Overview of Tidelift open source intelligence

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages: their licenses, releases, vulnerabilities, and development practices. Here is a breakdown of the types of data available with a Tidelift Subscription.

Automated, structured, and centralized data

Tidelift collects data from upstream package manager ecosystems and from upstream source repositories. This data is accessible in one centralized Tidelift location, saving customers the time and resources otherwise needed to find key information on public open source packages.

Scraped information, powered by Libraries.io, includes things such as:

  • Lists of releases and release dates
  • Upstream license information
  • Upstream source repository location
  • Per-release dependencies, as specified in package manager metadata

Tidelift then enriches this baseline with further scraped sources, including:

  • Source repository maintenance signals (last commit date; contributions, issues, and pull requests over the past year)
  • OpenSSF Scorecard information (whether releases are signed, whether binary artifacts are present in the repository, and more)

This enhanced scraped data is only available with a Tidelift Subscription.

Tidelift human-researched data

When data about open source software cannot be scraped reliably, Tidelift researches it by hand.

Normalizing data

When license information is unclear or nonstandard upstream, Tidelift works to normalize it. When license information is missing, Tidelift researches it so that our customers can have confidence. Tidelift has normalized and researched licenses for over one million software releases, and this data is only available with a Tidelift Subscription.

Analyzed and researched data

Tidelift uses the raw scraped data, analyzes it for patterns, and performs research to provide conclusions to our customers.

For example

Tidelift analyzes the contribution statistics that have been scraped to determine whether a package might be unmaintained. If it appears unmaintained, then Tidelift researches a number of criteria (maintainer activity elsewhere, documentation and repository markers, public statements) to determine whether the package is actually unmaintained, and makes that information available to Tidelift subscribers.

Tidelift then uses this package-level information to analyze individual releases. Each release is assessed for suitability on a number of criteria, not just vulnerabilities. The criteria include:

  • Is the package unmaintained?
  • Has the package been deprecated?
  • Is the release a prerelease?
  • Is the release affected by any known vulnerability?
  • Has the release been removed from upstream?
  • Is the release more than 7 years old?

Tidelift then combines this assessment with the release's dependency information to determine whether any of its dependencies, at any depth, have any of these issues. The result is consolidated into a recommendation field that tells you whether using this release will bring issues into your environment, either directly or indirectly through transitive dependencies, and if it will, which issues those are.
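The following is an added illustration of the assessment described above, not Tidelift's own code or data model. It applies the six release-level criteria to a constructed catalog of releases, walks the per-release dependency lists, and reports every issue together with the chain of releases that pulls it in, so direct and transitive findings are distinguishable. The package names, version numbers, advisory identifier, field names, and the fixed "today" date are all assumptions made for the example. It also goes slightly beyond the text in two ways a practitioner would want: it guards against dependency cycles and shared dependencies with a visited set, and it reports a dependency that is absent from the catalog as a finding rather than silently treating it as clean.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Threshold named in the article: a release more than 7 years old is flagged.
MAX_AGE = timedelta(days=7 * 365)


@dataclass
class Release:
    """Per-release facts of the kind the article says are scraped or researched.

    Field names are assumptions for this example, not Tidelift's schema.
    """
    name: str
    version: str
    released: date
    dependencies: list = field(default_factory=list)  # [(name, version)] from package metadata
    unmaintained: bool = False        # package-level, researched
    deprecated: bool = False          # package-level
    prerelease: bool = False
    vulnerabilities: list = field(default_factory=list)  # advisory identifiers (constructed)
    removed_upstream: bool = False


def release_issues(rel: Release, today: date) -> list:
    """Apply the six release-level criteria to a single release."""
    issues = []
    if rel.unmaintained:
        issues.append("package is unmaintained")
    if rel.deprecated:
        issues.append("package is deprecated")
    if rel.prerelease:
        issues.append("release is a prerelease")
    for advisory in rel.vulnerabilities:
        issues.append(f"affected by {advisory}")
    if rel.removed_upstream:
        issues.append("release removed from upstream")
    if today - rel.released > MAX_AGE:
        issues.append("release is more than 7 years old")
    return issues


def recommend(catalog: dict, name: str, version: str, today: date) -> dict:
    """Assess a release together with its full transitive dependency closure.

    Returns {"recommended": bool, "issues": [(path, issue), ...]} where path is
    the chain of releases that introduces the issue; a path with a single
    element means the issue is on the requested release itself.
    """
    findings = []
    seen = set()  # prevents infinite loops on cycles and re-walking shared deps

    def walk(key, path):
        if key in seen:
            return
        seen.add(key)
        rel = catalog.get(key)
        if rel is None:
            # Metadata names a release we hold no data for; surface it rather
            # than assuming an unknown dependency is fine.
            findings.append((path, "dependency not found in catalog"))
            return
        for issue in release_issues(rel, today):
            findings.append((path, issue))
        for dep_name, dep_version in rel.dependencies:
            walk((dep_name, dep_version), path + [f"{dep_name}@{dep_version}"])

    walk((name, version), [f"{name}@{version}"])
    return {
        "recommended": not findings,
        "issues": [(" -> ".join(path), issue) for path, issue in findings],
    }


# Constructed sample data: names, versions, dates and the advisory id are made up.
TODAY = date(2024, 6, 1)  # fixed so the age check is deterministic
CATALOG = {(r.name, r.version): r for r in [
    Release("webapp-core", "2.1.0", date(2024, 3, 1),
            dependencies=[("parser-lib", "1.4.2"), ("log-util", "0.9.0")]),
    Release("parser-lib", "1.4.2", date(2023, 11, 5),
            dependencies=[("legacy-codec", "3.0.1")]),
    Release("log-util", "0.9.0", date(2024, 1, 10)),
    Release("log-util", "1.0.0rc1", date(2024, 5, 20), prerelease=True),
    # Old, unmaintained, vulnerable, and it depends back on parser-lib (a cycle).
    Release("legacy-codec", "3.0.1", date(2015, 2, 14), unmaintained=True,
            vulnerabilities=["EXAMPLE-ADVISORY-0001"],
            dependencies=[("parser-lib", "1.4.2")]),
    Release("report-gen", "0.3.0", date(2024, 4, 1),
            dependencies=[("missing-pkg", "9.9.9")]),
]}

if __name__ == "__main__":
    for pkg, ver in [("webapp-core", "2.1.0"), ("log-util", "0.9.0"), ("report-gen", "0.3.0")]:
        result = recommend(CATALOG, pkg, ver, TODAY)
        print(f"{pkg}@{ver}: recommended={result['recommended']}")
        for path, issue in result["issues"]:
            print(f"  {issue}  via {path}")
```

Run as a script, webapp-core@2.1.0 is not recommended even though the release itself is clean, because every finding sits on legacy-codec two hops down; the printed path makes that visible. The age check uses a flat 365-day year, which is close enough for a 7-year threshold but would need calendar arithmetic if the boundary mattered to the day.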

Tidelift also provides further analyzed quality checks relating to security, development practices, and long-term outlook, such as:

  • Whether there’s a security policy for the package
  • Whether the package seems responsive to security issues

All normalized, analyzed, and researched data is only available with a Tidelift Subscription.

First party maintainer data

Tidelift works directly with open source maintainers to get expert information on the packages they maintain, including their development practices, and issues that affect the packages. Tidelift also pays those maintainers to improve their packages’ development practices and security posture.

Among the data Tidelift provides directly from maintainers:

  • Reviews of who holds publishing rights on upstream package managers, to ensure that only those who should push releases can
  • Attestation that multi-factor authentication is required both for contributing code and for publishing releases
  • Detailed recommendations on vulnerability handling, including:
    • Available workarounds
    • The specific affected methods and usage patterns (for example, whether the issue affects development and testing usage, or only production)
    • Whether a reported issue is a false positive, and why

This information directly from maintainers is only available with a Tidelift Subscription.
