Sonar acquires open-source security specialist Tidelift
SonarSource SA, which does business as Sonar, said today that it has signed a definitive agreement to acquire Tidelift Inc., a provider of services to manage open-source components. Terms weren’t disclosed.
Sonar, which sells tools that check software code for bugs, inconsistencies and security flaws, said the deal will help round out its offerings in the areas of software supply chain security, extending its coverage to include open-source libraries in addition to code built by business developers.
“Today, Sonar addresses risks in third-party code through static code analysis,” said Harry Wang, Sonar’s vice president of growth and new ventures. “The acquisition of Tidelift greatly expands Sonar’s ability to bring curated, human-verified open-source software vulnerability intelligence to our developer users.”
Open-source software is ubiquitous in commercial products. Black Duck Inc.’s 2024 Open Source Security and Risk Analysis Report said 96% of commercial code bases contain open-source code and that the average application has 526 open-source components.
Because open-source software is free for anyone to modify, it is also easily compromised. Sonatype Inc. recently said it counted nearly 513,000 malicious packages in open-source software in the past year, a 156% increase over the previous year.
Tidelift, which has raised $73.5 million according to the business database Crunchbase, helps improve the health and security of open source by paying the maintainers of thousands of the world’s most popular open source projects to follow industry-leading secure software development practices. It says paid open-source maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers.
Sonar focuses on organizations that build software for their own use. Its technology provides insights into security issues, alerts and remediation assistance, services that are likely to be extended to open-source projects following the acquisition.
Founded in 2017, Tidelift has a long open-source pedigree. Co-founder Donald Fischer (pictured) was previously chief executive officer of Typesafe Inc., now Lightbend Inc., which built infrastructure software based on open-source components. He was also an executive at Red Hat Inc.
Co-founder Havoc Pennington was also at Typesafe and was one of the original developers of Gnome, an open-source desktop environment for Linux and other Unix-like operating systems. Tidelift customers include Cisco Systems Inc., the Federal National Mortgage Association and the U.S. Air Force.
Sonar said it will continue to make the Tidelift offering available for the immediate future and customers and maintainer partners won’t experience any disruptions. The company said further details will be provided in the first quarter of 2025.
“We expect to announce new capabilities for SonarQube in the first half of 2025,” Wang said, referring to Sonar’s core platform. “These new capabilities will cover all code, including open source and third-party libraries, depending on customer access.”
Photo: SiliconANGLE