https://www.infoq.com/news/2021/06/Sonatype-lift-code-analysis
Sonatype Lift Integrates Facebook Infer, Google ErrorProne, and Other Code Analyzers

Jun 21, 2021, 4 min read, by Sergio De Simone

Recently launched Sonatype Lift provides a unified code analysis platform that bundles over 25 tools to help developers identify a wide range of bugs in their development pipelines as early as possible, says Sonatype.

Sonatype Lift integrates with GitHub, GitLab, and BitBucket and reports the results of its analysis as peer code review comments attached to pull requests. This behaviour is key to Sonatype Lift's effectiveness, says Sonatype, since peer review has proven to improve bug fix rates by 70x.

Lift's 25-plus tools include Google ErrorProne, Facebook Infer, and many others, and cover 11 languages, including Java, C/C++, JavaScript, Python, Golang, Ruby, Kotlin, and Haskell.

Besides analyzing your own code base, Sonatype Lift also screens the open source dependencies you rely on by pulling software composition analysis (SCA) data from Sonatype's OSS Index. This makes it possible for Lift to report vulnerable open source libraries and include them as comments in code reviews.
InfoQ has spoken with Stephen Magill, VP of product innovation at Sonatype, to learn more.

InfoQ: Sonatype Lift integrates with the major code hosting platforms. How does it stack up against the features those platforms provide to help developers detect bugs and vulnerabilities? What additional benefit can development teams expect to gain with Sonatype Lift adoption?

Stephen Magill: Compared to native solutions, Sonatype Lift provides broader analysis, deeper intelligence and more extensible options when it comes to helping developers detect bugs and vulnerabilities. Sonatype Lift flags a wider range of issues and also goes beyond simple linting to surface subtle and high-impact errors that span files, like thread safety issues and resource leaks.

InfoQ: DevSecOps and ShiftLeft are becoming ever more popular with software development teams. Catching bugs and vulnerabilities as early as possible is key to improving a system's security. Could you comment on the current software security context?

Magill: Sonatype Lift is built on the premise of shifting code analysis left and bringing security into the developer workflow, and so those terms squarely apply. Lift is about finding and fixing bugs of all kinds, including security, as early as possible, and in a manner that makes it easiest for developers to fix. We believe that getting developer interaction right is an important part of effective efforts to shift left, and a major focus of Lift is presenting the right results (bugs that developers care about), at the right time (right after the code is written), and in the right context (presented as comments in code review). This combination has been shown to boost bug fix rates without impacting development speed. Lift is built for developers and so focuses on low false positive rates and on highlighting errors that are easy for developers to triage and fix.
Lift is not meant to replace Static Application Security Testing or security-specific analysis tools, which are built for security teams that have the time, expertise, and desire to perform a more thorough review of a code release. Rather, Lift complements SAST tools by surfacing a subset of high-confidence security issues that can be fixed early in the process, giving developers higher quality code and fewer issues later on in the SDLC. This actually makes SAST tools more valuable, as it enables security teams to focus on the complex and possibly subtle issues that remain.

InfoQ: What other areas of the software supply chain does Sonatype cater for with its line of products?

Magill: Sonatype caters to the complete software supply chain. Our mission is to give developers full control of their software development lifecycle with tools for third-party open source code, first-party source code, infrastructure as code (IaC), and containerized code. Our Nexus platform is widely used in Fortune 1000 companies and focuses on helping developers manage open source risk, so they can create better software, faster. The platform includes one of the most popular artifact repositories -- Nexus Repository -- and a best-in-class software composition analysis duo of Nexus Lifecycle and Nexus Firewall. We're particularly proud of a novel early warning detection system that relies upon machine learning, AI and behavior analysis to identify potentially malicious and suspicious open source components and prevent them from ever entering someone's SDLC.

InfoQ: What's on Sonatype Lift's roadmap? How will the product evolve in the near future?

Magill: It's always a difficult balance to provide a breadth and depth strategy to code quality, but we're excited about where Sonatype Lift is going and think we can do both. There are many different ecosystems developers write code in, and we're just scratching the surface. That's the biggest area we're focused on - expansion.
We're continuing to add new tools to cover more languages and bug categories, enabling any development team to get value from the platform, regardless of whether they are working on a line of business application in a mainstream language, developing deployment and infrastructure scripts, or iterating on data science notebooks. We'll also be adding new repository hosts to make Lift available to more developers. We'll continue to develop our metrics and learning capabilities to improve results and help teams improve their code quality and development efficiency. And lastly, we'll be integrating capabilities between Lift and Nexus to further improve insights and capabilities for customers who run the full suite of Sonatype's products. We plan on leveraging the years of experience Sonatype has in supporting software security practices at enterprise scale to bring new advanced capabilities to Lift customers, like insightful reporting, remediation recommendations, and robust integration with other services.

Sonatype Lift is free for public repositories and provides a premium tier for private repos.