Understanding Tidelift vulnerability insights

When a vulnerability is found, the most important question to answer is: what do I do now?

The answer to this question can be a complex one based on the vulnerability, your organization's risk profile, and other priorities your organization may have. With Tidelift, we give you all the vulnerability context in one place so you can make the right decisions for your teams. 

Vulnerability information

For each vulnerability, Tidelift first collects the data that you would get from public vulnerability sources, such as the NIST National Vulnerability Database. This includes a description, when the vulnerability was published, and its severity as assigned by NIST researchers.

Affected releases

Tidelift uses publicly available data to identify which releases are impacted by a vulnerability. This is summarized in the vulnerability tab. On this page, you will see the full list of vulnerabilities that impact a given release. 

Remediation

With the vulnerability mapped to its affected releases, we provide a simple and clear summary of which versions to upgrade to in order to remove the given vulnerability.

Affected projects 

Once you know what the issue is and how to remediate it, the next question is where the issue exists in your applications. If you are saving alignments in Tidelift, we show you a list of projects in which an affected release is in use in the latest alignment on the default branch or on the last three non-default branches.

Insights from the maintainer

Our partnered maintainers also provide exclusive vulnerability recommendations for Tidelift subscribers. This information can be used to identify the impact of a vulnerability and help you prioritize when to address the vulnerability.

Key insights that Tidelift's maintainers provide:

False positive

Some vulnerabilities are false positives due to poor scanners or bad AI-generated reports. False positive vulnerabilities don't need to be remediated.

Likelihood to be affected

When using the package in the most common ways, how likely is it that this vulnerability matters to users? This score can be used to prioritize remediating vulnerabilities that matter.

Build tool / dev dependency usage

Many software dependencies are only used as development, build, or test dependencies. If the vulnerability isn't relevant in these scenarios, you don't need to prioritize fixing it.

Whether specific methods are affected

By noting the specific methods or classes affected by the vulnerabilities, developers can analyze whether their particular usage of the software is vulnerable.

What workarounds are available

Depending on transitive dependencies, toolchain restrictions, or other issues specific to your software, it may be simpler to work around the vulnerability than update to a fixed version. Tidelift provides any maintainer-specified workarounds that can be used.
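The five insight categories above are inputs to a triage decision, and the order in which they are applied matters: a false positive or an irrelevant dev-only dependency should short-circuit before any severity arithmetic, and affected-method data should demote a finding to "monitor" when the project never calls those methods. The following Python is an added example of that decision flow; it is not Tidelift's code and the record layout, the likelihood weights and the score thresholds are assumptions made for illustration, not Tidelift's API schema. The sample vulnerabilities and project usages are constructed, and the IDs are placeholders, not real advisories.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MaintainerInsight:
    """Maintainer-provided insight categories from the article, as a constructed record."""
    false_positive: bool = False
    likelihood: str = "medium"          # how likely common usage is affected: low | medium | high
    relevant_for_dev_use: bool = True   # does it still matter when the package is only a build/test dep?
    affected_methods: List[str] = field(default_factory=list)  # empty = whole package affected
    workaround: Optional[str] = None


@dataclass
class Vulnerability:
    vuln_id: str
    package: str
    affected_releases: List[str]
    fixed_versions: List[str]
    cvss: float                         # severity as published by NIST
    insight: MaintainerInsight


@dataclass
class ProjectUsage:
    project: str
    package: str
    release: str
    dev_only: bool                      # only a build/test/dev dependency in this project
    called_methods: List[str]           # package methods this project is known to call


# Assumed weights: how much of the CVSS score survives the maintainer's likelihood rating.
LIKELIHOOD_WEIGHT = {"low": 0.2, "medium": 0.5, "high": 1.0}


def triage(vuln: Vulnerability, usage: ProjectUsage) -> Tuple[str, float, str]:
    """Decide what to do about one vulnerability in one project.

    Returns (action, priority score, reason). Checks run in the order a reviewer
    applies them: not affected -> false positive -> dev-only irrelevance ->
    affected methods not used -> score by severity x likelihood.
    """
    ins = vuln.insight
    if usage.package != vuln.package or usage.release not in vuln.affected_releases:
        return "not_affected", 0.0, f"{usage.release} is not an affected release"
    if ins.false_positive:
        return "ignore", 0.0, "maintainer marked the report as a false positive"
    if usage.dev_only and not ins.relevant_for_dev_use:
        return "ignore", 0.0, "build/dev-only dependency and the issue does not apply to that use"
    if ins.affected_methods and not set(ins.affected_methods) & set(usage.called_methods):
        return "monitor", 0.0, f"affected methods {ins.affected_methods} are not called by {usage.project}"

    score = vuln.cvss * LIKELIHOOD_WEIGHT[ins.likelihood]
    action = "fix_now" if score >= 7.0 else "schedule" if score >= 4.0 else "backlog"
    remedy = f"upgrade to one of {vuln.fixed_versions}"
    if ins.workaround:
        remedy += f" or apply workaround: {ins.workaround}"
    return action, score, f"CVSS {vuln.cvss} x likelihood {ins.likelihood}; {remedy}"


def prioritize(vulns: List[Vulnerability], usages: List[ProjectUsage]) -> List[dict]:
    """Cross every vulnerability with every project usage; return actionable items,
    highest score first. Ignored and not-affected pairs are dropped."""
    items = []
    for v in vulns:
        for u in usages:
            action, score, reason = triage(v, u)
            if action in ("ignore", "not_affected"):
                continue
            items.append({"project": u.project, "vuln": v.vuln_id, "package": v.package,
                          "action": action, "score": score, "reason": reason})
    return sorted(items, key=lambda i: i["score"], reverse=True)


# Constructed sample data; IDs are placeholders, not real advisories.
SAMPLE_VULNS = [
    Vulnerability("EXAMPLE-0001", "libfoo", ["1.2.0"], ["1.2.1", "1.3.0"], 9.8,
                  MaintainerInsight(likelihood="high", affected_methods=["parse_untrusted"])),
    Vulnerability("EXAMPLE-0002", "buildtool", ["3.0.0"], ["3.0.1"], 7.5,
                  MaintainerInsight(likelihood="high", relevant_for_dev_use=False)),
    Vulnerability("EXAMPLE-0003", "libbar", ["2.4.0"], ["2.4.1"], 8.1,
                  MaintainerInsight(false_positive=True)),
    Vulnerability("EXAMPLE-0004", "libfoo", ["1.2.0"], ["1.3.0"], 5.3,
                  MaintainerInsight(likelihood="low", affected_methods=["legacy_render"],
                                    workaround="disable legacy rendering in the config")),
]
SAMPLE_USAGES = [
    ProjectUsage("web-api", "libfoo", "1.2.0", dev_only=False, called_methods=["parse_untrusted"]),
    ProjectUsage("web-api", "buildtool", "3.0.0", dev_only=True, called_methods=[]),
    ProjectUsage("web-api", "libbar", "2.4.0", dev_only=False, called_methods=["load"]),
    ProjectUsage("report-gen", "libfoo", "1.2.0", dev_only=False, called_methods=["legacy_render"]),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_VULNS, SAMPLE_USAGES):
        print(f"{item['action']:<8} {item['score']:4.1f} {item['project']:<11} "
              f"{item['vuln']} ({item['package']}): {item['reason']}")
```

Run as a script it prints four work items: the high-likelihood issue in a runtime dependency whose affected method is actually called lands in `fix_now`, the low-likelihood issue with a workaround drops to `backlog`, and the two pairings where the affected methods are never called are kept as `monitor` so they are re-evaluated if the project's usage changes. The false positive and the build-only dependency produce no work at all, which is the point of consuming the maintainer insight rather than the raw severity.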


Insights available across Tidelift

These vulnerability insights are available to Tidelift customers in multiple ways.

In the Tidelift UI

As shown above, Tidelift users can view this information on any vulnerability that affects them.

Via Tidelift reports

Tidelift vulnerability insights are available via the All Projects Violations report which can be integrated into your workflows and tooling to help prioritize and fix issues discovered in your software.

Via Tidelift APIs

Tidelift vulnerability insights are also available via Tidelift APIs for importing into your own tools and processes. Example schemas are documented in the Tidelift API reference here and here; sample output below:
