stephen-magill
No user record in our sample, but stephen-magill has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
No user record in our sample, but stephen-magill has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
I think that works provided the cadence isn't too slow. We see an average of 8 to 12 project versions per year being published depending on ecosystem. That matches nicely with the 28 day average MTTU for 2021 in the…
This is something we studied in last year's report. Based on a survey similar to the one described in Chapter 4 we found that a mix of features measuring participation in the open source community was associated with…
This is exactly right. Low MTTU and keeping up-to-date across the transitive dependency tree makes it less likely that vulnerabilities creep in due to those transitive dependencies. I think there's also a certain aspect…
Yep. The question is whether the engineering trade-offs are worth it. Less-used libraries might have more undiscovered bugs that crop up in production and could have lower levels of support as well.
We closely monitor the "fix rate" -- what percentage of issues reported by Lift are ultimately fixed by developers. If the fix rate for a particular tool or type of rule is too low, then we modify how we configure and…
We provide deeper analysis and can surface things like thread safety issues and resource leaks. We also focus very closely on ensuring our tools have low false positive rates and so we tend to have less noisy output.…
We do support Python. Here's an example of a Python scan: https://lift.sonatype.com/result/smagill-lift-demo/posthog/0... That gives an idea of the sorts of results we flag in Python code, though we don't expect people…