Tracking your software dependencies with Tidelift

With Tidelift, you can remove the risk to your organization's revenue, data, and customers from bad open source packages. To get started, you must first track the list of dependencies of your software applications, also called a bill of materials.

This article covers how to begin tracking your applications, which are called "projects" in Tidelift. In this article, you'll learn:

  • What is a project in Tidelift?
  • What revisions of a project should you track in Tidelift?
  • How to create a new project
  • How to upload a manifest or an SBOM to track dependencies
  • How to track projects at scale across your organization

Once you've done this, you can start using Tidelift's reports and metrics to prioritize actions to remediate risk in your environment.

What is a project in Tidelift?

A project is an application, tool, or service in use in your organization that is built on open source code. For example, a data processing service could be one project, and the frontend code to a web application could be another. Tidelift provides actions and recommendations on remediating risk at the project level.

Tidelift recommends you create a project for each individual piece of software where you would make changes. Most customers create a project for each source code repository they maintain internally. If multiple applications are built out of a large source control repository, Tidelift recommends creating a project for each application built from that repository.

NOTE: Tidelift analyzes package manager manifests and lockfiles (usually from a source code repository), as well as software bills of materials in CycloneDX and SPDX format. Tidelift does not analyze container images or other built artifacts.

What revisions of a project should you track in Tidelift?

For tracking risk in your organization, Tidelift recommends tracking the versions of software that are deployed in your environment. Generally, this would be the main or production branch of your source control repository.

How to create a new project, and import a first set of dependencies

You may create projects from the Tidelift web application, or using the Tidelift CLI and API.

From the Tidelift web application

  1. Select Projects
  2. Select Create new project
  3. Name the project you wish to track and Next
  4. Locate the dependency manifests or CycloneDX/SPDX SBOM (software bill of materials) files for your project on your local system, and select Upload files. For a list of supported files, see Supported Ecosystems.

From the Tidelift CLI

  1. Ensure you are authenticated to use Tidelift CLI with your User or Organization API Key.
  2. Go to the root directory of your local software project / source control repository.
  3. Run tidelift projects new in the root directory of the project. You will need to provide a name for the project.

How to upload a manifest or SBOM to track dependencies

You may upload manifests and/or SBOMs from the Tidelift web application, or using the Tidelift CLI and API.

From the Tidelift web application

  1. Select Projects
  2. Choose your project
  3. Choose Upload new
  4. Locate the dependency manifests or CycloneDX/SPDX SBOM (software bill of materials) files for your project on your local system, and select Upload files. For a list of supported files, see Supported Ecosystems.

From the Tidelift CLI

  1. Ensure you are authenticated to use Tidelift CLI with your Organization or Project API Key.
  2. Run tidelift alignment save in the root directory of the project. This will upload any discovered manifests, analyze the dependencies, and create your bill of materials.

How to track projects at scale across your organization

Manually creating and uploading manifests can be useful for small organizations, but at the scale of most enterprises it is not practical.

When using Tidelift at scale in your organization, Tidelift recommends tracking projects in an automated fashion.

The two main ways that organizations use Tidelift at scale are:

Using a periodic sync process with Tidelift

If you have access to your source control hosting system, it is straightforward to perform a periodic sync of your repositories with Tidelift.

For example, a scheduled task every day could:

  • Install the Tidelift CLI
  • Check out the main branch of each repository that is tracked, and:
    • Run tidelift projects new to create the project (ignoring any errors if it already exists)
    • Run tidelift alignment save in the root directory of the project.

This ensures your bills of materials are up-to-date and that you can then use Tidelift's reports and metrics to prioritize risk.
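The daily sync described above, combining the two CLI steps from the earlier sections (tidelift projects new, then tidelift alignment save) with a loop over your repositories, written out as a POSIX shell script. This is an added example, not a script provided by Tidelift. It assumes that the Tidelift CLI reads its key from the TIDELIFT_API_KEY environment variable, that tidelift projects new accepts the project name through a --name flag, that every repository has a main branch, and that the repository list is a plain text file of clone URLs, one per line. The function names and the repos.txt and /var/lib/tidelift-sync paths are the example's own.

```shell
#!/bin/sh
# Nightly sync of source repositories into Tidelift projects.
# Added example, not a Tidelift-provided script. Assumptions (not stated in the article):
#   - the Tidelift CLI reads its API key from TIDELIFT_API_KEY
#   - `tidelift projects new` accepts the project name via --name
#   - each repository has a "main" branch to track
#   - the repository list file has one clone URL per line (blank lines and # comments ignored)
set -u

# Derive the Tidelift project name from a clone URL: the last path component
# without a trailing ".git" (handles https://host/org/repo.git and git@host:org/repo.git).
project_name_from_url() {
    name=${1%/}
    name=${name##*/}
    name=${name%.git}
    printf '%s\n' "$name"
}

# Run the two CLI steps inside a checkout. Creating a project that already
# exists is an error we deliberately ignore; failing to save the alignment is not.
sync_checkout() {
    dir=$1; name=$2
    (
        cd "$dir" || exit 1
        tidelift projects new --name "$name" >/dev/null 2>&1 ||
            echo "note: project '$name' not created (it probably exists already)"
        # Uploads every discovered manifest and rebuilds the bill of materials.
        tidelift alignment save
    )
}

# Clone or update the main branch of one repository, then sync it.
sync_repo() {
    url=$1; workdir=$2
    name=$(project_name_from_url "$url")
    dest=$workdir/$name
    if [ -d "$dest/.git" ]; then
        git -C "$dest" fetch --quiet origin &&
            git -C "$dest" checkout --quiet main &&
            git -C "$dest" merge --quiet --ff-only origin/main || return 1
    else
        git clone --quiet --branch main "$url" "$dest" || return 1
    fi
    sync_checkout "$dest" "$name"
}

# Sync every repository in the list. One failure is reported and counted but
# does not stop the remaining repositories; exit status is non-zero if any failed.
sync_all() {
    repos_file=$1; workdir=$2
    total=0; failed=0
    mkdir -p "$workdir"
    while IFS= read -r url || [ -n "$url" ]; do
        case $url in ''|'#'*) continue ;; esac
        total=$((total + 1))
        if ! sync_repo "$url" "$workdir" </dev/null; then
            failed=$((failed + 1))
            echo "error: sync failed for $url" >&2
        fi
    done <"$repos_file"
    echo "synced $((total - failed)) of $total repositories"
    [ "$failed" -eq 0 ]
}

main() {
    : "${TIDELIFT_API_KEY:?set TIDELIFT_API_KEY to an Organization API key}"
    sync_all "${1:-repos.txt}" "${2:-/var/lib/tidelift-sync}"
}

# Only run when invoked with arguments, e.g. from cron:
#   sh tidelift-sync.sh /etc/tidelift/repos.txt /var/lib/tidelift-sync
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Schedule it with cron or your job runner and alert on a non-zero exit status. A failed create is treated as "already exists" and skipped, exactly as the bullet above suggests, but a failed alignment save is counted and reported while the remaining repositories are still processed, so one broken checkout does not leave every other project's bill of materials stale.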

Using Tidelift within Continuous Integration (CI)

By integrating the Tidelift CLI inside your continuous integration (CI) environment, you can automatically create new bills of materials every time your software is built.

Tidelift provides sample integration scripts for many common CI environments. To learn more about how to use Tidelift within your CI environment, see Workflow Integration.

Tidelift is available to help

Tidelift support is available to ensure that you are successful at scale. Contact Tidelift support for more detailed information on how to integrate at scale in your environment, get sample integration scripts, and more.

What next?

At this point, you should have a bill of materials for a project, and be able to determine what risks are present in the software you're using. Next, Tidelift recommends working on plans to remediate that risk. To learn more about how Tidelift helps you prioritize and remediate risks, see Tidelift's reports and metrics.
