You can track projects with the Tidelift Subscription. Each project represents a repository or application at your organization that contains open source.
Tidelift uses the package files from your project to generate a software bill of materials: a list of all the packages that project uses. At this time a project is limited to 100 package files, but those files can come from multiple ecosystems, so a single project could contain, for example, both JavaScript and Java open source packages. A project's bill of materials can be updated over time as its package files change.
Obtaining a bill of materials
Read here on how to start tracking a project and creating a bill of materials.
Viewing bill of materials
The full bill of materials lists every release contained in a project. You can access the latest bill of materials for a project from Projects > select an alignment from the alignments list > Bill of materials (found in the alignment summary). For each package in the bill of materials, you can see:
- The specific release
- The license
- The dependency chain of how it was brought in
- Whether it's used at runtime or development
- Whether the release is approved or denied for use in the project's open source catalog
A bill of materials can be exported as CSV, or in the SPDX and CycloneDX formats.
Learning about security vulnerabilities or licensing issues in a bill of materials
The bill of materials indicates whether each package release is approved or denied for use by the project's open source catalog. If a release is denied, the reason for the denial may be included, and developers are given actionable next steps (such as upgrading to an approved release).
To learn about potential issues with package releases you have not yet adopted, request or import those packages into the catalog. You will then be made aware of any relevant standards violations for them, which reduces noise and false positives.
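The following script illustrates the two mechanisms described above: deriving a bill of materials (release, license, runtime/dev scope, dependency chain) from a lockfile and exporting it in CycloneDX shape, then checking every listed release against an approval catalog and reporting denied or unknown releases with the chain that pulled them in and the developer's next step. It is an added example, not Tidelift's code, catalog data or export format: the lockfile, the catalog, the `example:dependency-chain` property and the helper names (`build_bom`, `check_catalog`, `dependency_chains`) are all constructed here, and the lockfile is assumed to be a flat package-lock.json v3 "packages" map.

```python
"""Build a CycloneDX-style bill of materials from an npm lockfile and check
each listed release against an approval catalog.

Added example, not Tidelift's code or export format. The lockfile, catalog,
the 'example:dependency-chain' property and all helper names are constructed
here. Only manifest/lockfile data is read, never application source."""
import json
from collections import deque

# Constructed package-lock.json v3 shape ("packages" map, flat node_modules).
LOCKFILE = {
    "name": "example-app",
    "packages": {
        "": {"version": "1.0.0", "dependencies": {"express": "^4.18.2"},
             "devDependencies": {"jest": "^29.7.0"}},
        "node_modules/express": {"version": "4.18.2", "license": "MIT",
                                 "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0", "license": "BSD-3-Clause"},
        "node_modules/jest": {"version": "29.7.0", "license": "MIT", "dev": True,
                              "dependencies": {"lodash": "4.17.15"}},
        "node_modules/lodash": {"version": "4.17.15", "license": "MIT", "dev": True},
    },
}

# Constructed catalog: approved releases per package and, where a release is
# denied, the reason recorded by the catalog owner. qs is deliberately absent.
CATALOG = {
    "express": {"approved": {"4.18.2"}},
    "jest": {"approved": {"29.7.0"}},
    "lodash": {"approved": {"4.17.21"},
               "reason": "only 4.17.21 meets this catalog's release standard"},
}

def _name(path):
    """'node_modules/@scope/pkg' -> '@scope/pkg' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]

def dependency_graph(lock):
    """Root and each package -> list of direct dependency names."""
    graph = {}
    for path, entry in lock["packages"].items():
        deps = list(entry.get("dependencies", {}))
        if path == "":  # only the root declares devDependencies
            deps += list(entry.get("devDependencies", {}))
        graph[lock["name"] if path == "" else _name(path)] = deps
    return graph

def dependency_chains(graph, root):
    """Shortest root -> ... -> package chain for every reachable package (BFS,
    so cycles in the graph terminate)."""
    chains, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in chains:
                chains[dep] = chains[cur] + [dep]
                queue.append(dep)
    return chains

def build_bom(lock):
    """CycloneDX 1.5 JSON: each component carries release, license, runtime/dev
    scope and the chain that pulled it in; 'dependencies' carries the graph."""
    root, graph = lock["name"], dependency_graph(lock)
    chains = dependency_chains(graph, root)
    pkgs = {_name(p): e for p, e in lock["packages"].items() if p}
    purl = lambda n: f"pkg:npm/{n}@{pkgs[n]['version']}"
    components = [{
        "type": "library", "bom-ref": purl(n), "purl": purl(n),
        "name": n, "version": e["version"],
        "licenses": [{"license": {"id": e["license"]}}] if "license" in e else [],
        # CycloneDX scope: "required" at runtime, "excluded" for dev/test-only
        "scope": "excluded" if e.get("dev") else "required",
        "properties": [{"name": "example:dependency-chain",
                        "value": " > ".join(chains.get(n, [n]))}],
    } for n, e in pkgs.items()]
    edges = [{"ref": purl(n), "dependsOn": [purl(d) for d in graph[n]]} for n in pkgs]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": root,
                                       "version": lock["packages"][""]["version"]}},
            "components": components, "dependencies": edges}

def check_catalog(bom, catalog):
    """Per component: approved / denied / not-in-catalog, with the chain (which
    direct dependency to change) and the developer's next step."""
    vtuple = lambda v: tuple(int(p) for p in v.split("."))
    report = {}
    for c in bom["components"]:
        entry = {"version": c["version"], "chain": c["properties"][0]["value"]}
        rule = catalog.get(c["name"])
        if rule is None:
            entry.update(status="not-in-catalog",
                         next_step="request or import the package into the catalog")
        elif c["version"] in rule["approved"]:
            entry["status"] = "approved"
        else:
            entry.update(status="denied", reason=rule.get("reason", "release not approved"),
                         next_step="upgrade to approved release "
                                   + max(rule["approved"], key=vtuple))
        report[c["name"]] = entry
    return report

if __name__ == "__main__":
    print(json.dumps(build_bom(LOCKFILE), indent=2))
    print(json.dumps(check_catalog(build_bom(LOCKFILE), CATALOG), indent=2))
```

The chain matters because the denied release is usually transitive: here `lodash` arrives via `jest`, so the fix is a `jest` change (or an override) rather than editing a direct dependency. Packages missing from the catalog are reported as "not-in-catalog" rather than denied, matching the request-or-import step above.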
What data does Tidelift look at?
Tidelift's analysis only receives and looks at data from your package manifests, lockfiles, and the dependency graphs resolved on your systems. Tidelift never receives your internal source code as part of project and bill of materials analysis.