Vulnerabilities

When a vulnerability is found, the most important question to answer is: what do I do now?

The answer to this question can be a complex one based on the vulnerability, your organization's risk profile, and other priorities your organization may have. With Tidelift, we give you all the vulnerability context in one place so you can make the right decisions for your teams. 

Vulnerabilities information

For each vulnerability, Tidelift first collects the data that you would get from public vulnerability sources, such as the NIST National Vulnerability Database. This includes a description, when the vulnerability was published, and its severity.

Affected releases

Tidelift maps the data that ties specific releases to the vulnerability. This mapping is summarized in the vulnerability tab, where you will see the full list of vulnerabilities that impact a given release.

Removing the risk

With the vulnerability mapped to the affected releases, we provide a simple and clear summary for what versions to use that will remove the given vulnerability. If a partnered maintainer is standing behind the package, there will also be a deeper review that includes any workarounds.

Affected projects 

Once you know what the issue is and how to remediate it, the next question is where the issue exists in your applications. If you are storing and analyzing your data in Tidelift's software, we'll show you a list of projects and branches where an affected release is in use. If you are using our Vulnerabilities API, you will unify affected releases with your applications within your own software.

Insights from the maintainer

Our partnered maintainers also provide exclusive vulnerability recommendations for Tidelift subscribers. This information can be used to identify the impact of a vulnerability and help you prioritize when to address the vulnerability.

Key insights that Tidelift's maintainers provide:

False positive

Some vulnerabilities are false positives due to poor scanners or bad AI-generated reports. False positive vulnerabilities don't need to be remediated.

Likelihood to be affected

When using the package in the most common ways, how likely is it that this vulnerability matters to users? This score can be used to prioritize remediating vulnerabilities that matter.

Build tool / dev dependency usage

Many software dependencies are only used as development, build, or test dependencies. If the vulnerability isn't relevant in these scenarios, you don't need to prioritize fixing it.

Whether specific methods are affected

By noting the specific methods or classes affected by the vulnerabilities, developers can analyze whether their particular usage of the software is vulnerable.

What workarounds are available

Depending on transitive dependencies, toolchain restrictions, or other issues specific to your software, it may be simpler to work around the vulnerability than update to a fixed version. Tidelift provides any maintainer-specified workarounds that can be used.
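The five insights above amount to a triage order: a false positive is dropped, build/test-only exposure the maintainer rules out is deprioritized, unused affected methods are deprioritized, and what remains is ranked by likelihood with a workaround offered where one exists. The following Python is an added illustration of that order, not Tidelift's own code; the Insight and Usage field names are a hypothetical record shape, not the Tidelift API schema, and the sample values are constructed.

```python
"""Triage open-source vulnerabilities using maintainer-provided insights.

Added illustration. The field names below are a hypothetical record shape,
not Tidelift's API schema; sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Insight:
    """Maintainer context for one vulnerability (hypothetical fields)."""
    vuln_id: str
    false_positive: bool = False
    likelihood_affected: float = 0.0     # 0.0 (unlikely) .. 1.0 (likely) in common usage
    relevant_in_dev_use: bool = True      # still matters when used only at build/test time?
    affected_methods: List[str] = field(default_factory=list)  # empty = whole package
    workaround: Optional[str] = None


@dataclass
class Usage:
    """How one of your projects uses the affected release."""
    vuln_id: str
    dev_dependency: bool                  # used only in build/dev/test scope
    called_methods: List[str]             # methods your code actually invokes


def triage(insight: Insight, usage: Usage) -> str:
    """Apply the insights in priority order and return a remediation decision."""
    if insight.false_positive:
        return "ignore"                   # bad scanner / AI report: nothing to remediate
    if usage.dev_dependency and not insight.relevant_in_dev_use:
        return "deprioritize"             # build/test-only exposure the maintainer rules out
    if insight.affected_methods and not set(insight.affected_methods) & set(usage.called_methods):
        return "deprioritize"             # your code never reaches the vulnerable methods
    if insight.likelihood_affected >= 0.5:
        return "workaround" if insight.workaround else "upgrade"
    return "schedule"                     # real, but unlikely to matter: fix on normal cadence


if __name__ == "__main__":
    # Constructed sample: a high-likelihood bug in render(), with a maintainer workaround.
    ins = Insight("EXAMPLE-1", likelihood_affected=0.9,
                  affected_methods=["render"], workaround="pass escape=True")
    print(triage(ins, Usage("EXAMPLE-1", dev_dependency=False, called_methods=["render"])))
    print(triage(ins, Usage("EXAMPLE-1", dev_dependency=False, called_methods=["parse"])))
```

The two sample calls print "workaround" and then "deprioritize": the same vulnerability yields different decisions depending on whether the project actually calls the affected method.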


Insights available across Tidelift

These vulnerability insights are available to Tidelift customers in multiple ways.

Via Tidelift APIs

Tidelift vulnerability insights are also available via Tidelift APIs for importing into your own tools and processes. Example schemas are documented in the Tidelift API reference (linked here and here); sample output is shown below:

In the Tidelift UI

As shown above, Tidelift users can view this information on any vulnerability that affects them.

Via Tidelift reports

Tidelift vulnerability insights are available via the All Projects Violations report, which can be integrated into your workflows and tooling to help prioritize and fix issues discovered in your software.
