Catalog data sources

Data sources are set for each catalog. Using Tidelift-managed catalogs as data sources, you can enhance your catalog with verified and accurate information. You can set two types of data sources for your organization's catalog:

1. Licensing information (i.e., the license for each package in your catalog)

These catalogs give you verified license data for their included packages. You will be able to apply a license policy without researching and correcting the licenses on these packages yourself.

Default: Data sources for licensing information are set to Tidelift's license-annotated catalogs. Data from the upstream package managers are a source of license information that cannot be removed.

Impact on tasks: If you are using the "Releases use approved licenses" standard, you should see fewer 'unknown license' tasks when receiving license information as a data source. Tasks will also show you when a data source has corrected the licensing information.

2. Security vulnerability recommendations (i.e., upgrade advice for each vulnerability affecting packages in your catalog)

These catalogs give you vulnerability resolution recommendations. When you review security vulnerability tasks, you will see recommended actions based on how these catalogs handled those same vulnerabilities.

Default: Data sources for vulnerability recommendations are set to Tidelift's security-advised catalogs.

Impact on tasks: If you are using the "Releases have no vulnerabilities" standard, you will continue to receive tasks to notify you about new vulnerabilities. These tasks may now contain recommendations from your data sources, and you can use these recommendations to complete the tasks faster.

Using catalog release information

In addition to licensing information and security vulnerability recommendations, it is possible to force your catalog to be a subset of any of Tidelift's catalogs. For more information, read "Using Tidelift-approved releases".