Compare package versions
What is a diff?
Diff can be defined as a comparison of two versions of the same software that highlights the changes between them.
In terms of the Spectra Assure platform, this comparison is focused on software quality issues, behaviors, file contents, and analysis tags. The diff information provided in the analysis report is useful for recognizing whether your software has been tampered with and how.
Only the SAFE report (rl-html format) can include the diff information.
In this guide, you will learn how to compare package versions with rl-secure.
Prerequisites
Diffing (comparison) of two package versions is possible under the following conditions:
Package versions must exist in the package store.
Package versions must be processed with the same configuration and the same rl-secure version.
Commands to use
scan
To enable diffing (comparison) between package versions, first you need to add the software packages to the package store with the rl-secure scan command.
To ensure both versions of a software package you want to compare are analyzed with the same rl-secure version and configuration, use the --sync-with option when scanning the newer package version.
With this option, specify the package version you intend to diff against.
The option checks if synchronization is required and reanalyzes packages if necessary.
In case the package version you're trying to add is already present in the package store, use the --replace option to overwrite it.
report
After you've scanned the packages and confirmed that the two versions you want to compare are in sync, use the rl-secure report command on the newer package version with the following options:
- the --diff-with option to specify the referential package version (the one you want to compare against)
- the --format option to specify the analysis report format. This must be set to either rl-html or all, because rl-html is the only report format that can display diff information. The format is typically given implicitly, by listing one or more formats right after the report command without naming the --format parameter itself.
On any mismatch between versions, rl-secure warns you that reanalysis is required.
If package versions are not reanalyzed, the requested reports will still be generated, but without the diff.
It's possible to compare a package version against multiple other versions.
To do this, run the rl-secure report command with the --diff-with option multiple times, each time specifying a different version to diff against.
Every comparison (diff) is saved as an individual report file.
inspect
After you've generated the diff report between versions 1.0.2 and 1.0.1, use the rl-secure inspect command on the newer package version with the --diff-with option.
With this option, specify the package version you intend to diff against.
The option displays the differential analysis results in the CLI output.
If any of the previous steps is skipped, this command will result in an error.
How to create a diff
Workflow overview:
- Scan a package version (V1)
- Scan another package version (V2)
- Make sure V2 and V1 are scanned with the same configuration
- Generate a SAFE report for V2 that includes the diff against V1
- Display the diff analysis results in the CLI output
1. Scan a package version
In this example, you've previously scanned the 1.0.1 version of an example software package.
You're using the rl-secure scan command to scan the 1.0.2 version, and you want to inspect how it's different from the 1.0.1 version.
In this case, 1.0.1 is your referential version.
The --sync-with option ensures that the new package version scan is synchronized with the previous (referential) version.
Since the 1.0.1 version was processed with a different scan configuration, both packages are reanalyzed.
This enables the subsequent rl-secure report command to create a diff between the two package versions.
The command expects the package store to exist in the current directory.
Use the -s or --rl-store option to provide an alternative path to the package store.
If the 1.0.2 version is already in the package store, rl-secure warns you about the conflict.
In that case, you need to repeat the scan in a subsequent command and specify that you want to overwrite the existing version with --replace.
Scan package (input):
rl-secure scan /home/armando/my-package.jar pkg:rl/my-project/my-package@1.0.2 --sync-with=1.0.1
Scan package (output):
Preparing ...
Copying [=============================================] 100% [00m:00s] 1447178/1447178 bytes
Software my-project/my-package@1.0.1
Scanning [=============================================] 100% [00m:01s] 363/363 files
Merging [=============================================] 100% [00m:01s] 363/363 files
Software my-project/my-package@1.0.2
Scanning [=============================================] 100% [00m:01s] 371/371 files
Merging [=============================================] 100% [00m:01s] 371/371 files
Analysis finished!
Replace package (input):
rl-secure scan /home/armando/my-package.jar pkg:rl/my-project/my-package@1.0.2 --replace
Replace package (output):
Preparing ...
Software my-project/my-package@1.0.2
Scanning [=============================================] 100% [00m:05s] 208/208 files
Merging [=============================================] 100% [00m:05s] 208/208 files
Analysis finished!
2. Compare versions
After scanning successfully completes, you can use the rl-secure report command to generate a diff report between version 1.0.2 and version 1.0.1.
More specifically, you're creating the report for version 1.0.2 and setting 1.0.1 as the referential version by using the --diff-with option.
Since both versions have been processed with the same rl-secure version and configuration, the rl-html report is enriched with diff information on software quality issues, behaviors, file contents and analysis tags.
The command expects the package store to exist in the current directory.
Use the -s or --rl-store option to provide an alternative path to the package store.
Simplified input:
rl-secure report all pkg:rl/my-project/my-package@1.0.2 --diff-with=1.0.1
Extended input:
rl-secure report all --purl=pkg:rl/my-project/my-package@1.0.2 --diff-with=1.0.1 --rl-store=/home/armando/my-repository/
Output:
Software my-project/my-package@1.0.2
Snapshot [===========================================] 100% [00m:00s] 2/2 snapshots
Diffing [===========================================] 100% [00m:00s] 856/856 files
Exporting results to: /home/armando/my-repository/.rl-secure/projects/my-project/packages/my-package/versions/1.0.2/reports
CycloneDX JSON ... done
rl-checks report ... done
rl-html diff-report ... done
rl-json report ... done
SARIF JSON ... done
SPDX JSON ... done
Your diff report should now be ready for viewing.
3. Find the diff analysis results
You can find the diff results in two places:
- in the SAFE report
- in the CLI output
Find diff in the SAFE report
If the previous steps have been successfully completed, you'll find the report with the diff information in the reports/rl-html-diff-with folder of the version for which you generated the report. In this example, it's the version 1.0.2.
In the SAFE report, the differences between the two analyzed packages are shown in the Version diff section accessed from the sidebar on the left-hand side.
The Version diff > Issues page displays all issues that were either resolved or introduced since the last version. You can filter the issues by category and expand every issue to show more details about it, including the files newly impacted by introduced issues.
The Version diff > Files page displays all files that were modified between versions. You can filter the files by name and change type, and expand each file to show additional information, including a detailed list of changes. This makes it easier to pinpoint the exact elements of your software that have been modified.
Once you have the diff report, you can use the information provided there to prevent potentially unsafe software from being released. Additionally, based on this report, you can decide which version of the software you can safely use. All of this in turn contributes to overall security of your system and helps you remediate issues in the newer versions of your software.
Find diff in the CLI output
If you want to get the diff analysis results directly in the terminal, you can use the inspect command paired with the --diff-with option.
Setting the 1.0.1 version as the referential version allows you to get a comprehensive list of issues introduced in the newer (1.0.2) version. This CLI output is a more concise and straightforward version of the Diff page in the report.
The command expects the package store to exist in the current directory.
Use the -s or --rl-store option to provide an alternative path to the package store.
Simplified input:
rl-secure inspect pkg:rl/apache/solr@8.11.3 --diff-with=8.10
Extended input:
rl-secure inspect --purl=pkg:rl/apache/solr@8.11.3 --diff-with=8.10 --rl-store=/home/armando/my-repository/
Output:
--------------------------------------------------------------------------------
[ SQ34109 ] [ L3:FAIL ] <P0> / [H] Severity [M] Effort / will PASS:L2 / (x2)
Detected presence of embedded private keys.
Violations ---------------------------------------------------------------------
1) unpacked_files/0/solr-8.11.3/dist/solrj-lib/netty-handler-4.1.99.Final.jar/io/netty/handler/ssl/OpenSsl.class
2) unpacked_files/0/solr-8.11.3/server/solr-webapp/webapp/WEB-INF/lib/netty-handler-4.1.99.Final.jar/io/netty/handler/ssl/OpenSsl.class
--------------------------------------------------------------------------------
[ SQ34301 ] [ L3:PASS ] <P4> / [L] Severity [L] Effort / (x1)
Detected presence of placeholder credentials within network
protocol strings.
Suppressed ---------------------------------------------------------------------
Author: Spectra Assure
Date: 2024-01-01T12:00:00+0000 (3 months ago)
Reason: Suppressed common network protocol credentials [automatic]
Violations ---------------------------------------------------------------------
1) unpacked_files/0/solr-8.11.3/CHANGES.txt
--------------------------------------------------------------------------------
[ TH16102 ] [ L3:PASS ] <P4> / [L] Severity [H] Effort / (x2)
Detected presence of files containing bidirectional Unicode control
characters.
Root Cause ---------------------------------------------------------------------
[ BH15228 ] Contains the ZWNJ (zero width non-joiner) Unicode
character.
Violations ---------------------------------------------------------------------
1) unpacked_files/0/solr-8.11.3/contrib/analysis-extras/lib/icu4j-62.1.jar/com/ibm/icu/impl/data/icudt62b/pool.res
2) unpacked_files/0/solr-8.11.3/contrib/extraction/lib/icu4j-62.1.jar/com/ibm/icu/impl/data/icudt62b/pool.res
--------------------------------------------------------------------------------
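As an added example (not rl-secure's own code or part of its documentation), the following Python parses inspect --diff-with output in the layout shown above into issue records and picks out the issues that should block a release in a CI pipeline: FAIL status and not suppressed. The regular expressions are an assumption based on that layout, and the embedded sample is constructed.

```python
# Added example, not rl-secure's own code: parse the `rl-secure inspect --diff-with`
# output shown above and flag what should block a release. The regexes assume
# exactly that layout; verify them against output from your rl-secure version.
import re
from dataclasses import dataclass, field
HEADER = re.compile(r"^\[ (\w+) \] \[ L\d:(PASS|FAIL) \] <P(\d)> / \[(\w)\] Severity")
VIOLATION = re.compile(r"^\d+\) (\S.*)$")      # "1) path/inside/the/package"

@dataclass
class Issue:
    id: str
    status: str              # PASS or FAIL at the policy level shown (L3 above)
    priority: int            # from the <Pn> tag; P0 above is the most urgent
    severity: str            # H, M or L
    suppressed: bool = False
    violations: list = field(default_factory=list)

def parse_inspect_diff(text: str) -> list:
    issues, cur, in_violations = [], None, False
    for line in text.splitlines():
        if line and set(line) == {"-"}:          # dashes only: block boundary
            cur, in_violations = None, False
        elif m := HEADER.match(line):
            cur = Issue(m[1], m[2], int(m[3]), m[4])
            issues.append(cur)
        elif cur and line.startswith("Suppressed "):
            cur.suppressed = True
        elif cur and line.startswith("Violations "):
            in_violations = True
        elif cur and in_violations and (v := VIOLATION.match(line)):
            cur.violations.append(v[1])
    return issues

def blocking_issues(issues: list) -> list:
    """Issues that should fail a pipeline gate: FAIL and not suppressed."""
    return [i for i in issues if i.status == "FAIL" and not i.suppressed]
# Constructed sample in the layout shown above (shortened; not real output).
SAMPLE = """\
--------------------------------------------------------------------------------
[ SQ34109 ] [ L3:FAIL ] <P0> / [H] Severity [M] Effort / will PASS:L2 / (x1)
Detected presence of embedded private keys.
Violations ---------------------------------------------------------------------
1) unpacked_files/0/app/lib/netty-handler.jar/io/netty/handler/ssl/OpenSsl.class
--------------------------------------------------------------------------------
[ SQ34301 ] [ L3:PASS ] <P4> / [L] Severity [L] Effort / (x1)
Suppressed ---------------------------------------------------------------------
Violations ---------------------------------------------------------------------
1) unpacked_files/0/app/CHANGES.txt
--------------------------------------------------------------------------------
"""
```

Feed it the captured output of the inspect command (for example via subprocess) and fail the build when blocking_issues returns a non-empty list.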