
Schema for the rl-json report format

The Spectra Assure platform supports a special format for analysis reports called rl-json. This format is intended for use in integration workflows and with various tools that can parse and transform JSON data.

To generate reports in the rl-json format:

This page describes the full schema of the rl-json report format.

How to read the schema?

The schema contents are displayed as an expandable schema model and described in alphabetical order. Expandable items have an arrow indicator next to their name. Select the arrow to expand the item and view its contents.

The full rl-json report example is displayed below the schema. You can copy the whole example by selecting "Copy" in the code block.

Desktop browsers: To make the schema easier to read, you can hide the navigation sidebar by selecting the << button at the bottom left of the page.

rl-json report schema

duration
required
string

Indicates how long it took to complete the analysis.

schema
required
number
Default: 3

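Version of this report schema. The version number is incremented when a change breaks backward compatibility, so integrations that parse rl-json reports should check this value before relying on the field layout.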

timestamp
required
string <date-time>

Indicates when the software package was last analyzed, as a timestamp in ISO-8601 format.

version
required
string

Version of the analysis engine that was used to scan the software package.

catalogue
required
integer
Default: 3

Version of the rl-secure policy catalogue. The version should match the value specified in the catalogue.json file available in the public metadata repository.

report
required
object

Summary of the ReversingLabs Spectra Assure analysis report.

{
  "duration": "00:00:02.334",
  "schema": 3,
  "timestamp": "2025-03-11T14:27:04+01:00",
  "version": "5.3.0.112",
  "catalogue": 3,
  "report": {
  }
}

rl-json report example

This example is for illustrative purposes only. It is used to visualize the report structure and does not represent any specific software package.

rl-json report example
{
"duration": "00:00:02.334",
"schema": 3,
"timestamp": "2025-03-11T14:27:04+01:00",
"version": "5.3.0.112",
"catalogue": 3,
"report": {
"info": {
"detections": {
"Goodware": {
"No Threats Detected": 363
},
"Malicious": {
"Downloader": 5,
"Trojan": 2
},
"Suspicious": {
"Malware": 7
},
"Unknown": {
"No Threats Detected": 1098
}
},
"disabled": [
"SQ14120",
"SQ14126",
"SQ14129",
"SQ14130"
],
"file": {
"format": "GZIP",
"hashes": [
[
"md5",
"ff0fd1e7a5df8a22d0c921ebe7b1b793"
],
[
"sha1",
"d63932d669fe6da664b4183d8e1d5a33a9492b9f"
],
[
"sha256",
"4430b43199a020b9a1f3bcfa9c55fcc207aea79ec4731def885e89980b8fe880"
]
],
"name": "app-x64.msi",
"path": "",
"size": 210812,
"subtype": "Archive",
"type": "Binary",
"version": "Generic",
"sbom": false,
"classification": {
"result": "",
"status": "Malicious"
},
"identity": {
"authors": [],
"community": "general",
"cpe": "",
"edit": null,
"homepage": "https://example.com",
"license": "Copyleft (LGPL)",
"original": [],
"product": "Simple App Installer",
"publisher": "Example Corp",
"purl": "",
"repository": "https://github.com/example-corp/simpleinstaller",
"scenario": null,
"verified": true,
"version": "1.2",
"classification": {
"result": "",
"status": "Malicious"
},
"dependencies": [
"5d0e7ec6-9300-47a3-8680-b248ac356b48",
"5eac12cc-c55b-4661-900d-9f232fbcc11a",
"682d537a-23f9-4084-bcaa-7959fb8faec0",
"916c31a3-3334-4c4f-9733-9761459e1be9"
],
"vulnerabilities": {
"active": [
"CVE-2012-2333"
],
"triaged": [
"CVE-2016-8610"
]
}
},
"properties": [],
"quality": {
"effort": "high",
"priority": 2,
"severity": "high",
"status": "fail"
}
},
"inhibitors": {
"customized": false,
"exclusions": {
"SQ31102": 4
},
"next_level": 5,
"scan_level": 3
},
"properties": [],
"statistics": {
"bad_checksum": 0,
"bad_format": 0,
"bad_password": 0,
"components": 9,
"extracted": 363,
"licenses": {
"copyleft": 4,
"freemium": 0,
"freeware": 1,
"non-commercial": 0,
"permissive": 7,
"proprietary": 1,
"public_domain": 1,
"shareware": 0,
"undeclared": 0,
"weak_copyleft": 3
},
"quality": {
"issues": {
"pass": 34,
"warning": 0,
"fail": 5,
"high": 8,
"medium": 3,
"low": 0,
"total": 11
},
"metrics": {
"pass": 34,
"warning": 0,
"fail": 5,
"high": 8,
"medium": 3,
"low": 0,
"total": 11
},
"priority": 0,
"status": "fail"
},
"unsupported": 0,
"vulnerabilities": {
"critical": 0,
"exploit": 2,
"fixable": 4,
"high": 4,
"low": 0,
"malware": 0,
"mandate": 0,
"medium": 0,
"named": 0,
"total": 7,
"triaged": 3
}
},
"unpacking": {
"errors": {
"components/many_credentials.txt/unpacked_files/0": [
"Corrupted or invalid certificate data: invalid certificate footer"
]
},
"warnings": {}
},
"warnings": []
},
"metadata": {
"assessments": {
"licenses": {
"count": 2,
"label": "patent license considerations",
"priority": 0,
"status": "fail",
"violations": [
"SQ12408"
],
"final": false,
"evaluations": [
{
"count": 1,
"label": "software distribution restrictions",
"priority": 2,
"status": "warning",
"violations": [
"SQ12405"
]
}
]
},
"malware": {
"count": 6,
"label": "supply chain attack artifacts",
"priority": 0,
"status": "fail",
"violations": [
"SQ30105"
],
"final": true,
"evaluations": [
{
"count": 6,
"label": "analyst-vetted malware found",
"priority": 0,
"status": "fail",
"violations": [
"SQ30109"
]
},
{
"count": 3,
"label": "malicious components found",
"priority": 0,
"status": "fail",
"violations": [
"SQ30107"
]
}
]
},
"hardening": {
"count": 1,
"label": "baseline mitigations missing",
"priority": 1,
"status": "warning",
"violations": [
"SQ14102"
],
"final": false,
"evaluations": [
{
"count": 1,
"label": "modern mitigations missing",
"priority": 3,
"status": "warning",
"violations": [
"SQ14122"
]
}
]
},
"secrets": {
"count": 2,
"label": "active web service credentials",
"priority": 0,
"status": "fail",
"violations": [
"SQ34401",
"SQ34403"
],
"final": false,
"evaluations": [
{
"count": 10,
"label": "plaintext private keys found",
"priority": 0,
"status": "fail",
"violations": [
"SQ34108",
"SQ34109"
]
}
]
},
"tampering": {
"count": 1,
"label": "malware-like behaviors found",
"priority": 0,
"status": "fail",
"violations": [
"TH15104"
],
"final": false,
"evaluations": [
{
"count": 2,
"label": "malicious network references",
"priority": 0,
"status": "fail",
"violations": [
"TH17117"
]
}
]
},
"vulnerabilities": {
"count": 5,
"label": "patch mandated vulnerabilities",
"priority": 0,
"status": "fail",
"violations": [
"SQ31101"
],
"final": false,
"evaluations": [
{
"count": 11,
"label": "critical severity vulnerabilities",
"priority": 0,
"status": "fail",
"violations": [
"SQ31104"
]
}
]
}
},
"components": {
"00897fdd-15b7-55fe-add8-193de742f42a": {
"format": "GZIP",
"hashes": [
[
"md5",
"ff0fd1e7a5df8a22d0c921ebe7b1b793"
],
[
"sha1",
"d63932d669fe6da664b4183d8e1d5a33a9492b9f"
],
[
"sha256",
"4430b43199a020b9a1f3bcfa9c55fcc207aea79ec4731def885e89980b8fe880"
]
],
"name": "library.js",
"path": "unpacked_files/0/package/js/src/library.js",
"size": 210812,
"subtype": "JavaScript",
"type": "Text",
"version": "Generic",
"sbom": false,
"classification": {
"result": "",
"status": "Malicious"
},
"identity": {
"authors": [],
"community": "general",
"cpe": "",
"edit": null,
"homepage": "",
"license": "Copyleft (LGPL)",
"original": [],
"product": "SimpleComponent",
"publisher": "",
"purl": "",
"repository": "",
"scenario": null,
"verified": true,
"version": "15.14",
"classification": {
"result": "",
"status": "Malicious"
},
"dependencies": [
"5d0e7ec6-9300-47a3-8680-b248ac356b48",
"5eac12cc-c55b-4661-900d-9f232fbcc11a",
"682d537a-23f9-4084-bcaa-7959fb8faec0",
"916c31a3-3334-4c4f-9733-9761459e1be9"
],
"vulnerabilities": {
"active": [
"CVE-2012-2333"
],
"triaged": [
"CVE-2016-8610"
]
}
},
"properties": [],
"quality": {
"effort": "high",
"priority": 2,
"severity": "high",
"status": "pass"
}
}
},
"cryptography": {
"algorithms": {
"379a49d2-efb4-4b4b-b33c-78f28c7acad4": {
"functions": [
"digest"
],
"mode": "unknown",
"pqc_level": 0,
"primitive": "hash",
"properties": [],
"size": 160,
"type": "sha1",
"sources": [
"pattern"
],
"violations": [],
"references": {
"component": [
"63dd38c6-2ff5-544f-98f7-d27d11164247"
]
}
}
},
"certificates": {
"03bbe63e4b207588fe5a49ce2": {
"algorithm": "sha1WithRSAEncryption",
"extensions": [
{
"is_critical": false,
"name": "X509v3 Basic Constraints",
"value": "CA:FALSE"
}
],
"issuer": [
[
"countryName",
"US"
],
[
"organizationName",
"VeriSign, Inc."
]
],
"references": {
"component": [
"63dd38c6-2ff5-544f-98f7-d27d11164247"
]
},
"serial_number": "6f0af7a3213cca",
"size": 0,
"subject": [
[
"countryName",
"US"
],
[
"organizationName",
"Adobe Systems Incorporated"
]

],
"thumbprint": "03bbe63e46bbbbb",
"type": "X.509",
"valid_from": "2005-12-10T00:00:00Z",
"valid_to": "2006-12-10T23:59:59Z",
"violations": [
"SQ20118",
"SQ20119",
"SQ20121"
]
}
},
"materials": {
"7587a780-5e59-449d-a200-0abd143f9b38": {
"creation": "",
"expiration": "",
"format": "PEM",
"properties": [
[
"bits",
"2048"
],
[
"defaultDigest",
"SHA256"
]
],
"references": {
"component": [
"4842f1bc-da0e-569e-9a38-c692a3b67c79"
]
},
"size": 2048,
"type": "private-key",
"violations": []
}
},
"protocols": null
},
"dependencies": {
"0a7097a8-445d-4f65-a8f7-d4b45e6d4d5d": {
"authors": [],
"community": "general",
"cpe": "",
"edit": null,
"homepage": "",
"license": "Proprietary (LicenseRef-rlsecure-microsoft-software-license-terms)",
"original": [],
"product": "api-ms-win-crt-stdio-l1-1-0",
"publisher": "Microsoft Corporation",
"purl": "",
"repository": "",
"scenario": "release",
"verified": false,
"version": "Generic",
"vulnerabilities": {
"triaged": [
"CVE-2016-8610"
]
},
"classification": {
"result": "",
"status": "Unknown"
}
}
},
"indicators": {
"078bac4c-f047-4a60-a140-91c48782379c": {
"category": "anomaly",
"description": "Might contain potentially obfuscated code or data.",
"exclusions": 0,
"occurrences": 14,
"priority": 7,
"references": [
"6fe23bd5-0bb5-55de-9465-7dc5a9dfdc3c",
"8cbe04f2-dffe-5fed-bced-8a0df480b28c"
],
"rule_id": "BH15332",
"violations": 0
}
},
"licenses": {
"MIT": {
"audit": {
"author": "Spectra Assure",
"timestamp": "2021-12-01T03:56:12+0000",
"reason": "Relaxed policy level rules"
},
"family": "Permissive",
"violations": []
}
},
"ml_models": null,
"secrets": {
"component-id": {
"evidence": [
{
"audit": {
"author": "Spectra Assure",
"timestamp": "2021-12-01T03:56:12+0000",
"reason": "Relaxed policy level rules"
},
"canary": false,
"endpoints": [
{
"error": "SSL certificate problem: unable to get local issuer certificate",
"label": "Prefect Cloud",
"liveness": "site-error",
"location": "https://api.prefect.cloud/api"
}
],
"file_offset": 229784,
"line_number": 3540,
"liveness": "site-error",
"references": {
"component": [
"26ecb345-6837-4bdd-8e92-bfcc55b4b847",
"2e282316-1f8f-4b50-b33f-f8a8fbad0c22",
"936e0821-92c4-4f30-936d-2027e20c5fa0"
]
},
"rule_id": "SQ34305",
"secret": "rl-sha256:77d4c3abf932e92f12abb554"
}
],
"exposed": true,
"service": "Prefect v2 API Key",
"timestamp": "2022-07-28T14:29:36"
}
},
"services": {
"a9981780-c689-408f-8cde-ab3743cdd81e": {
"auth": true,
"endpoints": [
{
"classification": {
"result": "",
"status": "Unknown"
},
"value": "api.telegram.org"
}
],
"flow": "bidirectional",
"name": "Telegram Messenger API",
"provider": "Telegram Messenger",
"references": {
"component": [
"0db70edc-2f2b-5004-863c-4f90a1cbcf01"
]
},
"type": "chat-exchange",
"version": "Generic",
"violations": []
}
},
"violations": {
"052ccedb-9958-441a-af26-35dedad19eac": {
"audit": {
"author": "Spectra Assure",
"timestamp": "2021-12-01T03:56:12+0000",
"reason": "Relaxed policy level rules"
},
"category": "secrets",
"description": "Detected presence of private keys.",
"effort": "medium",
"enabled": true,
"priority": 0,
"references": {
"component": [
"0564f115-be31-4b10-a042-148669575d3c",
"1c5edd26-eeb3-47ee-ba23-e247fb393127",
"30cef51f-2ddc-40bf-8749-db17ca178e08",
"3e116fd6-c347-4b62-b731-1a15b80cb969"
]
},
"rule_id": "SQ34108",
"severity": "high",
"statistics": {
"applicable": 9,
"enforcements": 9,
"exclusions": 0,
"violations": 9
},
"status": "fail"
}
},
"vulnerabilities": {
"CVE-2016-4285": {
"cvss": {
"baseScore": "8.8",
"metrics": [
[
"Attack Vector",
"Network"
],
[
"Attack Complexity",
"Low"
]
],
"version": 3
},
"exploit": [
"EXISTS",
"FIXABLE",
"MALWARE"
],
"name": "",
"sources": [
"NVD"
],
"violations": [
"SQ31102",
"SQ31103",
"SQ31105"
],
"audit": {
"author": "Spectra Assure",
"timestamp": "2021-12-01T03:56:12+0000",
"reason": "Relaxed policy level rules"
}
}
}
}
}
}