Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.
Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.
Research from Veracode last year found that open-source libraries introduce security flaws into around 70 percent of applications. At the same time, open-source libraries are often critical to projects, so simply avoiding them is rarely an option.
Using a deep code analysis platform like Lift, which can be installed in any source repository in minutes, helps teams keep the benefits of open-source libraries while catching the defects they bring in.
Brian Fox, Co-Founder and CTO of Sonatype, said:
“Developers are increasingly responsible for ensuring their code is both secure and high-quality. Typical code quality tools are limited to per-file analysis and don’t catch bugs that traverse files. While SAST tools do, they are security-focused and run by security teams.
We built Lift to provide developers deep code analysis focused on catching performance and reliability bugs that can lead to critical vulnerabilities similar to those increasingly exploited in recent attacks. And we have done it in a way that helps developers fix more bugs, without slowing them down or requiring them to switch contexts.”
This past year has seen a sharp rise in large-scale cyberattacks that exploited vulnerabilities in commercial and open-source code, with SolarWinds and Codecov being obvious examples. Apple was also recently forced to rush out patches across its operating systems to fix critical WebKit and iOS kernel vulnerabilities.
Meanwhile, a coding error at content delivery network Fastly led to a massive outage that hit Amazon, Reddit, The Guardian, and the New York Times earlier this month. This shows how even innocent mistakes can have devastating and widespread consequences.
Lift’s unified code analysis pipeline brings together 26+ tools across 11 languages to catch a wide range of bug types, and it builds on the proven methods and technologies behind Facebook’s Infer and Google’s Error Prone.
Sonatype says that Lift will forever be free for public repositories as part of its long-standing commitment to supporting the world’s open-source community.
You can try Lift for free on GitHub today.