
export

Description

Safely exports a software package from the local package store to a user-specified location. Packages are referenced by their purls, as registered in the rl-secure package store.

This functionality is equivalent to the Download File option in Spectra Assure Portal File Stream and Projects.

Software package integrity is automatically verified in the package store before exporting the file to the user-specified location.

It's also possible to check the integrity of a software package in the package store without exporting it. To do this, use the --check-only option in the command. Failed hash verification will result in an error, and if the command is used in a CI/CD setting, the build is expected to fail as well.

The export command allows exporting software packages that have failed the quality assurance testing and/or the integrity verification. When you first try to export a software package with the FAIL status, the command output warns about the issue and prevents the package from being exported. Adding --allow-bad-quality or --allow-bad-integrity options to the command will override the export restriction.

Exporting potentially harmful packages

Using --allow-bad-integrity is highly discouraged. Generally, integrity errors in software packages are likely due to file tampering. Exporting such software packages should only be done by security teams to review the packages for signs of malicious intent.

Usage

rl-secure export <purl> <file-path> [<options>]

rl-secure export --purl=<purl> --file-path=<file-path> [<options>]

Options

| Option | Description |
| --- | --- |
| -p, --purl | Required. Package URL of the software package you want to export from the rl-secure package store. Must be in the format [pkg:type/]<project></package><@version>. The purl must be specified first in the command, before the --file-path (and any other options). |
| --file-path | Required. Destination file path where the exported software package file will be copied. The output file name must be specified, but does not need to match the original file name. |
| -s, --rl-store | Path to an initialized package store containing the package URL to export. If you don't specify the path, the current directory is used. |
| --allow-bad-quality | Export the package even if it failed software quality assurance testing. |
| --allow-bad-integrity | Export the package even if it failed integrity verification. |
| --check-only | Check the integrity of the software package in the package store without exporting it. |
| --replace, --silent | Don't prompt about replacing the file when it already exists in the destination file path. |
| --no-tracking | Don't display progress bars. |
| --no-color | Don't color the output. |
| -h, --help | Display usage information and exit. |

Examples

Export a software package

This example exports a software package from the package store as a file with the user-specified file name into a directory on the local system.

Because we have previously exported the same software package with the same file name into that directory, the command output prompts us to replace the existing file. To prevent this, you can use the --silent option with the command.

The command expects the package store to exist in the current directory. Use the -s or --rl-store options to provide an alternative path to the package store.

rl-secure export my-project/my-package@1.0 /home/armando/Downloads/output_file
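
The --check-only option and the export restrictions described above can be combined into a CI gate that verifies a package before exporting it. The wrapper below is an added example, not part of the rl-secure documentation; it assumes rl-secure exits with a non-zero status on failure, and RL_SECURE_BIN, RL_STORE and export_verified are hypothetical names.

```shell
#!/bin/sh
# Added example: gate an export on a separate integrity check.
# Assumption: rl-secure exits non-zero when the check or the export fails.
# RL_SECURE_BIN, RL_STORE and export_verified are hypothetical names.

RL_SECURE_BIN="${RL_SECURE_BIN:-rl-secure}"
RL_STORE="${RL_STORE:-.}"   # package store path; current directory by default

export_verified() {
    purl="$1"
    dest="$2"
    if [ -z "$purl" ] || [ -z "$dest" ]; then
        echo "usage: export_verified <purl> <file-path>" >&2
        return 2
    fi

    # Step 1: verify the stored package without writing anything.
    # The file path is passed because the usage line lists it as required.
    if ! "$RL_SECURE_BIN" export "$purl" "$dest" \
            --rl-store="$RL_STORE" --check-only --no-tracking --no-color; then
        echo "integrity check failed for $purl; not exporting" >&2
        return 1
    fi

    # Step 2: export. --silent avoids the replace prompt, which would block
    # a non-interactive job. No --allow-bad-* override is ever passed, so a
    # package with FAIL status stops the build here.
    if ! "$RL_SECURE_BIN" export "$purl" "$dest" \
            --rl-store="$RL_STORE" --silent --no-tracking --no-color; then
        echo "export refused or failed for $purl" >&2
        return 1
    fi
    echo "exported $purl to $dest"
}

# Run directly: sh export_verified.sh <purl> <file-path>
if [ "$#" -ge 2 ]; then
    export_verified "$1" "$2"
fi
```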