Available data APIs

At Tidelift, we want to help organizations solve the problems that keep them up at night.

  • What risks are embedded deep inside my organization?
  • How will I know that what I’m building on today will be viable for the long term?
  • How do I reduce risk before it ends up deployed in my organization?

At Tidelift, we’ve worked hard to surface data and insights across the open source ecosystem, and we make this continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practice available via our API.

The Tidelift data APIs consist of the following APIs. (Note: data APIs are available for select customers. Contact your Tidelift support representative for more information).

Package API

Note: The links below will require an active API key. They will return an error message without one.

The packages API can be found at:
https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>

Example:
https://api.tidelift.com/external-api/v1/packages/npm/qs

This API returns a set of data that includes, at minimum:

  • Name
  • Platform
  • Purl (aka Package URL)
  • Tidelift’s recommendation (recommended, not recommended, not assessed)
    • A recommended package has at least one release that does not have issues
  • Upstream repository
  • SPDX-formatted license of latest release
  • Release information (all releases and release dates, specific latest and latest stable releases)
  • An assessment of the packages on a number of metrics related to security, development practices, and long-term outlook.

For a full description of data returned, see the API documentation.

This API is also available in bulk form, where you can request information on up to 1000 packages at once.

 

Release API

The releases API can be found at:

https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>/releases/<version>

Example:

https://api.tidelift.com/external-api/v1/packages/maven/antlr:antlr/releases/2.7.1

 

This API returns a set of data that includes, at minimum:

  • Name
  • Platform
  • Purl (aka Package URL)
  • Upstream repository
  • SPDX-formatted license
  • Tidelift’s recommendation (recommended, not recommended, not assessed)
    • Why Tidelift doesn’t recommend the release, if applicable

Reasons Tidelift do not recommend the release will be shown as “violations”. Example violations could be:

  • Release has a vulnerability
  • Release is a prerelease
  • Package has been deprecated upstream
  • Release has issues in its direct or transitive dependencies

For a full description of data returned, see the API documentation.

This API is also available in bulk form, where you can request details on up to 1000 releases at once

 

Release dependency API

The release dependencies API can be found at:

https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>/releases/<version>/dependencies

Example:

https://api.tidelift.com/external-api/v1/packages/npm/isarray/releases/2.0.5/dependencies

This API returns a paginated list of dependencies, that includes:

  • Platform
  • Name
  • Explicit requirement (including any language-specific range or specifiers)
  • Scope

For a full description of data returned, see the API documentation.

 

Vulnerability API

The vulnerability API can be found at:

https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>

Example:

https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-20066

 

This API returns a set of data that includes, at minimum:

  • The CVE id
  • The NIST URL for the vulnerability
  • Any additional URL that provides more information
  • Description
  • Severity (CVSS score)
  • Affected packages
    • Recommendation for those packages, which can include:
      • What to upgrade to, if needed
      • If it’s a real issue, or a false positive
      • Whether it’s still vulnerable even if the package is only used as a dev/build/test dependency
      • Any specific methods that are affected
      • Any workarounds that are available

For a full description of data returned, see the API documentation.

 

Vulnerability affected releases API

The affected releases API can be found at:

https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>/affected_releases

Example:

https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-33503/affected_releases

 

This API returns a paginated list of releases that are affected by the vulnerability, that includes:

  • Platform
  • Name
  • Version

For a full description of data returned, see the API documentation.

 

Using Tidelift APIs

Rate Limits

For individual APIs (package, release, vulnerability), clients should restrict to a maximum of two API calls per second (120 calls / minute)

For bulk APIs (package, release), clients should restrict to a maximum of one call per minute.

If these limits are insufficient for your use case, please contact us.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section