Spectra Assure Community
Learn more about Spectra Assure Community and use it to check the safety of open source packages in your software.
The majority of modern commercial-off-the-shelf (COTS) software is made up of open source components. As open source packages gain popularity, they become more attractive targets for attackers because of their large user base and contributor community. Despite this, development teams still choose open source packages based on how quickly they can integrate them, rather than prioritizing software security.
Working on a software project with many open source dependencies significantly complicates component identification, compliance, and overall software protection. This is why it's important to have tools that can verify package integrity and help you prevent supply chain attacks on your software, infrastructure, and end users. Spectra Assure Community is exactly the tool for that.
ReversingLabs Spectra Assure Community is a free-to-use, no-registration-required platform where software developers, DevOps engineers, and IT security specialists can check the security status of widely distributed developer tools and software packages from the most popular communities (npm, PyPI, RubyGems, NuGet, and more to come). The contents of these software package repositories are continually analyzed by ReversingLabs with the latest findings immediately available on the Spectra Assure Community website.
Spectra Assure Community is an unparalleled risk assessment catalogue of open source software packages and dependencies. It monitors the largest open source package repositories to identify malware, code tampering, and indicators of software supply chain attacks, and provides comprehensive risk analysis in the form of a report. The research that powers Spectra Assure Community is also reflected in continuous ReversingLabs contributions to the global threat research space and to the OpenSSF Malicious Packages repository - clear proof of its commitment to protecting open source software developers and users.
Benefits of Spectra Assure Community
You should use Spectra Assure Community for the following reasons:
⭐️ Software provenance - ReversingLabs regularly analyzes not only the latest version of a package, but also older versions. This preserves the entire package history, including packages that have been removed from their official community repository.
⭐️ Quick search - For every supported community, you can look up software packages directly by name or by hash (SHA1 and SHA256). You can also browse the list of the most popular packages in each community to view their status and the risk analysis report.
⭐️ Comprehensive analysis - Packages are analyzed with unique unpacking technology and deep static analysis to detect software supply chain risks in the final build artifacts published in official community repositories. Analysis results are visualized as the ReversingLabs SAFE report, which includes a risk assessment and information on package activity, popularity, and maintainers.
⭐️ Latest research - The Community website lets you browse the list of packages in each community that have most recently been marked as malicious by ReversingLabs threat researchers. This information makes it easier to stay up to date on emerging threats within popular communities.
⭐️ Easily accessible - Spectra Assure Community doesn't require accounts or any special hardware - only your web browser. It helps developers and repository managers ensure the safety of their current and future dependencies, increases build quality and security, saves time, and improves traceability to help engineering teams deliver secure software.
Usage guidelines
While ReversingLabs strives to provide the best user experience, you should be aware of some limitations in the following Spectra Assure Community features:
Search
The search bar expects a full or partial package name, or the complete hash value (SHA1 or SHA256) of the package you want to look up. Wildcard characters are not supported.
The search results show:
- The exact hash match, if a package with that hash exists in Spectra Assure Community
- All packages in Spectra Assure Community in which that hash is embedded
- All packages containing the fully or partially entered string (package name), sorted by popularity
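The rules above (full or partial name, complete SHA1 or SHA256 only, no wildcards, and the three result classes in that order) are illustrated by this added Python example; it is not Spectra Assure Community code, and the catalogue entries, package names and artifact bytes are constructed for the demonstration.

```python
import hashlib
import re

WILDCARDS = set("*?%")          # the search bar does not support wildcard characters
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def digests(data: bytes) -> dict:
    """SHA1 and SHA256 of an artifact's bytes: the two hash types the search accepts.
    Run this over the tarball/wheel you downloaded to get the value to search for."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def classify_query(query: str) -> tuple:
    """Return ("sha1"|"sha256"|"name", normalized value). Only a complete hash is
    treated as a hash; a partial hex string falls through to a name search."""
    q = query.strip()
    if not q or WILDCARDS & set(q):
        raise ValueError("enter a package name or a complete SHA1/SHA256 hash; wildcards are not supported")
    if HEX_RE.fullmatch(q) and len(q) in (40, 64):
        return ("sha1" if len(q) == 40 else "sha256", q.lower())
    return ("name", q.lower())


def entry(name, popularity, content, embedded=()):
    """Constructed catalogue record (assumption: stands in for the service's index)."""
    return {"name": name, "popularity": popularity, **digests(content), "embedded": set(embedded)}

LIB = entry("left-pad", 900, b"constructed left-pad tarball")
CATALOGUE = [
    LIB,
    entry("pad-left", 120, b"constructed pad-left tarball"),
    # a bundle that vendors left-pad, so its record embeds left-pad's hashes
    entry("padded-app", 40, b"constructed app bundle", embedded=[LIB["sha1"], LIB["sha256"]]),
    entry("colors", 800, b"constructed colors tarball"),
]


def search(query: str, catalogue=CATALOGUE) -> list:
    """Exact hash match first, then packages embedding that hash; for names, every
    package whose name contains the string, most popular first."""
    kind, value = classify_query(query)
    if kind in ("sha1", "sha256"):
        exact = [p for p in catalogue if p[kind] == value]
        embedding = [p for p in catalogue if value in p["embedded"]]
        return exact + embedding
    by_name = [p for p in catalogue if value in p["name"].lower()]
    return sorted(by_name, key=lambda p: p["popularity"], reverse=True)
```

A package whose name is itself exactly 40 or 64 hexadecimal characters would be classified as a hash here; such names are rare enough that the example does not special-case them.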
Report
The Spectra Assure Community report on each open source package provides a condensed overview of the potential risks detected during analysis.
Thanks to this format, users of all levels of experience can understand which issues are cause for concern. This simplifies comparing multiple versions of the same open source package and speeds up decisions on whether to use a particular package in a software project.
Among other summary information, the report shows:
- Issue count, descriptions, and which risk category the detected issues belong to
- Behavior description and the category the detected behaviors belong to
- A tag for vulnerabilities that have a fix issued
For more comprehensive reports, consider using the Spectra Assure Portal.
The Portal is a ReversingLabs-hosted SaaS solution for advanced workflows that produces the full SAFE report for every analyzed package, alongside other industry-standard SBOM formats.
Learn more
Browse the documentation on this website. Use the navigation sidebar to discover content by type and topic, or look up specific keywords in the search bar.
Use the Concepts and Reference page to get familiar with the central concepts and features of Spectra Assure products and how they can help you improve your software security, quality, and development processes.
Keep up with all things Spectra Assure on the official ReversingLabs blog.
Access the ReversingLabs Content Library for a wealth of learning resources about our products and technology.