You can track projects with the Tidelift Subscription. Each project represents a repository or application at your organization that contains open source.
Tidelift uses the package files from your project to generate a software bill of materials: a list of all the packages being used in this project. There is no limit to the number of package files that can be associated with each project, and you can use package files from multiple ecosystems (e.g. a project could contain both JavaScript and Java open source packages). These bills of materials can be updated over time.
Obtaining a bill of materials
Read the linked guide on how to start tracking a project and create a bill of materials.
Viewing bill of materials
The full bill of materials lists all of the releases contained in a project. You can access the latest bill of materials for a project from Projects > Select a version from project history > Bill of materials. For each package in the bill of materials, you can see:
- The specific release
- The license
- The dependency chain of how it was brought in
- Whether it's used at runtime or development
- If the package is approved for use or not in the project's open source catalog
A bill of materials can be exported as a CSV file or in the SPDX and CycloneDX formats.
Learning about security vulnerabilities or licensing issues in a bill of materials
The bill of materials indicates if a package release is approved or denied for use in the project's open source catalog. If a package release is denied for use, information may be included regarding why the package has been denied. Developers are then provided with actionable next steps (such as upgrading to an approved release).
To learn about any potential issues for new package releases, you should request or import these packages into the catalog. You'll then be made aware of the relevant standards violations, reducing noise and false positives. Read more about catalog standards work here.
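The per-package fields listed above (release, license, dependency chain, approval status) map directly onto what a CycloneDX export carries, and the catalog check described in this section can be reproduced offline against such an export. The following script is an added example, not Tidelift's code and not its export or catalog API: it parses a small CycloneDX 1.4 JSON document constructed inline, rebuilds each package's dependency chain from the `dependencies` graph, and reports each package as approved, denied (with the catalog's reason) or unreviewed, plus whether its license is on an allowed list. The package names, the approval list (`CATALOG`) and the denial reason are all constructed placeholders.

```python
"""Review a CycloneDX JSON bill of materials against a package approval list.

Added example; not Tidelift's code. The SBOM, the package names, the
approval list and the denial reason below are constructed sample data.
"""
import json
from collections import deque

# Constructed CycloneDX 1.4 document mixing two ecosystems (npm and Maven).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/widget-core@4.2.0", "purl": "pkg:npm/widget-core@4.2.0",
         "name": "widget-core", "version": "4.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/widget-utils@1.0.3", "purl": "pkg:npm/widget-utils@1.0.3",
         "name": "widget-utils", "version": "1.0.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:maven/com.example/reporting@2.0.0",
         "purl": "pkg:maven/com.example/reporting@2.0.0",
         "name": "reporting", "version": "2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    # Edges of the dependency graph: app -> widget-core -> widget-utils, app -> reporting
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/widget-core@4.2.0",
                                     "pkg:maven/com.example/reporting@2.0.0"]},
        {"ref": "pkg:npm/widget-core@4.2.0", "dependsOn": ["pkg:npm/widget-utils@1.0.3"]},
    ],
})

# Constructed stand-in for a catalog: purl -> (approved?, reason). Not Tidelift's API.
CATALOG = {
    "pkg:npm/widget-core@4.2.0": (True, ""),
    "pkg:npm/widget-utils@1.0.3": (False, "release denied by catalog policy; upgrade to 1.1.0 (constructed reason)"),
}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def load_bom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def dependency_chains(bom):
    """Map each bom-ref to the shortest chain of refs from the root component (BFS)."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in chains:          # first visit is the shortest path
                chains[child] = chains[ref] + [child]
                queue.append(child)
    return chains


def component_license(component):
    """Return the SPDX id(s) declared for a component, or NOASSERTION if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return ", ".join(ids) if ids else "NOASSERTION"


def review(bom_text, catalog, allowed_licenses):
    """Produce one finding per component: release, license, chain, approval status."""
    bom = load_bom(bom_text)
    chains = dependency_chains(bom)
    findings = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        lic = component_license(comp)
        if ref in catalog:
            approved, reason = catalog[ref]
            status = "approved" if approved else "denied"
        else:
            status, reason = "unreviewed", "not in catalog; request or import it for review"
        findings.append({
            "purl": comp.get("purl", ref),
            "version": comp.get("version", ""),
            "license": lic,
            "license_ok": lic in allowed_licenses,
            "chain": " -> ".join(chains.get(ref, [ref])),
            "status": status,
            "reason": reason,
        })
    return findings


def needs_action(findings):
    """Everything a developer has to act on: denied, unreviewed, or disallowed license."""
    return [f for f in findings if f["status"] != "approved" or not f["license_ok"]]


if __name__ == "__main__":
    for f in needs_action(review(SAMPLE_SBOM, CATALOG, ALLOWED_LICENSES)):
        print(f"{f['status']:<10} {f['purl']:<45} license={f['license']} chain={f['chain']}")
        if f["reason"]:
            print(f"           reason: {f['reason']}")
```

The chain is reconstructed with a breadth-first walk so that a transitive package is attributed to the shortest path from the application, which is the path a developer will want to follow when deciding what to upgrade; a package that reaches the project through several routes is reported once. Unreviewed packages are kept separate from denied ones because the remedy differs: a denied release needs an upgrade, an unreviewed one needs a catalog request first.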