Included Analyzers

Lift leverages a broad range of analyzers that can be tailored to your code-base. Below is a list of the analyzers we’ve incorporated and made available within the Lift platform.

Want us to add your favorite open-source analysis tool to Lift? Visit our community and let us know what other tools you would like to use via Lift.

Infer

Languages: Java, C, C++

Website: https://fbinfer.com

Error Patterns: https://fbinfer.com/docs/all-issue-types

Infer was developed at Facebook and uses advanced compositional analysis techniques to provide deep insight into code behavior while keeping analysis times low. Infer checks Java for null pointer exceptions, resource leaks, performance issues, command injection and other information flow vulnerabilities, annotation consistency, and concurrency errors such as race conditions and deadlocks. Infer checks C/C++/Objective-C code for null pointer dereferences, memory leaks, coding convention violations, and API misuse errors.

ErrorProne

Languages: Java

Website: https://errorprone.info

Error Patterns: https://errorprone.info/bugpatterns

Developed by Google, this Java bug detection tool looks for language-specific error patterns and API misuse errors. It is implemented as a compiler extension, and so has access to type information, class hierarchies, and dependency data. This gives it deeper insight into the code than most linters and allows it to detect more bugs while maintaining a low false positive rate. ErrorProne can also be extended with custom rules.

FindSecBugs

Languages: Java

Website: https://find-sec-bugs.github.io

Error Patterns: https://find-sec-bugs.github.io/bugs.htm

This tool provides static analysis for security audits of Java web applications and Android applications, targeting many of the OWASP Top Ten categories.

Quandary

Languages: Java, C, C++

Website: https://fbinfer.com/docs/checker-quandary

Error Patterns: https://fbinfer.com/docs/checker-quandary#list-of-issue-types

Quandary is an extension of Infer that detects flows of values between sources and sinks that don’t pass through a “sanitizer”. It has a small list of built-in sources and sinks, but also provides a means for defining custom sources and sinks via a .inferconfig file placed in the same directory as the build files (see an example here). Quandary can be used to detect cross-site scripting, shell/SQL injection, untrusted data use, and logging of private data.

ESLint

Languages: JavaScript

Website: https://eslint.org

Error Patterns: https://eslint.org/docs/rules

ESLint is an open-source JavaScript linting utility that helps find problematic patterns or code that doesn’t adhere to a chosen set of style guidelines.

Semgrep

Languages: Multiple languages (Python, JavaScript, Java, Golang, and C, with more coming)

Website: https://github.com/returntocorp/semgrep

Semgrep is a lightweight static analysis tool for many languages. It finds and blocks bug variants using rules that look like the source code they match.

Staticcheck

Languages: Golang

Website: https://staticcheck.io

Staticcheck is a state-of-the-art linter for the Go programming language that finds bugs and performance issues, offers simplifications, and enforces style rules.

Golang-ci

Languages: Golang

Website: https://github.com/golangci/golangci

Our golangci-lint configuration aggregates and runs 9 Golang linters to catch a broad range of common Go errors.

Pyre

Languages: Python

Website: https://pyre-check.org

Error Patterns: https://pyre-check.org/docs/error-types.html

Pyre is a fast, scalable type checker for large Python 3 codebases, designed to help improve code quality and development speed by flagging type errors, following the typing standards introduced in PEP 484 and PEP 526. Pyre also includes the Pysa information flow analysis tool, which can be configured to detect and warn on flows between functions labeled as sources and sinks.

Bandit

Languages: Python

Website: https://pypi.org/project/bandit

Bandit is a security linter from PyCQA designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes.

Rubocop

Languages: Ruby

Website: https://rubocop.org

RuboCop is a Ruby code style checker (linter) and formatter based on the community-driven Ruby Style Guide.

Detekt

Languages: Kotlin

Website: https://github.com/detekt/detekt

Detekt is a static code analysis tool for the Kotlin programming language. It operates on the abstract syntax tree provided by the Kotlin compiler.

ShellCheck

Languages: Bash, Shell

Website: https://www.shellcheck.net

Error Patterns: https://github.com/koalaman/shellcheck/wiki/Checks

ShellCheck is a code analyzer for your shell scripts.

Cobra

Languages: C, C++

Website: http://spinroot.com/cobra/

Cobra is a structural source code analyzer. Fast and easy to configure, Cobra is an ideal choice for enforcing API usage rules without needing to compile the code.

Clippy

Languages: Rust

Website: https://github.com/rust-lang/rust-clippy

Clippy is a Rust linting tool with hundreds of lints to surface a broad range of issues in Rust code.

HLint

Languages: Haskell

Website: https://github.com/ndmitchell/hlint#readme

HLint is a tool for analysing Haskell projects that reports the shortcomings it discovers in a helpful way, along with possible solutions for the problems it detects. HLint searches not only for performance problems and error-prone code, but also helps establish and apply best practices drawn from the wider Haskell ecosystem.

Markdownlint - MDL (Disabled by Default)

Languages: Markdown

Website: https://github.com/markdownlint/markdownlint

MDL is a tool that checks Markdown files and flags style issues.

PMD (Disabled by Default)

Languages: Java, JavaScript, and others

Website: https://pmd.github.io

Error Patterns: https://pmd.github.io/pmd-6.23.0/pmd_rules_java.html

PMD finds common programming flaws such as unused variables, empty catch blocks, unnecessary object creation, and so forth.

PMD is not enabled by default. To add it, copy this line into your Lift configuration file.

customTools = [ "https://help.sonatype.com/lift/files/78578763/78578764/1/1623180860953/pmd.sh rulesets/java/quickstart.xml" ]

Click here to learn how to create a Lift configuration file.

Checkov (Disabled by Default)

Languages: Infrastructure code (Terraform, CloudFormation, Kubernetes)

Website: https://checkov.io

Error Patterns: https://github.com/bridgecrewio/checkov/blob/master/docs/3.Scans/resource-scans.md

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure managed in Terraform, CloudFormation, Kubernetes, ARM templates or the Serverless Framework and detects misconfigurations.