
Product update: Prioritize the most impactful work with contextualized end-of-life package and version insights

by Lauren Hanford on June 27, 2024

Updated on June 27, 2024


A few weeks ago, we announced the availability of open source package end-of-life data as part of the Tidelift Subscription. Today we are extending our end-of-life data capabilities with open source package version-level end-of-life data and enhanced reporting capabilities. These new features are designed to help our customers make informed decisions about prioritizing the work that has the most meaningful impact on lowering risks to their revenue, data, and business continuity.

What problem do these new capabilities address?

There are often significant latent risks associated with using end-of-life open source packages and versions. When a package or version has been declared end-of-life, any new vulnerabilities affecting it will no longer be addressed by the maintainers, leaving the burden of remediation entirely on the users. Our customers have asked us to help them identify and eliminate the risks posed by end-of-life packages and versions, as they often lead to larger issues such as:

  • Increased security risks: End-of-life open source software does not receive updates to fix newly discovered vulnerabilities, leaving organizations exposed to exploitation by malicious actors targeting known security flaws in outdated software. The absence of security patches can lead to data breaches, unauthorized access, and other cybersecurity incidents.
  • Operational disruptions: When vulnerabilities impact end-of-life open source software, organizations often go into fire drill mode, halting all other planned engineering work to identify the cause and to remediate the issue. This frequently involves re-architecting applications to replace the end-of-life software, which can be an expensive and time-consuming process (especially when unplanned), impacting new feature development and causing service disruptions for end users.
  • Regulatory non-compliance: Regulatory standards such as the PCI-DSS certification, cybersecurity requirements for financial services companies, and cybersecurity requirements for medical devices, require that organizations document the maintenance status, support status, and end-of-support date of their software. These requirements do not distinguish between third-party commercial and open source dependencies, meaning non-compliance with end-of-life software can result in significant regulatory penalties and legal repercussions.

What new functionality is Tidelift providing to address these challenges?

Previously, we announced the availability of open source package-level end-of-life data. When a package reaches its end-of-life date, the only solution is to re-architect and migrate away from it entirely. Fortunately, complete package end-of-life events are relatively rare.

A more common issue arises when specific versions of packages become end-of-life, typically due to the release of newer versions with enhanced features or security updates. This still presents a significant problem, as end-of-life versions do not receive updates, leaving users vulnerable in the event of a security issue, with the burden of remediation falling entirely on them.

Unlike complete package end-of-life scenarios, users have a more manageable path to resolution here. By proactively planning to upgrade to the latest supported versions, they can avoid the disruption and expense of emergency fire drills in response to vulnerabilities.

With this latest update, Tidelift not only provides package version end-of-life data but also helps our customers understand the level of risk associated with using outdated versions. We equip customers with meaningful information such as the number of applications utilizing the end-of-life version, the number of vulnerabilities actively affecting the end-of-life version, and the number of major and minor versions separating the end-of-life version from the latest supported version.

How are customers using this functionality?

Our customers want to proactively prioritize remediation efforts that will have the greatest impact in reducing risks. They are doing this by leveraging our open source software end-of-life data along with our contextualized reporting capabilities to:

Report on end-of-life related risk: Tidelift’s end-of-life data can be turned into reports that can be used to summarize the current risk posed by an organization’s open source software version end-of-life status. This summary is designed for reporting to key stakeholders, and typically occurs before detailed analysis of which specific packages need upgrades or replacements. The focus is on providing a high-level overview of the potential risks and necessary actions related to end-of-life software versions, helping leadership understand the strategic importance of proactive software maintenance and security.

Below is an example of a typical chart that one of our customers is using to contextualize the level of risk associated with end-of-life software and to drive urgency around it. The chart measures the number of applications that are using end-of-life software (both direct and transitive dependencies) against the number of major versions behind the latest supported version, with an additional filter on the number of vulnerabilities impacting the end-of-life version. As expected, the more out of date a version is, the higher the number of vulnerabilities impacting it.

[Chart: applications using end-of-life software, by number of major versions behind the latest supported version, filtered by number of vulnerabilities impacting the end-of-life version]

Analysis and prioritization of remediation work: Once customers have visibility into the end-of-life packages and versions in their applications, the next step is to analyze and prioritize the work that needs to be done to migrate away from the risk associated with those packages and versions.

The chart below is a scatter plot of all vulnerabilities impacting end-of-life package versions, with insights on the applications being impacted as well as the gap between the impacted versions and the most recent supported version. For example, the package version corresponding to the red dot below should be the highest-priority remediation work: it relates to a CVSS score of 9.8, is impacting 47 applications, and is 3.5 major versions behind the latest supported version. Similarly, the package version corresponding to the green dot can be a lower priority, as it corresponds to a lower CVSS score and is impacting only 4 applications.

[Scatter plot: vulnerabilities impacting end-of-life package versions, by CVSS score, applications impacted, and major versions behind the latest supported version]

These insights become even more impactful when combined with recommendations coming directly from Tidelift’s partnered maintainers. Our partnered maintainers are paid to provide insights such as an impact score that quantifies the likelihood of being impacted by a vulnerability, regardless of its CVSS score, as well as recommendations on how to remediate the vulnerability.

Here’s an example of a vulnerability impacting the Python package urllib3, along with insights about the likelihood of impact and remediation recommendations directly from the maintainers of the package.

[Screenshot: urllib3 vulnerability with maintainer-provided impact score and remediation recommendation]

Having reliable end-of-life data, the ability to contextualize the associated risks, and remediation recommendations from our partnered maintainers is making our customers more effective than ever at resolving technical debt and minimizing the risk, and business impact, of being affected by vulnerabilities.

More to come

Today we’re announcing the availability of package version end-of-life data. We’re also working on providing alternative package recommendations that users can use in the event a package they use becomes end-of-life. Keep checking this space for an update coming soon!

Contact us or read our documentation to learn more about how Tidelift can help you with end-of-life data and with eliminating bad open source packages.