Declare network services

The Spectra Assure platform automatically detects a wide range of networking locations and services in your software packages. Those services are typically APIs with one or more endpoints, and Spectra Assure is able to distinguish them from other URIs extracted during software analysis. This capability highlights another aspect of third-party software risk by making it clearer what your software interacts with and in what ways (retrieving information, uploading information, or both).

Detected network services are included in SAFE and CycloneDX reports as part of an extension to the SBOM called the SaaSBOM (Software-as-a-Service Bill of Materials). In addition to providing transparency into detected network services, the SaaSBOM allows software producers to self-declare networking locations that their applications reach out to.

In some cases, your application may interact with a service that is not explicitly marked as such in Spectra Assure analysis reports, or you might want to change some details about a detected service. To do this, you can create a networking filter that will look for a specific pattern and apply your policy configuration changes to all URIs matching that pattern.

If you declare the matching URIs as network services, they will then be visible in the Bill of Materials > Services section of the SAFE report.

Examples in this guide show how to modify the policy configuration for existing projects and packages in a previously created package store. If you haven't yet created any projects and packages, follow the instructions in the quick start guide.

Policy configuration fields

Declaring network services uses the following policy configuration objects and their fields:

  • networking.protocol.address.service

Consult the policy configuration schema for details on all supported options.

Add a new network service

In this example, a network service for a software package is missing from the analysis reports. As a software publisher, we want to make sure it's included in all report formats that can display information about network services.

To do this, we're modifying the policy configuration file for the software package (the .package_policy.info file). When changes are synchronized, the configuration will apply to all versions in that package.

In the configuration file, we're going to create one networking filter to declare a new network service matching a specific URI.

If you needed to declare multiple services with different URIs, you would create a separate filter for each URI. Avoid creating separate filters that target the identical URI pattern, as it may produce unwanted results.

1. Modify package policy settings

1) In the rl-secure package store, navigate to the policy configuration file for the package and open it in a text editor. In this example, the full path to the file we're editing is /home/armando/my-repository/.rl-secure/projects/my-app/packages/my-app-windows/.package_policy.info.

2) In the .package_policy.info file, add a new networking filter.

  • In protocol, specify one or more protocols that the filter should target. Wildcard matching is supported with the * character. In this example, http and https will be matched.
  • To ensure that the filter is applied when analyzing files, set enabled to true.
  • In address, specify at least the host value. You can specify other parts of the URI for more precise matching if needed. In this example, we're also specifying path.
  • For every network service you want to declare, add a service object with details about the service.
Example networking filter
policies
{
    profile "package_profile"
    {
        inherit_rules "project_profile"

        networking
        {
            protocol "http*"
            {
                enabled true
                filter
                {
                    address
                    {
                        host "*.domain.com"
                        path "api/v1/user"

                        author "Spectra Assure"
                        reason "Declaring network services"
                        timestamp "2025-03-27T08:38:14+00:00"

                        service
                        {
                            auth true
                            type "data-exchange"
                            name "My user service"
                            version "1.1"
                            flow "bidirectional"
                        }
                    }
                }
            }
        }
    }
}

3) Save changes to the file and close it.
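Before synchronizing, it is worth checking a policy file for the two pitfalls this guide calls out: filters that target an identical URI pattern, and service objects missing the required name and type (plus a filter left with enabled not set to true). The following Python script is an added example, not part of this guide or of the rl-secure tooling. It assumes the policy syntax is exactly what the examples show (key/value pairs, named blocks, nested braces) and lints a constructed policy fragment in which the second filter deliberately repeats the first pattern and omits the service type.

```python
import re
from collections import Counter

# Constructed sample policy fragment, modelled on the filter in this guide.
# The second filter repeats the first URI pattern and omits the required "type".
SAMPLE_POLICY = '''
policies {
  profile "package_profile" {
    inherit_rules "project_profile"
    networking {
      protocol "http*" {
        enabled true
        filter {
          address {
            host "*.domain.com"
            path "api/v1/user"
            service { type "data-exchange" name "My user service" version "1.1" }
          }
        }
        filter {
          address {
            host "*.domain.com"
            path "api/v1/user"
            service { name "Duplicate service" }
          }
        }
      }
    }
  }
}
'''

TOKEN_RE = re.compile(r'"([^"]*)"|([{}])|([^\s"{}]+)')

def tokenize(text):
    """Split the brace-delimited policy syntax into (kind, text) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2):
            tokens.append(("brace", m.group(2)))
        else:
            tokens.append(("word", m.group(3)))
    return tokens

def parse_block(tokens, i=0):
    """Parse entries up to the matching '}'. A node is {"key", "name", "value", "children"};
    protocol "http*" { ... } yields key "protocol" with name "http*" (assumed grammar)."""
    nodes = []
    while i < len(tokens):
        kind, text = tokens[i]
        if (kind, text) == ("brace", "}"):
            return nodes, i + 1
        if kind != "word":
            raise ValueError(f"expected a key, got {text!r}")
        node = {"key": text, "name": None, "value": None, "children": []}
        i += 1
        if i < len(tokens) and tokens[i][0] == "str":
            if i + 1 < len(tokens) and tokens[i + 1] == ("brace", "{"):
                node["name"] = tokens[i][1]        # named block, e.g. profile "package_profile" { ... }
            else:
                node["value"] = tokens[i][1]       # string scalar, e.g. host "*.domain.com"
            i += 1
        elif i < len(tokens) and tokens[i] in (("word", "true"), ("word", "false")):
            node["value"] = tokens[i][1] == "true"  # boolean scalar, e.g. enabled true
            i += 1
        if i < len(tokens) and tokens[i] == ("brace", "{"):
            node["children"], i = parse_block(tokens, i + 1)
        nodes.append(node)
    return nodes, i

def children(nodes, key):
    return [n for n in nodes if n["key"] == key]

def scalar(nodes, key):
    found = children(nodes, key)
    return found[0]["value"] if found else None

def lint_networking_filters(text):
    """Return (severity, message) findings for every networking filter in the policy text."""
    nodes, _ = parse_block(tokenize(text))
    findings, seen = [], Counter()
    for pol in children(nodes, "policies"):
        for prof in children(pol["children"], "profile"):
            for net in children(prof["children"], "networking"):
                for proto in children(net["children"], "protocol"):
                    pat = proto["name"]
                    if scalar(proto["children"], "enabled") is not True:
                        findings.append(("warn", f'protocol "{pat}": enabled is not true'))
                    for flt in children(proto["children"], "filter"):
                        addr = children(flt["children"], "address")
                        if not addr:
                            findings.append(("error", f'protocol "{pat}": filter has no address'))
                            continue
                        fields = addr[0]["children"]
                        host, path = scalar(fields, "host"), scalar(fields, "path") or ""
                        if host is None:
                            findings.append(("error", f'protocol "{pat}": address without host'))
                        seen[(pat, host, path)] += 1   # identical patterns across filters are a pitfall
                        for svc in children(fields, "service"):
                            for req in ("name", "type"):
                                if scalar(svc["children"], req) is None:
                                    findings.append(("error", f'service at {host}/{path}: missing "{req}"'))
    for (pat, host, path), n in seen.items():
        if n > 1:
            findings.append(("warn", f'{n} filters target the same pattern {pat} {host}/{path}'))
    return findings

if __name__ == "__main__":
    for severity, message in lint_networking_filters(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

Run it against your own .package_policy.info by reading the file into lint_networking_filters; an empty result means none of the checked pitfalls are present, though only rl-secure sync validates the file against the real schema.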

2. Apply and verify configuration changes

1) To apply your policy configuration changes, run the following command in your package store:

rl-secure sync

The command automatically detects which packages in the package store require synchronization. Using the sync command does not count towards the monthly analysis capacity.

2) To make sure the new policy configuration is reflected in analysis reports, you have to regenerate them for all applicable package versions:

rl-secure report all --purl=pkg:rl/my-app/my-app-windows@1.0 --bundle=report.zip

3) To confirm that the policy configuration change has been successfully applied, check the SAFE report (rl-html) for details about modified network services.

  • In the SAFE report, select Services from the left sidebar.
  • Search for the service by name or use filters to narrow down the list of displayed services.
  • At least one of the items in the list should match the pattern you defined in the policy configuration. Expand the item to view its Service Card and confirm that the information there matches your policy configuration.

Override an existing service

In this example, a network service is detected by Spectra Assure and present in the analysis reports. However, the reported version for the service is "Generic", and we would like to be more specific about it.

To do this, we're modifying the policy configuration file for the software package (the .package_policy.info file). When changes are synchronized, the configuration will apply to all versions in that package.

In the configuration file, we're going to create one networking filter to match the URI of the service and change the contents of the version field. Because service name and type are required fields in the service object, we have to include them in the filter as well.

1. Modify package policy settings

1) In the rl-secure package store, navigate to the policy configuration file for the package and open it in a text editor. In this example, the full path to the file we're editing is /home/armando/my-repository/.rl-secure/projects/my-app/packages/my-app-windows/.package_policy.info.

2) In the .package_policy.info file, add a new networking filter.

  • In protocol, specify one or more protocols that the filter should target. Wildcard matching is supported with the * character. In this example, https will be matched.
  • To ensure that the filter is applied when analyzing files, set enabled to true.
  • In address, specify at least the host value. You can specify other parts of the URI for more precise matching if needed. In this example, we're also specifying path.
  • In the service object, set the desired version and provide the service name and type.
Example networking filter
policies
{
    profile "package_profile"
    {
        inherit_rules "project_profile"

        networking
        {
            protocol "https"
            {
                enabled true
                filter
                {
                    address
                    {
                        host "api.example.com"
                        path "services/*"

                        author "Spectra Assure"
                        reason "Modifying a network service"
                        timestamp "2025-03-27T08:38:14+00:00"

                        service
                        {
                            type "data-exchange"
                            name "Example API"
                            version "3.0"
                        }
                    }
                }
            }
        }
    }
}

3) Save changes to the file and close it.
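To see which detected services an override filter like the one above will touch, it helps to model the matching before regenerating reports. The Python script below is an added example, not part of this guide or of rl-secure; it assumes, for illustration only, that the * wildcard behaves like a shell glob in the protocol, host and path fields, and that a matching filter's service fields replace those of the detected service. The detected services are a constructed sample, all carrying the "Generic" version that the filter is meant to replace; three of them differ in protocol, path or host and must be left alone.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed filter mirroring the one in this section. Matching semantics are an
# assumption for this example: '*' acts as a shell-style wildcard in each field.
OVERRIDE_FILTER = {
    "protocol": "https",
    "enabled": True,
    "address": {"host": "api.example.com", "path": "services/*"},
    "service": {"type": "data-exchange", "name": "Example API", "version": "3.0"},
}

# Constructed sample of detected services, shaped like report entries with a "Generic" version.
DETECTED_SERVICES = [
    {"uri": "https://api.example.com/services/orders", "version": "Generic"},
    {"uri": "https://api.example.com/services/users/42", "version": "Generic"},
    {"uri": "http://api.example.com/services/orders", "version": "Generic"},   # protocol differs
    {"uri": "https://api.example.com/health", "version": "Generic"},           # path outside services/
    {"uri": "https://cdn.example.com/services/orders", "version": "Generic"},  # host differs
]

def uri_matches(flt, uri):
    """Return True when the protocol, host and (optional) path patterns all match the URI."""
    if not flt.get("enabled"):
        return False  # a filter that is not enabled is never applied
    parts = urlsplit(uri)
    addr = flt["address"]
    if not fnmatchcase(parts.scheme, flt["protocol"]):
        return False
    if not fnmatchcase(parts.hostname or "", addr["host"]):
        return False
    # path is optional in the filter; compare without the leading slash, as the guide writes it
    if "path" in addr and not fnmatchcase(parts.path.lstrip("/"), addr["path"]):
        return False
    return True

def apply_override(flt, services):
    """Copy the filter's service fields onto every detected service whose URI matches."""
    result = []
    for svc in services:
        record = dict(svc)
        record["overridden"] = uri_matches(flt, svc["uri"])
        if record["overridden"]:
            record.update(flt["service"])
        result.append(record)
    return result

if __name__ == "__main__":
    for r in apply_override(OVERRIDE_FILTER, DETECTED_SERVICES):
        print(f'{r["uri"]:48} version={r["version"]:8} overridden={r["overridden"]}')
```

Only the two URIs under https://api.example.com/services/ receive version "3.0"; the http, /health and cdn.example.com entries keep "Generic", which is the behaviour to confirm in the Service Card after regenerating the SAFE report.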

2. Apply and verify configuration changes

1) To apply your policy configuration changes, run the following command in your package store:

rl-secure sync

The command automatically detects which packages in the package store require synchronization. Using the sync command does not count towards the monthly analysis capacity.

2) To make sure the new policy configuration is reflected in analysis reports, you have to regenerate them for all applicable package versions:

rl-secure report all --purl=pkg:rl/my-app/my-app-windows@1.0 --bundle=report.zip

3) To confirm that the policy configuration change has been successfully applied, check the SAFE report (rl-html) for details about modified network services.

  • In the SAFE report, select Services from the left sidebar.
  • Search for the service by name or use filters to narrow down the list of displayed services.
  • At least one of the items in the list should match the pattern you defined in the policy configuration. Expand the item to view its Service Card and confirm that the version there matches your policy configuration.