Development / Security

Sonatype Lift, a Deep Code Analysis Platform

17 Jun 2021 4:00am, by

Software supply chain management and security tooling company Sonatype has released Sonatype Lift, a deep code analysis platform that gives developers the ability to scan for a wide range of bug types and code issues.

The launch follows the company’s acquisition of code analysis platform MuseDev earlier this year, and Stephen Magill, formerly MuseDev CEO and now vice president of product innovation at Sonatype, says that Lift is a combination of the technology originally developed at MuseDev with software composition analysis capabilities that were already in development at Sonatype.

“Those really came together in this Lift product,” Magill said. “There was great alignment from a technology perspective, also from an engineering and culture perspective, once we got in there and started working together. It’s really enabled us to pretty quickly combine these technology bases and provide this product.”

Part of that alignment comes from Magill’s area of expertise. Magill, whose background is in the static analysis, explained that just getting some of the tools up and running can be the first problem for developers looking to analyze their code. Lift brings a variety of analyzers, including Infer from Facebook and ErrorProne from Google, that work across 11 different languages — Java, C, C++, JavaScript, Python, Golang, Ruby, Kotlin, Shell, Haskell, and Markdown — directly into their existing workflow in minutes.

“I did my Ph.D. in that area, and, for some of these capabilities, that’s sort of expertise you need to really get the most out of the tool and get it up and running in the optimal way. And so we have provided that expertise, packaged it up, built a lot of automation around the deployment of these tools, so that it is really easy to get up and running with them in a push-button manner,” said Magill.

Lift supports GitHub, GitLab, and Bitbucket, where the tool analyzes the code and integrates the results as part of the code review process, taking a page from Facebook, which noticed during its testing of its Infer analyzer that code review integration improved bug fix rates by 70%.

“I think that’s a great example of the importance of getting integration right, getting the developer experience right, and if you can do that, you can get it to the point where it’s actually easier to just fix the bug in the moment than have a discussion about whether it should be fixed or when,” said Magill.

Lift scans not only the code repository in question but analyzes dependencies as well, bringing in software composition analysis (SCA) data from Sonatype’s OSS INDEX to report vulnerable open source libraries. Beyond security issues, Lift also looks for style issues and code quality issues that might affect performance. Magill offered the example of using the override annotation in Java when you’re explicitly overriding a method from a superclass as something Lift will surface during code review.

“That’s sort of best practice. You can get away with not doing it, the compiler will complain but the code will compile fine. But it really is something that most Java teams that you talk to, they would prefer to have that in there and have that enforced,” explained Magill.

In addition, Magill said that Lift goes beyond other tools by bringing “deep code quality scanners” to its users, which find issues that would otherwise go unnoticed.

“There are tools that look for very localized patterns around, say, null pointer exceptions — are you assigning null at the beginning of a method and dereferencing it in that same method. We go beyond that and look across the codebase,” Magill said. “We’ll even flag things like, ‘Oh, you’re using this library function in a way that can cause a null pointer exception,’ and you’ve probably never even looked at the source code for that library function, so if you don’t know that, in certain cases, it returns null. We’ll surface that.”

Lift is available both as SaaS and as on-prem for Sonatype users, and Magill said that the next steps for Lift are to make sure it works well for Sonatype’s enterprise users. Already, Sonatype has developed “a lot of automation around how we configure these tools,” said Magill, but moving forward that needs to be brought to the scale necessary for enterprise users.

“It’s also really important when it comes to deploying a capability like this at scale across a large enterprise, because if you think, ‘Okay, I’m going to take this tool and roll it out across 2,000 repositories,’ you don’t want to configure it by hand for those 2000 repositories. That’s going to be awful. So, that sort of automation is super important for applying it at scale and addressing that enterprise use case,” Magill said.

A newsletter digest of the week’s most important stories & analyses.