Integrating Tidelift data with other services

Tidelift’s APIs and reports make it easy to combine Tidelift’s data with other data sources in the tools your organization uses to organize work efforts.

What can you do with Tidelift data?

Tidelift’s APIs and reports provide plenty of information to help decide which issues with your open source application dependencies make sense for your team to remediate or eliminate first.

Identify the most actionable dependencies

Issues often arise in transitive dependencies – dependencies of dependencies. Most of the time you can’t directly fix the transitive dependencies, but you can upgrade or swap out the direct dependency.

Isolate issues of a specific type

A single package version can have one or more different types of issues (for example, security vulnerabilities or licensing issues)! You can filter on the issue type to constrain reports to just the type you care about.

Target specific attributes

Tidelift provides deeper information on why particular dependencies are bad for your organization to keep using. You can filter on violation details to, say, only focus on security vulnerabilities with a High or Critical score.

Integrating Tidelift data with other sources

Integrating Tidelift data with other data sources requires matching on one or more facets, a piece of data to identify a record among a large set of records. Tidelift’s APIs and reports focus on the following facets:

  • Releases – A combination of ecosystem (RubyGems, npm, etc.), package name (active_admin, vue), and version number (1.2.3, 3.2.25) – npm vue 3.2.25
    • Releases can also be represented as purls – Package URLs – pkg:npm/vue@3.2.25
  • Packages – Just the ecosystem and package name part of a release – npm vue
    • Packages can also be represented as purls – Package URLs – pkg:npm/vue
  • Projects – A repository or application in your organization that contains open source software – libraries-io

As long as the data in another tool includes one of these facets, you can integrate Tidelift data with those data sources:

  • Vulnerability analysis tools like Contrast Security, Sonatype, or Veracode
  • Risk analysis tools like Kenna
  • Internal business tools that unify Tidelift’s reporting data with application lifecycle information

Ensuring developers have a concise set of package migration work

It’s quite possible for a package or version of a package to have one or more violations, and even more than one of the same type of violation! Additionally, more violations may be discovered for the package or version as time moves on. To avoid creating duplicate tickets or double-counting packages in your calculations, it’s best to build a unique composite key based on your organization’s needs.

For example, if your use case is to group actions by the following:

  • Transitive package + version
  • Direct package + version (if found)
  • Project name

You could construct the unique identifier using these report fields and Ruby code like this:

require 'digest'
# Join the three facets, then hash so the key is fixed-length and safe to store in a ticket field
identifier = [violating_purl, direct_purl, project].join('-')
identifier = Digest::SHA256.hexdigest(identifier)

The purl fields contain the package URL for the violating or direct package, which includes the ecosystem, package name, and version.
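As an added example (not code from the Tidelift docs or the jira-integration-example project), here is the composite key from this section in Python, together with a purl splitter for the release and package facets described above and a grouping step that keeps only High or Critical vulnerabilities. The report rows are constructed, and the nested violation_details shape is assumed from the field names on this page.

```python
import hashlib
from collections import defaultdict

# Constructed sample rows shaped like the All Projects Violations report; nested shape assumed.
VIOLATIONS = [
    {"project": "libraries-io", "violating_purl": "pkg:npm/vue@3.2.25",
     "direct_purl": "pkg:npm/vue@3.2.25", "violation_type": "vulnerabilities",
     "violation_details": {"vulnerability": {"id": "CVE-XXXX-0001", "severity_rating": "High"}}},
    {"project": "libraries-io", "violating_purl": "pkg:npm/vue@3.2.25",
     "direct_purl": "pkg:npm/vue@3.2.25", "violation_type": "vulnerabilities",
     "violation_details": {"vulnerability": {"id": "CVE-XXXX-0002", "severity_rating": "Critical"}}},
    {"project": "libraries-io", "violating_purl": "pkg:npm/vue@3.2.25",
     "direct_purl": "pkg:npm/vue@3.2.25", "violation_type": "licenses",
     "violation_details": {"license": "EXAMPLE-PLACEHOLDER"}},
    {"project": "billing-api", "violating_purl": "pkg:gem/active_admin@1.2.3",
     "direct_purl": None, "violation_type": "vulnerabilities",
     "violation_details": {"vulnerability": {"id": "CVE-XXXX-0003", "severity_rating": "Low"}}},
]


def split_purl(purl):
    """Split 'pkg:npm/vue@3.2.25' into (ecosystem, name, version); version may be None."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]      # drop qualifiers and subpath
    ecosystem, _, rest = body.partition("/")
    head, sep, tail = rest.rpartition("@")
    if sep and "/" not in tail:                       # '@' after the last '/' is the version
        return ecosystem, head, tail
    return ecosystem, rest, None                      # scoped name such as @scope/name, no version

def package_purl(release_purl):
    """Drop the version to get the Packages facet: pkg:npm/vue@3.2.25 -> pkg:npm/vue."""
    ecosystem, name, _ = split_purl(release_purl)
    return f"pkg:{ecosystem}/{name}"

def composite_key(row):
    """The page's identifier: sha256 of violating_purl-direct_purl-project (direct may be missing)."""
    raw = "-".join([row["violating_purl"], row["direct_purl"] or "", row["project"]])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def actionable_work(rows, ratings=("High", "Critical")):
    """One work item per composite key, listing only High/Critical vulnerability ids."""
    work = defaultdict(list)
    for row in rows:
        if row["violation_type"] != "vulnerabilities":
            continue
        vuln = row["violation_details"]["vulnerability"]
        if vuln["severity_rating"] in ratings:
            work[composite_key(row)].append(vuln["id"])
    return dict(work)
```

With the sample rows, the two High/Critical vue findings collapse into a single work item while the license violation and the Low-rated finding are left out.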

Prerequisites

For these examples, you will need a Tidelift subscription, as well as:

  • A catalog with at least one catalog standard enabled
  • A project associated with that catalog
  • A saved alignment with at least one violation

Keep in mind that the interfaces for the tools below may change unexpectedly. Adjust your use of them accordingly.

Targeting the solutions that will have the most risk impact in Microsoft Power BI

Power BI is a business intelligence tool that runs on Windows desktop and on the web. It can ingest and query nested JSON data like Tidelift’s All Projects Violations report directly, so you don’t need to expand individual JSON records into separate columns, which keeps the database table schema easier to work with. This assumes you have access to the web interface of Power BI and are comfortable with:

  • Working with KQL databases, and that you have one already created
  • Uploading CSV or JSON files into those databases and creating schemas for them
  • Writing KQL queries
  • Building a report from the results of a KQL query

(Writer’s note: I’m not the most experienced of Power BI users. If you know what you’re doing, you should be able to get a much better result and workflow than this!)

Steps

  1. Download a copy of the All Projects Violations report (in JSON format) from your catalog’s Reports page.

  2. Load the local JSON report data into a new table called tl_all_projects_violations. Ensure the format is JSON and that, under Advanced Options, Nested levels is set to 1.

  3. Run the following KQL query to see how to filter the Tidelift JSON data down to vulnerabilities rated High or Critical:
    tl_all_projects_violations
    | where violation_type == "vulnerabilities" and (
      violation_details.vulnerability.severity_rating == "High" or
      violation_details.vulnerability.severity_rating == "Critical"
      )
    | extend cve_id = tostring(violation_details.vulnerability.id)
    | extend severity_rating = tostring(violation_details.vulnerability.severity_rating)
    | project action_id, ['project'], platform, violating_package, violating_version,
      cve_id, severity_rating


  4. Build a Power BI report for the results:
    • Include all the fields in a Table component
    • Create a Stacked Bar Chart to filter on Projects
    • Create a bar chart to filter on Severity Rating

Keeping a Jira board up to date with problems that you want your developers to fix

We have an example Python script that will:

  • retrieve the latest All Projects Violations report
  • group violations by violating purl and project
  • create or update issues on a Jira board with the violation details as the issue’s description

This uses the External API to retrieve the All Projects Violations report and requires that you create a Tidelift API key.

Check out the project for implementation details. Note that this is not a full Jira integration!

Steps

  1. Note the Key for your Jira board.

  2. Create a new Short text field to hold the unique Tidelift identifier for each issue.

  3. Get a Jira API token.
  4. Get a Tidelift organization or user API key.
  5. Clone the jira-integration-example repository and follow the instructions. Update .env and config.yml with the settings from above.
