
Scan password-protected archives

Software packages distributed as password-protected archives can be scanned with the rl-scanner Docker image, but their contents cannot be decrypted and extracted without a password. Consequently, analysis reports for such software packages will be incomplete and may not accurately represent the risk profile of the analyzed software.

To decrypt password-protected archives and get complete analysis reports, you need to provide their passwords when scanning them.

File format support

Decrypting password-protected archives is supported for a limited set of file formats. The list of supported formats in the Spectra Assure documentation indicates them with a checkmark in the "Password Support" column.

You can provide the passwords for password-protected files in any of the following formats.

Password format               Parameter                 Environment variable
Plain-text single password    --password                RLSECURE_PACKAGE_PASSWORD
Password list file            --password-list           RLSECURE_PACKAGE_PASSWORD_LIST
Base64-encoded password list  --encoded-password-list   RLSECURE_PACKAGE_ENCODED_LIST

If needed, you can combine the parameters to provide passwords in multiple different ways simultaneously (for example, use --password and --password-list in the same Docker command).

It is also possible to use a parameter multiple times in the same Docker command (for example, use --password twice to specify two different password values).

Plain text single password

To specify a single literal password string, you can use the --password parameter or the RLSECURE_PACKAGE_PASSWORD environment variable.

If you want to specify multiple passwords, use the --password parameter multiple times in your command, or put your passwords into a password list file.

The following command will scan a password-protected file and use the single password provided with the --password parameter to decrypt its contents.

# Pull the image from Docker Hub
docker pull reversinglabs/rl-scanner:latest

# Scan a password-protected file with a plain text password
docker run --rm \
-u $(id -u):$(id -g) \
-v "$(pwd)/packages:/packages:ro" \
-v "$(pwd)/report:/report" \
-e RLSECURE_ENCODED_LICENSE=<base64 encoded license file> \
-e RLSECURE_SITE_KEY=<site key> \
reversinglabs/rl-scanner \
rl-scan \
--package-path=/packages/deployment_pkg.tgz \
--report-path=/report \
--report-format=rl-html \
--password=ExamplePassword123

Password list file

To avoid exposing your passwords directly in the Docker command, you can create a password list file. This is also practical when you want to use multiple passwords, as you don't need to provide them one by one.

The password list file must be a plain text file containing one password per line. The file name is arbitrary, but you need to make sure the password list file is saved to a location that the Docker container can access.

Then you can use the --password-list argument or the RLSECURE_PACKAGE_PASSWORD_LIST environment variable to specify the path to the previously created password list file.

The following command will scan a password-protected file and use the password.list file provided with the --password-list parameter as the source for passwords. Passwords inside it will be used to decrypt the password-protected file during the scan process.

# Pull the image from Docker Hub
docker pull reversinglabs/rl-scanner:latest

# Scan a password-protected file with a password list
docker run --rm \
-u $(id -u):$(id -g) \
-v "$(pwd)/packages:/packages:ro" \
-v "$(pwd)/report:/report" \
-v "$(pwd)/password.list:/password.list:ro" \
-e RLSECURE_ENCODED_LICENSE=<base64 encoded license file> \
-e RLSECURE_SITE_KEY=<site key> \
reversinglabs/rl-scanner \
rl-scan \
--package-path=/packages/deployment_pkg.tgz \
--report-path=/report \
--report-format=rl-html \
--password-list=/password.list

Base64-encoded password list

If you do not want to disclose the path to your password list file, you can encode its contents with Base64. This is also practical when mounting the password list file into the container is not possible or not allowed. Keep in mind that Base64 is an encoding, not encryption: the passwords remain readable to anyone who can see the command line or the container's environment.

After encoding the password list file contents, you can provide the resulting string with the --encoded-password-list parameter or the RLSECURE_PACKAGE_ENCODED_LIST environment variable.

The following command will scan a password-protected file and use the Base64-encoded string provided with the --encoded-password-list parameter to decrypt it.

# Pull the image from Docker Hub
docker pull reversinglabs/rl-scanner:latest

# Scan a password-protected file with a Base64-encoded password list
docker run --rm \
-u $(id -u):$(id -g) \
-v "$(pwd)/packages:/packages:ro" \
-v "$(pwd)/report:/report" \
-v "$(pwd)/password.list:/password.list:ro" \
-e RLSECURE_ENCODED_LICENSE=<base64 encoded license file> \
-e RLSECURE_SITE_KEY=<site key> \
reversinglabs/rl-scanner \
rl-scan \
--package-path=/packages/deployment_pkg.tgz \
--report-path=/report \
--report-format=rl-html \
--encoded-password-list=c2VjcmV0MQpzZWNyZXQyCg==
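
As an added example that is not part of the rl-scanner documentation, the POSIX shell helpers below produce the value expected by --encoded-password-list (or RLSECURE_PACKAGE_ENCODED_LIST) from a one-password-per-line list file, and decode it back so you can confirm what the scanner will receive. The function names are assumptions, and `base64 -d` assumes GNU coreutils or a recent BSD base64.

```shell
# Added example (not from the rl-scanner docs): helpers for producing and
# checking the value passed to --encoded-password-list. Function names are
# assumptions; `base64 -d` assumes GNU coreutils or a recent BSD base64.

# Encode a password list file (one password per line) as a single-line
# Base64 string, so it can be passed as one argument or environment variable.
encode_password_list() {
    base64 < "$1" | tr -d '\n'
}

# Decode an encoded list back to plain text, to confirm what the scanner will see.
decode_password_list() {
    printf '%s' "$1" | base64 -d
}

# Count the non-empty password lines inside an encoded list
# (grep -c exits 1 when the count is 0, so that case is not treated as an error).
count_passwords() {
    decode_password_list "$1" | grep -c . || true
}

# Usage on a constructed password list (sample values, not real credentials):
#   printf 'secret1\nsecret2\n' > password.list
#   ENCODED=$(encode_password_list password.list)   # c2VjcmV0MQpzZWNyZXQyCg==
#   docker run --rm ... -e RLSECURE_PACKAGE_ENCODED_LIST="$ENCODED" \
#       reversinglabs/rl-scanner rl-scan --package-path=/packages/deployment_pkg.tgz \
#       --report-path=/report --report-format=rl-html
```

Passing the encoded list through the environment variable keeps the password list file out of the container's volume mounts, which is the case the paragraph above describes.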

Saving passwords

Advanced workflows that require re-scanning the same package version can benefit from the ability to save passwords permanently, instead of having to provide the password for every scan.

This is possible when you use a package store with the rl-scanner Docker image. You can set up a password vault for the package store and save all passwords to the vault.