmap? How will the product evolve in the near future?

Magill: It’s always a difficult balance to provide a breadth and depth strategy to code quality, but we’re excited about where Sonatype Lift is going and think we can do both. There are many different ecosystems developers write code in and we’re just scratching the surface. That’s the biggest area we’re focused on - expansion.

We’re continuing to add new tools to cover more languages and bug categories, enabling any development team to get value from the platform, regardless of whether they are working on a line of business application in a mainstream language, developing deployment and infrastructure scripts, or iterating on data science notebooks.

We’ll also be adding new repository hosts to make Lift available to more developers. We’ll continue to develop our metrics and learning capabilities to improve results and help teams improve their code quality and development efficiency. And lastly, we’ll be integrating capabilities between Lift and Nexus to further improve insights and capabilities for customers who run the full suite of Sonatype’s product.

We plan on leveraging the years of experience Sonatype has in supporting software security practices at enterprise scale to bring new advanced capabilities to Lift customers like insightful reporting, remediation recommendations, and robust integration with other services.

Sonatype Lift is free for public repositories and provides a premium tier for private repos.

Rate this Article