Reviewing security vulnerabilities

You can ensure that every requested and approved package release is reviewed for known vulnerabilities by enabling the ‘Releases have no vulnerabilities’ standard.

Tidelift maintains a security database of vulnerabilities and proactively reviews each new entry. For each vulnerability, we share a recommended upgrade path and advice from the upstream maintainers. This lets your designated catalog administrator make an informed decision about whether to remove the vulnerable release or create an exception.

How do I set up security vulnerability review?

To ensure all security vulnerabilities are reviewed, turn on the ‘Releases have no vulnerabilities’ standard from the Catalogs > Standards page.

What happens if a package release in my catalog doesn’t meet this standard?

If Tidelift learns about a new security vulnerability on an already-approved package release, we will notify you with a task to review the new security vulnerability. When completing the task, you will be presented with recommendations from Tidelift on how to handle the security vulnerability.

You can choose to either Accept Tidelift’s recommendation or make a decision yourself on how to handle each vulnerable release. Your options include:

  • Replace with an unaffected release – The vulnerable release is denied on a specified date, and a newer, unaffected release of the same package is approved for use immediately.
  • Remove the vulnerable release – The vulnerable release is denied on a specified date; no other release is approved in its place.
  • Create an exception – The vulnerable release stays approved in your catalog.

When choosing to deny the vulnerable release, the catalog administrator can specify the date on which the vulnerable package release will become denied. The release remains approved until that date, giving developers a buffer period in which to make the requisite changes to their repositories. To deny the release immediately, select today’s date.

What happens when a newly requested release doesn’t meet this standard?

If a newly requested release contains a security vulnerability and this standard is turned on, you will be warned that the release contains a standards violation. You can review the vulnerability and all related information before deciding whether to approve or deny the request. Approving the request creates an exception.

Creating and removing exceptions

You can review the exceptions created for this standard by selecting Catalogs > Standards > Releases have no vulnerabilities > View exceptions.

From that page you can view the list of exceptions, create new exceptions, remove existing ones, and export the list as a CSV.