How to evaluate a package with Tidelift's web UI and CLI

When you're trying to minimize the new risk you take on through open source, it's important to take a close look at any new package your teams bring in and to know how it stacks up against your organization's risk tolerance. In this article, we'll explore two built-in Tidelift tools that can be used to evaluate packages: the Tidelift CLI and the Tidelift UI.

Tidelift CLI

When using the Tidelift CLI for evaluating a package, the following command is the most useful: 

tidelift releases lookup [PACKAGE-MANAGER] [PACKAGE-NAME] --catalog=[CATALOG-NAME]

As a developer is considering a new package, this command can be run in their terminal to get information about the package and to see what decisions have already been made about the package's releases. This lets a developer get deeper insight into a package without leaving their usual workflow.

To set up the CLI and for a list of all available commands, see our CLI documentation.

Example command results

tidelift releases lookup pypi urllib3 --catalog=default

urllib3 (pypi)
--------------
HTTP library with thread-safe connection pooling, file post, and more.
Approved releases in catalog
----------------------------
- 2.2.0
   Automatically approved because no standards violations were found
- 2.1.0
   Automatically approved because no standards violations were found
- 2.0.7
   Automatically approved because no standards violations were found
Denied releases in catalog
--------------------------
- 2.0.0a4
   Automatically denied due to standards violations
   - Violations:
     - vulnerability CVE-2023-45803 with severity 4.2 is present
     - vulnerability CVE-2023-43804 with severity 8.1 is present
     - release pypi/urllib3 2.0.0a4 is a prerelease
   - Vulnerabilities:
     - CVE-2023-43804
     - CVE-2023-45803
- 1.25.6
   Automatically denied due to standards violations
   - Violations:
     - vulnerability CVE-2023-45803 with severity 4.2 is present
     - vulnerability CVE-2021-33503 with severity 7.5 is present
     - vulnerability CVE-2020-7212 with severity 7.5 is present
     - vulnerability CVE-2020-26137 with severity 6.5 is present
     - pypi/urllib3 1.25.6 is blocked
     - vulnerability CVE-2023-43804 with severity 8.1 is present
   - Vulnerabilities:
     - CVE-2020-7212
     - CVE-2020-26137
     - CVE-2021-33503
     - CVE-2023-43804
     - CVE-2023-45803
- 2.0.6
   Automatically denied due to standards violations
   - Violations:
     - vulnerability CVE-2023-45803 with severity 4.2 is present
   - Vulnerabilities:
     - CVE-2023-45803
Vulnerabilities for this Package
--------------------------------
- CVE-2018-20060
  Dec 11, 2018
  http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
  urllib3 before version 1.23 does not remove the Authorization HTTP header
when following a cross-origin redirect (i.e., a redirect that differs in host,
port, or scheme). This can allow for credentials in the Authorization header
to be exposed to unintended hosts or transmitted in cleartext.

  [APPLIES]
Lifter Comment:
Upgrade to the latest version of urllib3.
- CVE-2019-11236
  Apr 15, 2019
  http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
  In the urllib3 library through 1.24.1 for Python, CRLF injection is possible
if the attacker controls the request parameter.

  [APPLIES]
Lifter Comment:
Upgrade to the latest version of urllib3. This vulnerability is only relevant
if user input is passed directly into a URL.
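
The lookup output above is human-readable, but a team that wants to gate a dependency change on catalog decisions needs it in structured form. The following Python script is an added example, not Tidelift's own code: it parses the text layout shown in this article into approved and denied releases (with their violations and CVE lists) and checks whether a given pinned version is approved. The parser's assumptions are that the CLI keeps this layout and that the Tidelift CLI is installed and authenticated if `lookup_live` is used; the embedded sample is a constructed excerpt of the output shown above so the script runs offline.

```python
"""Parse `tidelift releases lookup` text output into catalog decisions.

Added example, not Tidelift code. The layout is inferred from the sample
output in this article; if the CLI changes its formatting, adjust the
section headers and list handling below.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed excerpt of the `tidelift releases lookup pypi urllib3 --catalog=default`
# output shown in the article, embedded so the example runs without the CLI.
SAMPLE_OUTPUT = """\
urllib3 (pypi)
--------------
HTTP library with thread-safe connection pooling, file post, and more.
Approved releases in catalog
----------------------------
- 2.2.0
   Automatically approved because no standards violations were found
- 2.1.0
   Automatically approved because no standards violations were found
Denied releases in catalog
--------------------------
- 2.0.0a4
   Automatically denied due to standards violations
   - Violations:
     - vulnerability CVE-2023-45803 with severity 4.2 is present
     - vulnerability CVE-2023-43804 with severity 8.1 is present
     - release pypi/urllib3 2.0.0a4 is a prerelease
   - Vulnerabilities:
     - CVE-2023-43804
     - CVE-2023-45803
- 2.0.6
   Automatically denied due to standards violations
   - Violations:
     - vulnerability CVE-2023-45803 with severity 4.2 is present
   - Vulnerabilities:
     - CVE-2023-45803
Vulnerabilities for this Package
--------------------------------
- CVE-2018-20060
  Dec 11, 2018
"""


@dataclass
class Release:
    version: str
    status: str                    # "approved" or "denied"
    reason: str = ""               # the line under the version, e.g. "Automatically denied ..."
    violations: list[str] = field(default_factory=list)
    vulnerabilities: list[str] = field(default_factory=list)


# Section headers from the output; None means "stop collecting releases".
SECTION_HEADERS = {
    "Approved releases in catalog": "approved",
    "Denied releases in catalog": "denied",
    "Vulnerabilities for this Package": None,
}


def parse_lookup(text: str) -> dict[str, Release]:
    """Return {version: Release} for every release listed under a catalog section."""
    releases: dict[str, Release] = {}
    status = None      # section we are in ("approved"/"denied"), None outside release sections
    current = None     # Release currently being filled
    sublist = None     # "violations" or "vulnerabilities" while inside that nested list
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            status, current, sublist = SECTION_HEADERS[stripped], None, None
            continue
        # Skip everything outside release sections, blank lines and "-----" underlines.
        if status is None or not stripped or set(stripped) == {"-"}:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and stripped.startswith("- "):      # top-level "- <version>"
            current = Release(version=stripped[2:], status=status)
            releases[current.version] = current
            sublist = None
        elif current is None:
            continue
        elif stripped == "- Violations:":
            sublist = "violations"
        elif stripped == "- Vulnerabilities:":
            sublist = "vulnerabilities"
        elif stripped.startswith("- ") and sublist:        # nested list item
            getattr(current, sublist).append(stripped[2:])
        elif not stripped.startswith("-"):                 # plain text line: the decision reason
            current.reason = stripped
    return releases


def approved_versions(releases: dict[str, Release]) -> list[str]:
    return sorted(v for v, r in releases.items() if r.status == "approved")


def max_severity(release: Release) -> float:
    """Highest severity score quoted in the release's violation lines (0.0 if none)."""
    scores = re.findall(r"with severity (\d+(?:\.\d+)?)", " ".join(release.violations))
    return max(map(float, scores), default=0.0)


def check_pin(releases: dict[str, Release], version: str) -> tuple[bool, str]:
    """Decide whether a pinned version may be used; unknown versions fail closed."""
    r = releases.get(version)
    if r is None:
        return False, f"{version}: no catalog decision recorded"
    if r.status == "approved":
        return True, f"{version}: approved"
    return False, (f"{version}: denied, {len(r.violations)} violation(s), "
                   f"max severity {max_severity(r)}")


def lookup_live(platform: str, package: str, catalog: str) -> dict[str, Release]:
    """Run the real CLI (assumes it is installed and authenticated) and parse its output."""
    cmd = ["tidelift", "releases", "lookup", platform, package, f"--catalog={catalog}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_lookup(out)


if __name__ == "__main__":
    catalog = parse_lookup(SAMPLE_OUTPUT)
    for pin in ("2.2.0", "2.0.6", "1.26.0"):
        ok, msg = check_pin(catalog, pin)
        print("PASS" if ok else "FAIL", msg)
```

Unknown versions are treated as failures on purpose: a release with no decision in the catalog is not the same as an approved one, and a CI gate built on this should require an explicit approval rather than the absence of a denial.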

Tidelift UI

All of the above insights are also available via the Tidelift UI. Within the Tidelift UI, the package page is where you can access comprehensive package insights before bringing a new package into your applications. A developer can use the Releases tab to see whether any releases are already approved for use, or use the package page to gather the data the approval process may require.

[Screenshot: the package page in the Tidelift UI, with the Tidelift recommendation shown next to the package name]

To evaluate a package, start with the Tidelift recommendation, as seen next to the package name in the above screenshot. The Tidelift recommendation evaluates a package against a number of criteria to determine whether a package is a good bet to build on for the future. For more information on the Tidelift recommendation, see How Tidelift evaluates packages.
