Software supply chain management and security tooling company Sonatype has acquired code analysis platform MuseDev, integrating the company and team into its existing Nexus platform, to expand its scope beyond third-party dependencies.
With Muse, software teams will get access to 24 pre-configured code analyzers, which will assess every pull request and offer feedback during code review. Alongside the addition of Muse, Sonatype has also added features around compliance in infrastructure as code, the ability to “virtually patch containers in the wild” with Nexus Container, and a soon-to-be added Advanced Legal Pack that will improve visibility into open source license obligation for software development and legal teams.
With all of these added features, the company says that its platform now provides a “full-spectrum control of the cloud native software development lifecycle.”
Sonatype co-founder and Chief Technology Officer Brian Fox sees the company’s latest release as part of a final maturation of the market, wherein the focus on many of these security tasks have been moved over to development teams.
“We’ve been building this platform all along to do these types of things. Now that development is really getting involved and really owning the dependency management problem end to end, it’s the right time for us to be able to really widen the scope of the things that we provide to them,” said Fox. “So, your source code via Muse, the containers via Nexus Container, Terraform and those types of scripts via the Infrastructure As Code, the Advanced Legal Pack takes our existing legal analysis and drives it a step further by being able to allow organizations to manage on the obligations of the licenses.”
The addition of Muse specifically adds a focus on in-house code creation, with Muse not only offering pre-configured code analysis tools, but also taking the results of those tools and inserting them into the pull request and code review process, creating a feedback loop to determine which bugs are ignored and which are fixed by developers. Muse also assists with rolling out code analysis tools at scale, since a codebase may consist of multiple languages requiring multiple tools, but Fox said that configuring code analysis tools wasn’t the hardest problem teams often faced.
“The harder problem is figuring out how do you configure it in such a way that you encourage developers to move forward and produce better software without dumping reams of previously unseen technical debt in their face, only to be summarily ignored,” said Fox. “By integrating into the pull request, they’re able to basically introduce the relevant findings in the piece of code that is either newly created or the parts of the code that are being touched at that particular time, so that it’s easy and natural for the developers to make the changes. The tool is able to monitor and learn the findings from the various tools, and understand which ones are the ones that are most likely to get fixed. When they do it this way, teams are 70 times more likely to actually fix the findings that are presented, versus just dumping all of the ones on them and expecting them to figure it out.”
While Sonatype is adding this focus on in-house code creation and analysis, Fox said that they are also looking forward to bringing this type of workflow, as introduced by Muse, to its existing tools. For example, issues around dependencies and licensing could be presented to teams in a similar fashion, so as not to overwhelm and cause alert fatigue.
“We envision taking the policy findings that Sonatype Nexus Lifecycle provides, and using this same developer-first kind of capability to present the information about the dependencies and legal issues and other things to them in the workflow and also build that learning feedback loop in the same way,” said Fox. “We think that this approach can take our already very good policy results that are specific and contextual and actionable, but bringing them into that feedback loop and learning from them will make it even better.”
Sonatype is a sponsor of The New Stack.