The JSON output of the Tidelift CLI for alignments is detailed: it lists approved, denied, and requested packages, along with summary statistics.
For users who want to make nuanced decisions based on Tidelift alignment output, or who want to store Tidelift's assessment of their software's packages, here is a guide to the Tidelift alignment JSON output.
Full alignment JSON output:
{
  "organization": "Weyland-Yutani--Inc",
  "files": "requirements.txt, pip-resolved-dependencies.txt",
  "alignment_pct": 40,
  "unapproved": [],
  "approved": [
    {
      "platform": "pypi",
      "name": "asgiref",
      "version": "3.7.2",
      "newly_introduced": false,
      "scope": "production",
      "violations": []
    },
    {
      "platform": "pypi",
      "name": "sqlparse",
      "version": "0.4.4",
      "newly_introduced": false,
      "scope": "production",
      "violations": []
    }
  ],
  "upcoming_denials": [],
  "denied": [
    {
      "platform": "pypi",
      "name": "Django",
      "version": "4.2",
      "newly_introduced": true,
      "scope": "production",
      "violations": [
        {
          "catalog_standard": "vulnerabilities",
          "vuln_id": "CVE-2024-24680",
          "severity": "7.5",
          "title": "vulnerability CVE-2024-24680 with severity 7.5 is present"
    ... {
      "platform": "pypi",
      "name": "uWSGI",
      "version": "2.0.24",
      "newly_introduced": true,
      "scope": "production",
      "violations": [
        {
          "catalog_standard": "allowed_licenses",
          "note": "Automatically denied due to standards violations",
          "license": "GPL-2.0",
          "title": "license GPL-2.0 is present"
        }
      ]
    },
    {
      "platform": "pypi",
      "name": "urllib3",
      "version": "1.26.12",
      "newly_introduced": true,
      "scope": "production",
      "violations": [
        {
          "catalog_standard": "vulnerabilities",
          "vuln_id": "CVE-2023-45803",
          "severity": "4.2",
          "title": "vulnerability CVE-2023-45803 with severity 4.2 is present",
          "lifter_recommendation": {
            "impact_score": 1,
            "impact_description": "No exploits from real world were reported",
            "real_issue": true,
            "includes_dev": true,
            "specific_methods_affected": false,
            "other_conditions": true,
            "other_conditions_description": "Both of the following conditions must be true to be affected by this vulnerability:\n– If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n– The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.",
            "workaround_available": true,
            "workaround_description": "Disable redirects for services that you aren't expecting to respond with redirects with redirects=False.\nDisable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body."
          }
        },
        {
          "catalog_standard": "vulnerabilities",
          "vuln_id": "CVE-2023-43804",
          "severity": "8.1",
          "title": "vulnerability CVE-2023-43804 with severity 8.1 is present",
          "lifter_recommendation": {
            "impact_score": 2,
            "impact_description": "Usage of the Cookie header is rare with urllib3. This is more common and useful in browsers. Redirections to another origin are also not the common case.",
            "real_issue": true,
            "includes_dev": true,
            "specific_methods_affected": true,
            "specific_methods_description": "Users of the Cookie header might be affected.",
            "other_conditions": true,
            "other_conditions_description": "This only affect requests that might be redirected to another origin.",
            "workaround_available": false
          }
        }
      ]
    }
  ],
  "requested": [],
  "warning": null,
  "no_new_introduction": [],
  "query_count": 0,
  "catalog": {
    "display_name": "Weyland-Yutani, Inc. catalog",
    "name": "default",
    "id": "3e2c9b46-2058-44f1-a59f-69d70171a1df"
  },
  "alternatives": [
    {
      "platform": "pypi",
      "name": "Django",
      "in_use": [],
      "not_in_use": [
        "3.1.14",
        "4.2.10",
        "4.2.11"
      ]
    },
    {
      "platform": "pypi",
      "name": "urllib3",
      "in_use": [],
      "not_in_use": [
        "1.25.14",
        "2.1.0",
        "1.11.99",
        "1.23.235",
        "1.26.18",
        "2.0.7"
      ]
    }
  ],
  "statistics": {
    "total_count": 5,
    "approved_count": 2,
    "approved_percent": 0.4,
    "unapproved_count": 0,
    "unapproved_percent": 0,
    "denied_count": 3,
    "denied_percent": 0.6,
    "requested_count": 0,
    "requested_percent": 0,
    "newly_introduced_count": 3,
    "newly_introduced_percent": 0.6,
    "warning_count": 0,
    "warning_percent": 0,
    "no_new_introduction_count": 0,
    "no_new_introduction_percent": 0
  },
  "production_statistics": {
    "total_count": 5,
    "approved_count": 2,
    "approved_percent": 0.4,
    "unapproved_count": 0,
    "unapproved_percent": 0,
    "denied_count": 3,
    "denied_percent": 0.6,
    "requested_count": 0,
    "requested_percent": 0,
    "newly_introduced_count": 3,
    "newly_introduced_percent": 0.6,
    "warning_count": 0,
    "warning_percent": 0,
    "no_new_introduction_count": 0,
    "no_new_introduction_percent": 0
  },
  "baseline_alignment": {
    "number": 36,
    "date": "2024-03-02T09:36:56.386Z"
  },
  "status": "failure",
  "revision": "20240305225227",
  "details_url": "https://tidelift.com/scans/f9fd1fa1-806a-436d-8b6b-f4012c1433b9"
}
Fields are as follows:
- organization: The organization that this alignment was run for
- files: The manifests, lockfiles, or SBOMs that Tidelift processed
- alignment_pct: What percentage of releases in the alignment met all relevant standards, as a number from 0-100
- unapproved, upcoming_denials, requested, no_new_introduction, warning, query_count: legacy fields, not used
- approved: a list of releases that met all relevant standards
- denied: a list of releases that failed any relevant standard
  - Each release has the following fields:
    - platform, name, version: the platform, package name, and version of the release
    - newly_introduced: whether this release is new since the last baseline alignment
    - scope: whether it's a production, development, or test dependency
    - violations: a list of violations of relevant standards for the release
      - Each violation has its own fields. All violations will have:
        - catalog_standard: the standard that was violated
        - title: a string description of the violation
      - Different types of violations will have different fields
        - In the license example above, you can see "license", which is the license that violated the standard
        - In the vulnerability example above, you can see:
          - vuln_id: the identifier of the vulnerability. This is normally the CVE ID for vulnerabilities that have a CVE
          - severity: the CVSS score for the vulnerability from NIST
          - lifter_recommendation: First-party information from Tidelift's partnered maintainers about the vulnerability. This includes:
            - real_issue: is this a real issue, or a false positive?
            - false_positive_reason: If real_issue is "false", a description of why it's a false positive
            - impact_score: How likely typical usage is to be affected, on a 0-10 scale
            - impact_description: A more detailed explanation of how typical usage is affected
            - includes_dev: Whether you would be affected by the vulnerability if you only use this package in a development or test capacity
            - specific_methods_affected: Whether this vulnerability only affects certain methods or ways of being invoked
            - specific_methods_description: If specific_methods_affected is "true", a more detailed explanation of specific_methods_affected
            - other_conditions: Whether any other relevant conditions would trigger the vulnerability
            - other_conditions_description: If other_conditions is "true", a more detailed explanation of other_conditions
            - workaround_available: Whether a workaround is available
            - workaround_description: If "workaround_available" is true, a more detailed description of the workaround
- catalog: The catalog that this alignment was performed against
  - name: Name as used when referencing the catalog in the API. This is also referred to as a "slug"
  - display_name: How the catalog's name is shown in the Tidelift user interface
  - id: The UUID of the catalog
- alternatives: For any denied releases, what alternatives can be used that do not have violations
  - platform, name: The platform and package name of the denied release
  - in_use: A list of alternative violation-free versions that are currently in use in other projects aligned to this catalog
  - not_in_use: A list of alternative violation-free versions that are not currently used by other projects aligning to this catalog
- statistics: A dictionary of statistics categorizing the number of releases in each category (denied, approved, etc.) as both raw numbers and percentages. This is useful if you want to make a nuanced determination of how many issues are a problem for you. Example fields:
  - total_count: the total number of releases
  - approved_count
  - approved_percent (range: 0-1)
  - denied_count
  - denied_percent (range: 0-1)
  - newly_introduced_count: the number of denied releases that are newly introduced since the baseline alignment. This is useful if you want to track regressions from previously used code.
- production_statistics: The dictionary from "statistics", with all numbers filtered to the number of "production" scoped dependencies. This is useful if you only want to act on issues in code that is used at runtime, not during build or testing. This contains the same fields as "statistics".
- baseline_alignment: The prior alignment that is used when determining whether a release is "newly introduced".
  - number: the alignment number
  - date: the date of the alignment
- status: the overall status of the alignment. This will be "success" if the alignment percentage is 100, and "failure" otherwise. If you want to make a more nuanced decision, inspect the individual fields rather than using this status.
- revision: the revision used for the alignment. This is either the revision passed to the "tidelift alignment" command, or the one calculated by the CLI if none was provided.
- details_url: a link to where the results of the alignment can be viewed in the Tidelift user interface by users with appropriate permissions
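As an added example (not Tidelift's own code), here is one way to make the "more nuanced decision" mentioned under status: a CI gate that blocks only on newly introduced, production-scoped denied releases. The function name `blocking_violations`, the 7.0 severity threshold, and the policy itself are assumptions of this example; the sample input is constructed from the fields documented above.

```python
import json

def blocking_violations(alignment, min_severity=7.0, scopes=("production",)):
    """Return (release, reason) pairs that should fail a build (example policy)."""
    blocking = []
    for rel in alignment.get("denied", []):
        # Ignore releases already in the baseline or outside the chosen scopes.
        if not rel.get("newly_introduced") or rel.get("scope") not in scopes:
            continue
        label = f'{rel["platform"]}/{rel["name"]}@{rel["version"]}'
        for v in rel.get("violations", []):
            if v.get("catalog_standard") != "vulnerabilities":
                # Licenses and any other standard always block; report the title.
                blocking.append((label, v.get("title")))
                continue
            try:
                score = float(v.get("severity"))  # arrives as a string, e.g. "8.1"
            except (TypeError, ValueError):
                score = 10.0  # missing or unparseable score: fail closed
            rec = v.get("lifter_recommendation") or {}
            # Skip only when the maintainer explicitly marked a false positive.
            if rec.get("real_issue") is False or score < min_severity:
                continue
            blocking.append((label, v.get("vuln_id")))
    return blocking

# Constructed sample built from the fields documented above. Django is marked
# newly_introduced=false here (unlike the page's output) to show the baseline filter.
SAMPLE = json.loads("""{"status": "failure", "denied": [
 {"platform": "pypi", "name": "urllib3", "version": "1.26.12",
  "newly_introduced": true, "scope": "production", "violations": [
   {"catalog_standard": "vulnerabilities", "vuln_id": "CVE-2023-45803",
    "severity": "4.2", "title": "low", "lifter_recommendation": {"real_issue": true}},
   {"catalog_standard": "vulnerabilities", "vuln_id": "CVE-2023-43804",
    "severity": "8.1", "title": "high", "lifter_recommendation": {"real_issue": true}}]},
 {"platform": "pypi", "name": "uWSGI", "version": "2.0.24",
  "newly_introduced": true, "scope": "production", "violations": [
   {"catalog_standard": "allowed_licenses", "license": "GPL-2.0",
    "title": "license GPL-2.0 is present"}]},
 {"platform": "pypi", "name": "Django", "version": "4.2",
  "newly_introduced": false, "scope": "production", "violations": [
   {"catalog_standard": "vulnerabilities", "vuln_id": "CVE-2024-24680",
    "severity": "7.5", "title": "old"}]}]}""")

if __name__ == "__main__":
    for release, reason in blocking_violations(SAMPLE):
        print(f"BLOCK {release}: {reason}")
```

A vulnerability with no lifter_recommendation is treated as real, so missing maintainer data never relaxes the gate.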