Software supply chain automation is a perhaps unloved subgenre of the entire IT landscape.
But that is not the case at Maryland-based Sonatype, a company that likes to describe itself as a ‘developer friendly tools’ operation and positively specializes in software supply chain automation and security.
Not to be confused with the brand of instant lemon tea of the same name, Sonatype this season unveiled its in-depth, cloud-native code analysis platform, Lift.
Sonatype Lift allows developers to find and fix performance, reliability and security bugs by automatically analyzing pull requests and posting the results as comments in the code review.
Lift installs on any source repository and provides feedback on a wide range of bug types, from lightweight styling issues to complex coding errors commonly found in proprietary source code and third-party open source libraries.
Over the past year, cyber attacks have grown exponentially, with malicious actors increasingly targeting software supply chains to exploit vulnerabilities in open-source and commercial code, as the SolarWinds and Codecov incidents showed.
As the recent Rapid failure demonstrated, innocent coding errors can cause as much damage as cyber attacks carried out deliberately by malicious actors.
Deep code analysis
“Created to make life easier for developers and security teams, Lift fosters collaboration between the two, providing a code analysis pipeline that brings more than 26 tools in 11 languages to detect a wide range of bug types. Since Lift’s results are reported in the code review, developers and security engineers can collaborate on how (or if) best to resolve reported issues,” said Brian Fox, co-founder and CTO of Sonatype.
With reporting during the peer-review window proven to improve fix rates, Lift’s ability to surface findings at exactly that point could help raise the quality of the code.
“The way Lift works overcomes the challenges of conventional code analysis tools by making installation and configuration quick and easy, and leverages developer feedback to continually improve results over time. By focusing on high-trust bugs, Lift builds developer confidence and ensures that when they report, developers pay attention and resolve issues,” said Fox and his team.
Open source suitability
Lift detects problems not only in the code that developers write but also in the open source libraries they depend on, by pulling software composition analysis data from Sonatype’s OSS Index and reporting vulnerable open source libraries as comments in the code review.
“Developers are increasingly responsible for ensuring that their code is both secure and of high quality. Typical code quality tools are limited to file-based scanning and do not catch bugs that traverse files. While SAST tools do, they are security focused and managed by security teams. We built Lift to provide developers with in-depth code analysis focused on detecting performance and reliability bugs that can lead to critical vulnerabilities similar to those increasingly exploited in recent attacks,” Fox said.
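The pattern described above, dependency coordinates looked up against a vulnerability database and the hits surfaced as review comments on the lines that introduced them, can be sketched in a few dozen lines. The following is an added example and not Sonatype’s or Lift’s code: it parses a constructed requirements.txt into Package URLs, builds the JSON body that the public OSS Index v3 component-report endpoint accepts, and turns a constructed (placeholder, non-real) response into comment objects keyed by file path and line number. The request shape and the fields read from the response are an assumption about that API, and no network call is made.

```python
"""Added example, not Sonatype's code: dependency pins -> Package URLs ->
OSS Index request body -> code-review comments. Runs fully offline on a
constructed sample; the HTTP POST itself is left to the caller."""
import json
import re
from typing import Dict, List

# Real public endpoint; the request/response shape below is an assumption.
OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"

# Constructed sample requirements.txt (one pinned dependency per line).
REQUIREMENTS = """\
requests==2.25.1
# tooling
flask==2.0.1
pyyaml==5.3
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+]+)\s*$")


def parse_requirements(text: str) -> Dict[str, int]:
    """Map each pinned PyPI dependency to its Package URL and 1-based line number."""
    purls: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(line)
        if not m:
            continue  # comments, blank lines, unpinned specs are skipped
        name, version = m.group(1).lower(), m.group(2)
        purls[f"pkg:pypi/{name}@{version}"] = lineno
    return purls


def build_request(purls: Dict[str, int]) -> str:
    """JSON body to POST to OSS_INDEX_URL (assumed shape: {"coordinates": [...]})."""
    return json.dumps({"coordinates": sorted(purls)})


# Constructed response; the id, title and score are placeholders, not real advisories.
SAMPLE_RESPONSE = [
    {"coordinates": "pkg:pypi/pyyaml@5.3",
     "vulnerabilities": [{"id": "PLACEHOLDER-ID-1",
                          "title": "Constructed sample finding",
                          "cvssScore": 9.8}]},
    {"coordinates": "pkg:pypi/requests@2.25.1", "vulnerabilities": []},
    {"coordinates": "pkg:pypi/flask@2.0.1", "vulnerabilities": []},
]


def review_comments(response: List[dict], purls: Dict[str, int],
                    path: str = "requirements.txt",
                    min_score: float = 7.0) -> List[dict]:
    """Turn component reports into review comments anchored to the pin line.

    Findings below min_score are dropped so reviewers only see high-severity
    hits; components not present in the parsed file are ignored."""
    comments: List[dict] = []
    for comp in response:
        purl = comp.get("coordinates")
        if purl not in purls:
            continue
        for vuln in comp.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore", 0.0))
            if score < min_score:
                continue
            comments.append({
                "path": path,
                "line": purls[purl],
                "body": f"{purl}: {vuln['title']} (CVSS {score:.1f}, {vuln['id']})",
            })
    return comments


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print(build_request(pins))
    for c in review_comments(SAMPLE_RESPONSE, pins):
        print(f"{c['path']}:{c['line']} {c['body']}")
```

In a real pipeline the body from build_request would be POSTed to the endpoint and the comments posted through the code host’s review API; the severity threshold is the knob that keeps the review thread from filling with low-signal findings.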
Lift will be forever free for public repositories and will serve open source maintainers by helping to secure the software supply chain at its source.
Sonatype’s commitment to supporting open source began with its role as a main contributor to Apache Maven and continues with its stewardship of the Maven Central repository and free developer tools, including its OSS vulnerability database.