- Lift thought there was a bug, but I’m confident it is wrong (impossible).
- Lift couldn’t understand my build system / complained about not being able to produce a compilation database
- I have a multi-project repository and I want Lift to only run on one particular project
- My custom build script has the error “E: Unable to locate package ‘packagename’”
- My Android project is not building in Lift
- I don’t have my own repository, but I still want to try Lift
- I am wondering what utilities are available to Lift analysis by default
- I have a problem that is not addressed here
Lift thought there was a bug, but I’m confident it is wrong (impossible).
By design, Lift only surfaces new bugs as pull request comments. False positives can be ignored by clicking “resolve” or responding with “ignore bug”. If you’re still asking “How do I understand how Lift came to its conclusions?” or want to improve the situation, then consider:
- Think through your project - is the type of bug reasonable? Not all bugs are reasonable to surface for all projects and it might be worth adding this bug to the ignore list in your Lift configuration.
- Lift orchestrates a collection of tools. Look at which tool detected the bug. At https://lift.sonatype.com/ you can see your analysis results and which tool was responsible.
- Tool in hand, consider the tool’s configuration parameters. Most Lift tools are open source and support in-repository configurations.
- Contact us! We’re working hard to reduce false positives and make Lift results actionable out of the box without investing time on your part. We want to understand when any tool or rule causes too much pain. By monitoring repositories and GitHub chatter we get an idea, but your needs are ground truth.
Lift couldn’t understand my build system / complained about not being able to produce a compilation database
Because Lift includes advanced program analysis tools, it has to be able to build the application. There are three common cases:
- Building the code requires Java 11 (Lift defaults to JDK 1.8). In this case, add a .lift.toml file in the root directory of your repository containing
    jdk11 = true
- Analyzing the code requires a non-standard build target. When possible, it is best to use a build target that doesn’t invoke tests, perform benchmarks, or pull in non-code resources such as images or binaries. This will make the analysis faster and more robust. To specify the build target, add a .lift.toml file containing the following:
    build = "<build command>"
For example:
    build = "./gradlew assembleAndroid"
- Some dependencies are needed before build and analysis can proceed. Add a .lift.toml file that contains the following:
    setup = ".lift/setup.sh"
Now add a .lift/setup.sh file that contains commands to download any needed dependencies. You can apt install packages or git clone public GitHub repositories. This script will be run from the root directory of the repository prior to the build and analyze steps.
I have a multi-project repository and I want Lift to only run on one particular project
Normally, Lift will do its best to autodetect your projects and analyze them. If you had something else in mind, simply place a .lift.toml configuration file in the directory containing the project you want analyzed.
For more information, see subprojects.
My custom build script has the error “E: Unable to locate package ‘packagename’”
First, ensure your script runs apt update to get the latest package definitions before attempting to add another package.
Lift uses Ubuntu 20.04 “focal” as the base image for all analysis builds. Check whether it is a valid “focal” package using the Ubuntu package search.
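An example .lift/setup.sh that covers both the dependency setup described under the build-system question and the apt update advice above. It is an added example, not Sonatype's own script: the package names, repository URL, commit hash, and the APT_GET and GIT override variables are constructed placeholders.

```shell
#!/bin/sh
# .lift/setup.sh (added example), enabled by: setup = ".lift/setup.sh" in .lift.toml
set -eu
export DEBIAN_FRONTEND=noninteractive

# Overridable command names so the logic can be exercised without root or network.
APT_GET="${APT_GET:-apt-get}"
GIT="${GIT:-git}"

# Constructed sample values; replace with your project's real dependencies.
PACKAGES="libxml2-dev libyaml-dev"
DEP_URL="https://github.com/example-org/example-dep.git"
DEP_COMMIT="0123456789abcdef0123456789abcdef01234567"
DEP_DIR="third_party/example-dep"

index_fresh=0

# Install packages, refreshing the package index once beforehand. Installing
# against a stale or empty index is what yields "E: Unable to locate package".
install_packages() {
    if [ "$index_fresh" -eq 0 ]; then
        "$APT_GET" update
        index_fresh=1
    fi
    "$APT_GET" install --yes --no-install-recommends "$@"
}

# Clone a public repository and pin it to a full commit hash, so a moved branch
# or tag upstream cannot silently change what is built and analyzed.
fetch_pinned() {
    url=$1 commit=$2 dir=$3
    [ -d "$dir/.git" ] || "$GIT" clone --quiet "$url" "$dir"
    "$GIT" -C "$dir" checkout --quiet --detach "$commit"
    actual=$("$GIT" -C "$dir" rev-parse HEAD)
    if [ "$actual" != "$commit" ]; then
        echo "setup.sh: $dir is at $actual, expected $commit" >&2
        return 1
    fi
}

main() {
    # PACKAGES is left unquoted on purpose: one argument per package name.
    install_packages $PACKAGES
    fetch_pinned "$DEP_URL" "$DEP_COMMIT" "$DEP_DIR"
}

# Run only when executed as setup.sh (the page says Lift runs it from the
# repository root); under any other name the functions are merely defined.
case "${0##*/}" in setup.sh) main ;; esac
```

Because fetch_pinned compares the checked-out HEAD with the requested value, passing a branch or tag name instead of a full hash fails the setup step rather than building whatever that name currently points to.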
My Android project is not building in Lift
Android projects in Lift will require some special configuration. See this guide for instructions and an example.
I don’t have my own repository, but I still want to try Lift
In this case, here is an example repository you can fork to see the power of Lift for yourself.
For this tutorial, we are going to analyze a C project that uses the ‘make’ build system. Fork our example repo at https://github.com/Lift-Dev/hello_lift.
NOTE: if you didn’t give the Lift app permissions to all repositories, then you’ll need to give it permission to this new repository. It’s easy: just go to https://github.com/apps/sonatype-lift, click configure and include this new repository by selecting it under ‘repository access’.
The develop branch has had multiple bugs introduced. Lift can analyze the changed code and call out any bugs that have appeared. You can start the analysis process by making a pull request. Navigate to the URL below and click Create pull request. Again, replace $USER with your GitHub username.
After a few minutes Lift will respond with its discoveries through pull request comments such as the one below.
Lift will also take advantage of GitHub’s status API to let you know if there were any new bugs introduced by the pull request:
The full set of comments can be seen at the following URL.
I am wondering what utilities are available to Lift analysis by default
Great! You are in the right place. The Lift analysis image is based on Ubuntu 20.04. Here is a list of packages installed by default:
    apt-get install --yes --no-install-recommends \
        autoconf \
        automake \
        awscli \
        curl \
        git \
        software-properties-common \
        gcc-7 \
        gcc-9 \
        g++-9 \
        g++-multilib \
        libc6-dev \
        libgmp-dev \
        libsqlite3-dev \
        opam \
        libtool \
        libtool-bin \
        autotools-dev \
        openjdk-8-jdk-headless \
        openjdk-11-jdk-headless \
        pkg-config \
        ruby \
        libsqlite3-dev \
        gawk \
        tzdata \
        maven \
        libpcre3-dev \
        netbase \
        npm \
        locales \
        libcurl4-gnutls-dev \
        libssl-dev \
        ant \
        jq \
        vim \
        zlib1g-dev \
        python3 \
        python3-dev \
        python3-pip \
        python-setuptools
I have a problem that is not addressed here
Whether it’s a cryptic build error or just confusing results, don’t hesitate to contact our support for personalized assistance.