SonarSource SA, doing business as Sonar, said today it has signed a definitive agreement to acquire Tidelift Inc., an open source component management service provider. The terms were not disclosed.
Sonar, which sells tools that check software code for bugs, inconsistencies and security flaws, said the deal will help round out its offering in software supply chain security, expanding coverage to include open-source libraries in addition to code built by enterprise developers.
“Today, Sonar addresses risks in third-party code through static code analysis,” said Harry Wang, Sonar’s vice president of growth and new ventures. “The acquisition of Tidelift significantly expands Sonar’s ability to provide curated, human-verified open-source software vulnerability intelligence to our developer users.”
Open source software is ubiquitous in commercial products. Black Duck Inc.’s 2024 Open Source Security and Risk Analysis Report states that 96% of commercial codebases contain open source code and that the average application contains 526 open source components.
Because open source software can be modified by anyone for free, it is also easy to compromise. Sonatype Inc. recently said it counted nearly 513,000 malicious packages in open-source software in the past year, a 156% increase from the previous year.
Tidelift, which has raised $73.5 million according to corporate database Crunchbase, is helping improve the health and safety of open source by paying the maintainers of thousands of the world’s most popular open source projects to follow industry-leading secure software development practices. It says that paid open source maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers.
Sonar focuses on organizations that build software for their own use. Its technology provides visibility into security issues, alerts and remediation assistance, services that will likely be expanded to open source projects post-acquisition.
Founded in 2017, Tidelift has a long open source history. Co-founder Donald Fischer (pictured) was previously CEO of Typesafe Inc., now Lightbend Inc., which built infrastructure software based on open-source components. He was also an executive at Red Hat Inc.
Co-founder Havoc Pennington was also at Typesafe and was one of the original developers of GNOME, an open-source desktop environment for Linux and other Unix-like operating systems. Tidelift customers include Cisco Systems Inc., the Federal National Mortgage Association and the U.S. Air Force.
Sonar said it will continue to make the Tidelift offering available for the foreseeable future and that customers and maintenance partners will experience no disruptions. The company said further details will be provided in the first quarter of 2025.
“We expect to announce new capabilities for SonarQube in the first half of 2025,” Wang said, referring to Sonar’s core platform. “These new capabilities will span all code, including open source and third-party libraries, subject to customer access.”
Photo: SiliconANGLE