Sonatype Lift Debuts
June 16, 2021
Lift (Lift) is a first-of-its-kind, cloud-native, deep code analysis
platform. Lift installs easily on any source repository in minutes and
provides developer-friendly feedback on a wide range of bug types,
ranging from lightweight style issues to complex coding errors commonly
found in first-party source code and third-party open source libraries.
In the past year cyber attacks have increased exponentially, as bad
actors increasingly go after software supply chains to exploit
vulnerabilities in commercial and open source code -- evidenced in the
SolarWinds and Codecov incidents. Even the world’s largest companies
aren't immune to software quality defects inadvertently reaching
production. Apple recently reported critical vulnerabilities in its
Webkit browser SDK and its iOS Kernel. As code quality issues
increasingly become security issues, developers and security teams need
to work together to ensure code is both reliable and secure. Further, as
the recent Fastly outage demonstrated, innocent coding errors can cause
as much damage as cyber attacks intentionally perpetrated by malicious
Deep Code Analysis. Easy for Developers. Trusted by Security.
Created to make developers’ and security teams' lives easier, Lift
fosters collaboration between the two, providing a unified code analysis
pipeline that brings 26+ tools across 11 languages to catch a wide range
of bug types. Because Lift’s results are reported in code review,
developers and security engineers can collaborate on how best (or
whether) to fix reported issues. With reporting during the peer review
window proven to dramatically improve fix rates, Lift’s ability to
provide insights at this critical point will be instrumental in
improving code quality.
This is the first code quality solution to bring the proven methods and
technologies from Facebook (Infer) and Google (ErrorProne), and deliver
them as a commercial platform. The unique way in which Lift works
overcomes the challenges of conventional code analysis tools by making
installation and configuration quick and easy, and leverages developer
feedback to continuously improve results over time. By focusing on
high-confidence bugs, Lift builds developer trust and ensures that when
it does report, developers pay attention and fix the issues.
catches not just issues in the code developers write, but also in the
open source libraries they rely upon by pulling software composition
analysis data from Sonatype’s OSS Index to report vulnerable open source
libraries as comments in code review.
"Developers are increasingly responsible for ensuring their code is both
secure and high-quality. Typical code quality tools are limited to
per-file analysis and don’t catch bugs that traverse files. While SAST
tools do, they are security-focused and run by security teams. We built
Lift to provide developers deep code analysis focused on catching
performance and reliability bugs that can lead to critical
vulnerabilities similar to those increasingly exploited in recent
attacks,” said Brian Fox, Sonatype co-Founder and CTO. “And, we have
done it in a way that helps developers fix more bugs, without slowing
them down or requiring them to switch contexts.”
Strengthening the Developer and Open Source Communities
Lift will be free forever for public repositories and serves open source
maintainers by helping secure the software supply chain at its source.
Sonatype’s long standing commitment to supporting the world’s open
source community began as a core contributor to Apache Maven and
continues with its stewardship of the Maven Central Repository, free
developers tools including its OSS vulnerability database, and being an
active member of the OpenSSF Foundation.