I’ve heard about the old days... when software came on CD-ROMs shipped in boxes, product people like me celebrated a big release with press releases and parties, and customers could rip open their new boxes and start playing around, like with a new toy on their birthday.
Here at Tidelift, we live in a world where cool new product features ship every day. We ship so much good stuff so fast, that unless we make a conscious effort, we’ll forget to celebrate how far we’ve come.
I for one love a good party 🎉, so we’re going to combine a little of the old with the new. Once a quarter I’m going to write a blog post like this to share all of the amazing stuff we’ve been working on to help our customers move fast and stay safe when building applications with open source.
We’ve also scheduled a follow-up webinar for anyone who wants to see the new features in action or ask specific questions.
Let's dive in!
Over the last quarter, we’ve focused development work on some new features that help our customers move fast:
It is now easier than ever for the people on your team who manage your catalog (legal, development, and security) to complete their work in a more streamlined and efficient way. Our recent updates reduce cognitive load for these users while making it easier to build a paved path of approved open source components.
Catalog managers can now easily filter tasks by type, while also sorting CVEs by score. This brings more focus and clarity to the tasks they should be prioritizing. We’ve also made decision making more efficient with a consistent and cohesive experience for remediating catalog tasks using relevant data, including Tidelift’s catalog recommendations. Additionally, multiple standards violations now appear as multiple tasks, which makes it easier for catalog managers to address them in a centralized manner.
This feature was requested by several of our enterprise customers who are already benefiting from the new updates.
Image 1: Specific security CVE, with details on when the CVE was published, affected packages, and releases. It also shows Tidelift recommendations on how to address the CVE.
The Tidelift catalog contains the open source packages reviewed by Tidelift. All packages included in this catalog adhere to the same set of enterprise standards. With the Tidelift catalog, users can immediately get a baseline measurement of their open source health, and in most cases, clear recommendations on which packages should or should not be used.
Organizations can also improve the overall health of their open source, with recommendations on how to address security vulnerabilities and deprecated packages.
Future updates to the Tidelift catalog will make it possible for both partnered maintainers and customers to align to this single Tidelift catalog. Maintainers will be able to align their projects directly with the Tidelift catalog, making it easier to flag and annotate issues with their dependencies.
Image 2: In the image below you can see where to access the Tidelift catalog.
We’ve also shipped several new features designed to help our customers stay safe when using open source to build applications:
Many of our customers have asked us for better visibility and traceability within their preferred workflows. We aim to please, and have now delivered the necessary integrations to make this happen. Several organizations are already using this feature to easily extract a current software bill of materials (SBOM) and integrate it into their own desired workflows or business intelligence tools.
This functionality can also be used to ensure your organization has up-to-date records of the packages being used, track when specific packages originally entered the development lifecycle, and create SBOM diffs within the tooling of your choice.
Image 3: A typical output of the SBOM obtained using the API
We’ve made several updates improving our customers’ ability to set advanced open source standards and policies that improve the overall health and security of the open source software supply chain.
Many of our customers want help addressing and retiring technical debt. With our new up-to-date standard, catalog managers are alerted when a new release of a package is available, making an in-use release out of date. Catalog managers can create policies requiring all releases to be no older than a predefined period of time, denying releases that are too old and informing developers that updates are available and required.
Most organizations prefer not to use the very latest release of a package, as it may contain undiscovered issues that will be resolved as the release matures. The up-to-date standard makes it easy to define how far behind the latest release is still considered safe to use, without falling so far behind that future updates become a difficult task.
Image 4: Specific task triggered when a release becomes out-of-date. The Tidelift recommendation includes version guidance and suggested solutions.
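The up-to-date policy described above, as an added illustration that is not Tidelift's own implementation: an in-use release is denied once a newer release has been available for longer than a maximum age, and the recommended target is the newest release that has already matured for a minimum number of days. The release history, the policy thresholds and the two-threshold model are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed release history for a hypothetical package (sample data, not a real project).
RELEASES = {
    "1.0.0": date(2021, 3, 1),
    "1.1.0": date(2021, 6, 15),
    "1.2.0": date(2021, 10, 1),
    "1.3.0": date(2021, 12, 10),
}


@dataclass
class UpToDatePolicy:
    max_age_days: int    # deny the in-use release once a newer one has been out this long
    maturity_days: int   # only recommend releases that have been out at least this long

    def __post_init__(self):
        # A denial must always come with a mature target, so the windows must nest.
        if self.max_age_days < self.maturity_days:
            raise ValueError("max_age_days must be >= maturity_days")


def _version_key(version):
    return tuple(int(part) for part in version.split("."))


def evaluate(in_use, releases, policy, today):
    """Return (status, recommended_version).

    status is 'ok' (nothing newer), 'update-available' (newer release exists but the
    in-use one is still within policy) or 'denied' (in-use release is too old).
    recommended_version is None when no newer release has matured yet.
    """
    ordered = sorted(releases, key=_version_key)
    newer = [v for v in ordered if _version_key(v) > _version_key(in_use)]
    if not newer:
        return "ok", in_use
    # Candidate targets: newer releases that have been out long enough to trust.
    mature = [v for v in newer if (today - releases[v]).days >= policy.maturity_days]
    target = mature[-1] if mature else None
    # The in-use release is out of date once the oldest newer release crossed max_age.
    oldest_newer_age_days = (today - releases[newer[0]]).days
    if oldest_newer_age_days >= policy.max_age_days:
        return "denied", target
    return "update-available", target


if __name__ == "__main__":
    policy = UpToDatePolicy(max_age_days=90, maturity_days=14)
    for version in RELEASES:
        print(version, evaluate(version, RELEASES, policy, date(2022, 1, 5)))
```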
It is now easier than ever for catalog managers to track and update license information, at scale, for packages that require human review of licenses.
Tidelift has a thorough package evaluation process during which we assign a license to a package when the license is entered in SPDX style in the package's license field. We also map common non-SPDX style license entries to the correct format. However, when license information is inconclusive, typically due to spelling mistakes, missing license information, or internal packages, we require human review of the license information.
With this new standard, catalog managers receive notifications when a license requires human review with the ability to update the license, or to tag a license as “Internal” or “NONE” in the case of an internal package.
Image 5: License requires human review notification with description and affected packages and versions
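The license triage flow from the previous paragraphs, as an added example that is not Tidelift's code: an exact SPDX identifier is accepted, a small alias table maps common non-SPDX spellings, and everything else (typos, empty fields, ambiguous names like a bare "BSD") is routed to human review, where a catalog manager can resolve it with an SPDX identifier or the "Internal"/"NONE" tags. The SPDX subset and alias table are constructed for this example.

```python
# Constructed subset of SPDX identifiers; a real check would load the full SPDX list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-3.0-only", "ISC"}

# Assumed mapping of common non-SPDX spellings to SPDX identifiers (illustrative only).
ALIASES = {
    "apache 2": "Apache-2.0",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "mit license": "MIT",
    "new bsd": "BSD-3-Clause",
    "simplified bsd": "BSD-2-Clause",
    "gplv3": "GPL-3.0-only",
}

REVIEW_TAGS = {"Internal", "NONE"}  # manual outcomes that are not SPDX identifiers


def classify_license(raw):
    """Return ('resolved', spdx_id) or ('human-review', reason)."""
    text = (raw or "").strip()
    if not text:
        return "human-review", "missing license information"
    if text in SPDX_IDS:
        return "resolved", text
    normalized = " ".join(text.lower().replace("-", " ").split())
    if normalized in ALIASES:
        return "resolved", ALIASES[normalized]
    # Case-insensitive match on the SPDX id itself catches simple casing slips.
    for spdx in SPDX_IDS:
        if spdx.lower() == normalized.replace(" ", "-"):
            return "resolved", spdx
    # Anything left is ambiguous (bare "BSD"), misspelled, or custom: a human decides.
    return "human-review", f"unrecognized license string: {text!r}"


def resolve_review(decision):
    """Apply a catalog manager's decision on a human-review task.

    Accepts an SPDX identifier or one of the review tags; rejects anything else so
    a typo in the override cannot silently create a new non-SPDX license value.
    """
    if decision in SPDX_IDS or decision in REVIEW_TAGS:
        return decision
    raise ValueError(f"not an SPDX identifier or review tag: {decision!r}")
```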
The known-package standard alerts catalog managers when a developer requests use of a package that is unknown in official package repositories, either because it is internal, or because of a potentially malicious package taking advantage of a spelling mistake, known as “typosquatting”. Unknown packages can be tracked and administrators can implement a policy requiring all packages to be known. If a package is marked as a known package, it means Tidelift was able to find information about it on official package repositories or that it has been marked as known internally by a catalog manager.
Image 5: Unknown package notification with package description
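The known-package standard above, as an added example that is not Tidelift's implementation: a requested package is "known" if it exists in the official registry or has been marked known internally by a catalog manager; otherwise it is unknown, and if its name is within a small edit distance of a known package the task is additionally flagged as a possible typosquat so the reviewer looks at it first. The registry contents, the internal allowlist and the distance threshold are constructed assumptions.

```python
# Constructed stand-ins for an official registry and an internal "marked known" list.
REGISTRY_KNOWN = {"requests", "urllib3", "numpy", "flask", "django", "cryptography"}
INTERNAL_KNOWN = {"acme-billing-client"}


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                     # delete ca
                           cur[j - 1] + 1,                  # insert cb
                           prev[j - 1] + (ca != cb)))       # substitute
        prev = cur
    return prev[-1]


def classify_request(name, registry=REGISTRY_KNOWN, internal=INTERNAL_KNOWN, max_distance=2):
    """Return (status, near_misses).

    status is 'known', 'known-internal', 'unknown-possible-typosquat' or 'unknown';
    near_misses lists registry names within max_distance of the requested name.
    """
    name = name.strip().lower()
    if name in registry:
        return "known", []
    if name in internal:
        return "known-internal", []
    near = sorted(k for k in registry if edit_distance(name, k) <= max_distance)
    if near:
        return "unknown-possible-typosquat", near
    return "unknown", []


def is_allowed(status, require_known):
    """Policy gate: with require_known set, only known packages may be used."""
    if not require_known:
        return True
    return status in ("known", "known-internal")


if __name__ == "__main__":
    for requested in ("requests", "requets", "acme-billing-client", "brand-new-lib"):
        status, near = classify_request(requested)
        print(requested, status, near, "allowed" if is_allowed(status, True) else "denied")
```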
We are always looking for ways to benefit both our customers as well as our partnered maintainers, which is why we’re excited that maintainers can now create catalog recommendations on their own. This means it is easier for maintainers to provide more actionable recommendations, while it ensures customers can reduce the impact of false positives and receive timely information from the people who know these projects best.
As described previously, both maintainers and customers will be able to align to the Tidelift catalog. We will be working with maintainers to help them act on, create, and improve release and vulnerability recommendations relating to their dependency tree. This will result in more accurate, higher-quality, and actionable recommendations via the Tidelift catalog for our customers, allowing them to promptly address any open tasks associated with the packages they use.
—
We hope you found this product update useful. Want to learn more about any of these new features? Register and watch our product webinar which will include a live demo of all the new features. You can also visit our documentation page to learn more.
Please stay tuned for future product updates!
Wishing you all happy holidays!