At Tidelift, we want to help organizations solve the problems that keep them up at night.
- What risks are embedded deep inside my organization?
- How will I know that what I’m building on today will be viable for the long term?
- How do I reduce risk before it ends up deployed in my organization?
At Tidelift, we’ve worked hard to surface data and insights across the open source ecosystem, and we make this continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practice available via our API.
The Tidelift data APIs consist of the following APIs. (Note: data APIs are currently in beta. Contact your Tidelift support representative for more information).
Package API
The packages API can be found at:
https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>
Example:
https://api.tidelift.com/external-api/v1/packages/npm/qs
This API returns a set of data that includes, at minimum:
- Name
- Platform
- Purl (aka Package URL)
- Tidelift’s recommendation (recommended, not recommended, not assessed)
- A recommended package has at least one release that does not have issues
- Upstream repository
- SPDX-formatted license of latest release
- Release information (all releases and release dates, specific latest and latest stable releases)
- An assessment of the packages on a number of metrics related to security, development practices, and long-term outlook.
For a full description of data returned, see the API documentation.
Release API
The releases API can be found at:
https://api.tidelift.com/external-api/v1/packages/<platform>/<package_name>/releases/<version>
Example:
https://api.tidelift.com/external-api/v1/packages/maven/antlr:antlr/releases/2.7.1
This API returns a set of data that includes, at minimum:
- Name
- Platform
- Purl (aka Package URL)
- Upstream repository
- SPDX-formatted license
- Tidelift’s recommendation (recommended, not recommended, not assessed)
- Why Tidelift doesn’t recommend the release, if applicable
Reasons Tidelift do not recommend the release will be shown as “violations”. Example violations could be:
- Release has a vulnerability
- Release is a prerelease
- Package has been deprecated upstream
- Release has issues in its direct or transitive dependencies
For a full description of data returned, see the API documentation.
Release dependency API
The release dependencies API can be found at:
Example:
https://api.tidelift.com/external-api/v1/packages/npm/isarray/releases/2.0.5/dependencies
This API returns a paginated list of dependencies, that includes:
- Platform
- Name
- Explicit requirement (including any language-specific range or specifiers)
- Scope
For a full description of data returned, see the API documentation.
Vulnerability API
The vulnerability API can be found at:
https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>
Example:
https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-20066
This API returns a set of data that includes, at minimum:
- The CVE id
- The NIST URL for the vulnerability
- Any additional URL that provides more information
- Description
- Severity (CVSS score)
- Affected packages
- Recommendation for those packages, which can include:
- What to upgrade to, if needed
- If it’s a real issue, or a false positive
- Whether it’s still vulnerable even if the package is only used as a dev/build/test dependency
- Any specific methods that are affected
- Any workarounds that are available
- Recommendation for those packages, which can include:
For a full description of data returned, see the API documentation.
Vulnerability affected releases API
The affected releases API can be found at:
https://api.tidelift.com/external-api/v1/vulnerabilities/<CVE-ID>/affected_releases
Example:
https://api.tidelift.com/external-api/v1/vulnerabilities/CVE-2021-33503/affected_releases
This API returns a paginated list of releases that are affected by the vulnerability, that includes:
- Platform
- Name
- Version
For a full description of data returned, see the API documentation.
Comments
Please sign in to leave a comment.