Vulnerability scanning, also referred to as software composition analysis (SCA), has been around for two decades. For most, being alerted about known issues in open source software is essentially a solved problem. Many organizations already check their apps at build or release time, and have processes in place to notify teams about vulnerabilities that need to be fixed.
However, many of these same organizations are still seeing unsolved problems around issues that aren’t directly “you need to upgrade for a fixed vulnerability.”
Here are two common examples:
- They have apps they can’t upgrade, because their dependencies aren’t getting new releases.
- They chose an open source framework that was end-of-lifed two years later.
While many organizations have and use SCA tools, they’ve learned that just addressing SCA results hasn’t helped manage these unsolved risks described above. They want to lower the risk in their applications before it becomes a problem, and know what issues are lurking under the surface.
Enter Tidelift. Along with our in-house data team, Tidelift has built a significant network of partnered open source maintainers. This has allowed Tidelift to undertake research efforts and compile an expansive open source software dataset that is human-researched and maintainer-verified.
This data set includes insights on package licenses, releases, vulnerabilities, development practices, and long-term outlook. Our customers are already using insights from Tidelift’s open source intelligence to make informed decisions and proactively minimize the risks their organization faces from open source software.
How do customers use Tidelift intelligence data?
Faster research for better decisions
The easiest way to avoid having to replace unmaintained open source dependencies is to not bring them in at all. Organizations rely on Tidelift to assist in reviewing new open source software being considered for use, ensuring it:
- Matches their license policy
- Has a history of responding to security and other issues
- Is actively maintained and receiving fixes
- Has financial support to ensure long-term viability
Tidelift provides a one-stop shop for answering these questions and more. Open source program offices save the time they would have spent researching, meaning developers can get answers faster, and security and legal departments have peace of mind by proactively reducing risk.
Continuous knowledge for proactive risk management
Reviewing new open source packages under consideration to understand their security, maintenance, and licensing practices is a good thing. But it’s not a one-time solution. Software can be re-licensed. Maintainers can lose funding to continue maintenance, or can walk away at any time. A framework may no longer be the best solution to the problem and become deprecated.
Tidelift continuously analyzes software so that organizations can be informed of these changes as they happen, not months to years later when a latent vulnerability is discovered and no one’s there to fix it. Engineering organizations get proactive information so they can plan remediation instead of fire-drilling an urgent fix, while security, compliance, and legal departments get peace of mind.
Informed vulnerability mitigation for prioritization
No one wants vulnerabilities. But it can be overwhelming to get a list of vulnerabilities that affect all your direct and transitive dependencies, and not know where to start. Not all vulnerabilities are created equal—some are in development or test dependencies that are never deployed to production. Others may only affect the software when used in certain ways. And still others may be complete false positives, due to a misunderstanding by a bug reporter.
Tidelift works with its partnered maintainers to provide detailed vulnerability information on any vulnerability report that affects their software, including whether it’s a real issue, the likelihood of it being exploited in practice, and what methods or use cases are affected by the issue. Organizations use this data to prioritize fixing the real risks, and not spend time on compliance theater.
What open source intelligence does Tidelift provide?
Automated, structured, and centralized data
Tidelift scans data from upstream package manager ecosystems and from upstream source repositories. This data is easily accessible in one centralized Tidelift location, saving customers the time and resources required to find key information on public open source packages.
Scraped information from Libraries.io, an open source project powered by Tidelift, includes things such as:
- Lists of releases and release dates, to track what’s current and if you’re behind
- Upstream license information, to track against your legal requirements
- Upstream source repository location, to check in on maintenance activity
- Per-release dependencies, as specified in package manager metadata, to know what you’re bringing in beyond a direct dependency
Tidelift then enhances this data with additional sources of information, including:
- Source repository maintenance (Last commit date, contributions, issues, and pull requests over the past year), allowing you to see how a piece of software is maintained
- OpenSSF scorecard information (whether releases are signed, whether binary artifacts are present, and more), giving information on a number of security relevant checks that can aid in decision-making.
Tidelift human-researched data
Tidelift’s team invests time to research data on open source software when it can’t be scraped reliably.
When license information is unclear or nonstandard upstream, Tidelift works to normalize it. When license information is missing, Tidelift researches it so that our customers have accurate information about their license exposure and can make confident decisions about which packages they should be using. Tidelift has normalized and researched licenses for over one million software releases, and this data is only available with a Tidelift Subscription.
Analyzed and researched data
Tidelift uses the raw data, analyzes it for patterns, and performs research to provide conclusions to our customers.
Tidelift analyzes the contribution statistics that have been gathered to determine whether a package might be unmaintained. If it appears unmaintained, Tidelift researches a number of criteria (maintainer activity elsewhere, documentation and repository markers, public statements) to determine whether the package is actually unmaintained, and makes that information available to our customers. Tidelift does this work on behalf of our customers, saving them hours upon hours of research and analysis of contribution details. We also make the raw data available for customers who want to run their own analysis.
Tidelift also uses this information to analyze releases. Releases are vetted on a number of criteria, not just vulnerabilities, and assessed for suitability. Release criteria that Tidelift analyzes includes:
- Is the package unmaintained? Unmaintained software is a security risk.
- Has the package been deprecated? Deprecated software may not get security updates, and will likely become unmaintained.
- Is the release a prerelease? Prerelease software is subject to change, and should be avoided.
- Is the release affected by any vulnerability? You don’t want to start out using something that’s already vulnerable.
- Has the release been removed from upstream? If the maintainer or package manager removed the software, there was a good reason and it should not be used.
- Is the release more than 7 years old? Staying current in technology is the best way to avoid latent issues.
Tidelift then combines this information with information on the releases’ dependencies to determine whether any of the releases’ dependencies have any of these issues. Tidelift consolidates this into a recommendation field that lets you know whether using this release will bring any issues into your environment, either directly or indirectly through transitive dependencies—and if it will, Tidelift tells you what those issues are.
In addition, Tidelift provides additional quality checks relating to security, development practices, and long-term outlook such as:
- Is there a security policy for the package? Maintainers with published security policies are making a commitment to handle security issues properly.
- Are the package maintainers responsive to security issues? Even if the software has no issues now, you want to ensure you are using software where maintainers will be responsive in the future.
First-party maintainer data
Tidelift works directly with open source maintainers to get expert information on the packages they maintain, including their development practices and issues that affect the packages. Tidelift also pays those maintainers to improve their packages’ development practices and security posture.
The data Tidelift gets directly from maintainers includes:
- Reviews of who has publishing rights on upstream package managers to ensure only those who should push releases are able to. Separation of privileges lowers the chance of account compromise leading to malicious software.
- Assertion of multi-factor authentication for both contributing code and publishing releases, which reduces the risk of malicious code injection.
- Detailed recommendations on vulnerability handling, including:
- Available workarounds
- Specific affected methods and access patterns (such as whether it affects usage in development and testing, or only production)
- Are issues false positives, and why
Major organizations are using Tidelift’s open source intelligence today to make better informed decisions about the open source they use, proactively manage risk before it becomes a problem, prioritize the most important fixes and ignore the noise, and handle their external compliance requirements. Learn how Tidelift can bring these benefits to your organization—reach out to Tidelift today!