High-quality software applications are critically important for every IT-driven business. Software developers are in a good position since they are in high demand. In return, organizations which practice CI/CD and DevOps also expect a lot from them. Every now and then they raise the bar to require even higher-quality source code for their applications, infrastructure and other automated processes. This affects developers as well. The shift (security) left principle is quickly becoming one of the best practices in software development methodologies. Proper source code review processes support this. Quite often, this is still a manual task between developers; tools help to make it more efficient. Lift your source code quality with Sonatype Lift!
In short: the source code review process
Developers who collaborate often conduct peer reviews, which means they both analyze a piece of source code to judge whether it fits the intended business feature. By collaborating they gather details and practical information about the component, all with the idea of creating better software. This encompasses clean code which is maintainable, secure, according to industry standards, quick to build, etc.
Current way of working
The current way of working takes place in the version control system, but it is a manual process. Every commit on a feature branch (as opposed to Trunk Based Development) needs to be merged into the master branch sooner or later. Once a developer is happy with his/her change, he/she creates a pull request to merge the piece of source code into the mainline. It is this code that eventually goes to production, so it is critically important that the change works and has no issues which pop up later on in the process.
During the review process, team members can approve the change or add comments and suggestions to improve it. The developer who created the change can improve his/her source code. It is very common to reject the pull request, since there might be issues which can cause trouble sooner or later.
Among other things, this phase can be enhanced to ease the load on the reviewer and make the process faster.
Potential future way of working
One way to improve the current way of working is to add automation to this step. Automation helps to speed up this process and also to get more insightful information. Sonatype Lift does exactly that: it hooks into the pull request and/or peer review process to support developers in this phase.
Simply put, it is a Code Quality Analysis Platform that helps developers evaluate the quality of source code changes. Consider Sonatype Lift an extra virtual team member that provides contextual information and practical tips to improve the quality of every source code change. As a result, developers push better software to production, which relieves the pressure of fixing issues too late in the Software Development Life Cycle.
A quick introduction
The primary focus of Sonatype Lift is to hook into the source code change process while developers are working on it. It is considered a Static Application Security Testing (SAST) tool that works at an enterprise level. It works with your public and private Git repositories on GitHub, GitLab, and Bitbucket; Lift acts as a layer on top of these repositories while at the same time integrating deeply with them.
The tool acts as a bot on your source code repositories and scans them when changes occur. Just like a team member, it creates inline comments to offer tips and tricks to enhance the source code in the following categories: code style and other standards, security aspects, reliability, performance and vulnerabilities (e.g. by analyzing (references to) third-party dependencies). To do that, Lift utilizes the Open Source Index maintained by Sonatype itself.
A smart solution
Sonatype Lift is a smart solution since it learns automatically. Its learning module is based on Machine Learning (ML) and collects information about the issues developers have fixed in the past. It also learns how often those issues popped up in the past and what the actual solution looked like. Erroneous fixes are ignored.
This feature offers developers plenty of good options to speed up. It also shortens the trial-and-error phase in which developers probe for the best fix. Furthermore, it helps to grow the collective knowledge in the organization, since many of the proposed solutions are based on industry standards and (security) best practices. It extends the collective knowledge beyond what is available within your development teams.
One of the biggest advantages is that Lift finds issues which might otherwise go unnoticed. A tool that collects information from many sources and from previous fixes knows a lot more than an individual developer who is tasked with reviewing the pull request. Machine Learning helps to reduce the number of misses.
Talk to the bot
Developers can interact with the above-mentioned bot and instruct it, so that it behaves like a trusted companion. It supports the following commands:
- In case you think the bot is wrong, use @sonatype-lint ignore to flag a finding as a false positive. Lift acknowledges this and learns from your command, so the finding won’t show up in the current analysis report or in future reports and status bars.
- @sonatype-lint unignore does exactly the opposite of the above.
- To get help, use @sonatype-lint help to see the available options. Besides help, you can also use this command to enable or disable Lift for other projects.
As you can see, the bot becomes smarter the more you and/or your co-workers train it.
There are plenty of business benefits when using Lift alongside your other development processes. Consider these factors to assess its usefulness:
- Developers don’t need to change their software development processes such as handling pull requests and/or peer reviews.
- It’s both easier and quicker to fix issues early on in the software delivery phases.
- All suggestions by Lift come from a central set of rules (standard or customized by your organization), so there is a clear context for what to discuss. No more decentralized discussions on “what is the right solution” or “is this the expected level of quality”.
- Lift has standard APIs, which can be used, for example, to create a customized dashboard. This helps (Quality Assurance) managers to step in and set new goals based on the current quality level and their desire to raise it even further.
- It fits perfectly into the agenda of so-called “software quality” improvement plans. By customizing the rules and rejecting poor-quality source code, you can constantly improve it and roll it out across the entire organization.
- Don’t let risk officers interrupt developers by banging on their door to “fix another issue”; they can continue to concentrate on their primary task: creating cool features.
So far so good; these benefits extend to the entire organization.
I can hardly find any cons. Perhaps the only one is that developers need to learn “yet another tool”. But since it blends into their existing processes without interference, this is not a big issue. Sonatype claims to focus on as few false positives as possible, so this also helps to focus on the things which really matter. Another issue to take into account: as of today it does not support Azure DevOps Git repositories, but since these Git repositories will migrate to GitHub (Enterprise) later on, this is not a very important issue.
How to start
By the time you reach this part of the article you might want to try Lift out. The following steps briefly describe the installation and configuration. Lift is an application you need to install alongside your Git repositories.
- First of all, log in to your GitHub account.
- Go to the application settings page and click Install.
- Select a single repository or all of them to analyze.
- You can now browse through all of your repositories and select the branch of each one to analyze. Analyzing a repository takes roughly 2 times the build time of the selected branch.
- View the analysis report to find existing issues in your source code.
From here on, Lift is configured and hooks into your software development workflow the moment a pull request is created and picked up by a team member.
In every organization there is always a lot of debate, or even dispute, about code quality. Reviewing pull requests and conducting peer reviews help to push things in the right direction. However, this takes time, and sometimes it is not done thoroughly or is even forgotten. Sonatype Lift blends into these processes to help developers by submitting (inline) comments on problematic source code. It learns from previous fixes and manual interventions by developers as well as from external sources. This makes it a very useful tool to speed up source code review processes and to reduce the number and severity of source code issues, such as security-related problems and vulnerabilities, which might otherwise end up in production. To reduce the time and money spent fixing these kinds of issues, be sure to give Lift a try in your next sprint.