Data sources are set for each catalog. Using Tidelift-managed catalogs as data sources, you can enhance your catalog with verified and accurate information. You can set two types of data sources for your organization's catalog:
1. Licensing information (ie. the license for each package in your catalog)
Default: Data sources for licensing information are set to Tidelift's license-annotated catalogs. Data from the upstream package managers are a source of license information that cannot be removed.
Impact on tasks: If you are using the "Releases use approved licenses" standard, you should see fewer 'unknown license' tasks when receiving license information as a data source. Tasks will also show you when a data source has corrected the licensing information.
2. Security vulnerability recommendations (ie. upgrade advice for each vulnerability affecting packages in your catalog)
Default: Data sources for vulnerability recommendations are set to Tidelift's security-advised catalogs.
Impact on tasks: If you are using the "Releases have no vulnerabilities" standard, you will continue to receive tasks to notify you about new vulnerabilities. These tasks may now contain recommendations from your data sources, and you can use these recommendations to complete the tasks faster.
Using catalog release information
In addition to licensing information and security vulnerability recommendations, it is possible to force your catalog to be a subset of any of Tidelift's catalogs. For more information, read Using Tidelift-approved releases.