Skip to main content
API docs by Redocly

ReversingLabs Spectra Assure Community API (2.0)

Download OpenAPI specification:Download

ReversingLabs Support: support@reversinglabs.com URL: https://secure.software/ License: Proprietary

About the API

ReversingLabs Spectra Assure Community is a free-to-use, no-registration-required SaaS platform where software developers, DevOps engineers, and IT security specialists can check the security status of widely distributed developer tools and open source software packages from the most popular communities. The contents of these software package and developer tool repositories are continually analyzed by ReversingLabs with the latest findings immediately available on the Spectra Assure Community website.

With Spectra Assure Community, you can search for software packages across the most popular software repositories (such as npm, NuGet, PyPI, RubyGems) and gain visibility into their integrity and security to ensure that the tools you rely on to build, test, and deploy applications can be trusted.

The Spectra Assure Community API is an extension of the Community platform and a companion solution to the free SaaS tool. It allows you to automate common actions; specifically, searching for packages and retrieving information about individual software packages and their versions.

API versioning

The current Community API version is v2, which is indicated in all request paths.

Servers

Request paths for the Community Free tier use the following server URL:

https://data.reversinglabs.com/api/oss/community/v2/free/

Request paths for the Community Enterprise tier use the following server URL:

https://data.reversinglabs.com/api/oss/community/v2/

All requests must be made over HTTPS. This API does not support HTTP.

Authentication

All endpoints in the Community API support Basic and Bearer authentication.

Community Free tier users should use token-based authentication. Create an Access Token in your Spectra Assure Community account and provide it in the Authorization: Bearer HTTP header of every request.

Community Enterprise tier should authenticate to the API with their user account credentials. Provide the username and the password for your Spectra Assure Community account in the Authorization HTTP header of every request.

Make sure to treat your credentials as confidential. If you suspect any of your passwords or tokens have been compromised, change them in your account settings.

Responses and error handling

Successful requests return 2xx status codes.

Errors are indicated by 4xx and 5xx status codes. In some cases, the JSON response will contain a more informative message about the problem in the error key. Expected responses and status codes are listed for every endpoint in this reference documentation.

The following table provides an overview of all expected error responses and suggested resolution steps.

Status code Description
400 Bad request Usually indicates a syntax error in the request. Confirm that all parts of your request are correctly formatted and make sure you're not using any unsupported characters.
401 Not authorized The service is not able to authenticate you with the information provided in the request. This may be caused by missing, malformed, expired, or revoked credentials. Make sure you're correctly providing the username and password in the Authorization header in your requests.
402 Insufficient remaining capacity Usually indicates a licensing issue. The service is not able to fulfill your request because it would exceed the capacity configured for your account.
403 Forbidden You don't have permission to access the requested resource.
404 Not found The resource you're trying to access doesn't exist. Check if the endpoint is correctly formatted in your request, and make sure all required parameters are present. This response is also returned if an unsupported protocol is used in the request (for example, HTTP instead of HTTPS).
413 Too many packages requested The request body exceeds the limit of items allowed in a single request for your account type.
429 Too many requests The service detected an excessive amount of requests from your account in a short period. Review the tools and applications you use to work with the API to make sure they're not sending redundant requests.
500 Internal server error Usually indicates an issue with the service itself. Try re-sending your request later. If the issue persists, contact ReversingLabs Support.

Search for packages

Search the Spectra Assure Community catalogue for information on one or more software packages specified in the request. The response contains the list of all software packages that match the search criteria.

Enterprise users can search for a maximum of 50 packages per request. Users on the Free plan can search for a maximum of 5 packages per request.

To search for a package, provide either of the following in the request body:

  • the correct purl (package URL) in the format pkg:community/namespace/package@version. The version part of the purl may be omitted. In that case, the API returns information about the latest published version of the software package. It's also possible to search for packages by partial purl with matching patterns and version expressions.

  • the package hash in the SHA1 or SHA256 format. When searching for packages by hash, the results will include packages with that hash as well as those that contain it. Note that hashes of embedded files are tracked only if they are malware artifacts.

For more advanced search queries, the request body supports matching a range of package versions by a glob pattern or a community-specific version expression. It is also possible to search for artifacts by file name or tag, but only in software repositories (communities) that support multiple version artifacts for software packages.

Every request must also contain a unique search identifier string that will be included in the response. The string value is arbitrary.

To make integrations easier, you can use the compact query parameter in the request. This parameter instructs the API to return a simplified response in which all optional fields are automatically omitted.

query Parameters
offset
integer
Default: 0

This optional parameter is used for pagination to specify the starting index when enumerating package versions in the response.

limit
integer [ 1 .. 100 ]
Default: 5

Specify the maximum number of package versions to include in the response.

compact
boolean
Default: false

When this parameter is specified in the request, all optional response fields are automatically removed from the response to reduce its size. Intended for OEM and product integrations.

Request Body schema: application/json
Array
One of
uuid
required
string (uuid)
Example: "12-01"

Unique, user-provided search identifier tied to each search query. The server returns this identifier in the response.

purl
required
string
Example: "pkg:pypi/numpy@1.2.3"

Fully qualified package URL (purl) of the software package to search for, in the format pkg:community/namespace/package@version. If the version part of the purl is omitted, the response contains information about the latest published version. The purl is case-insensitive. For more information on the correct purl syntax, consult the official purl specification.

Responses

Request samples

Content type
application/json
[
  • {
    • "uuid": "12-01",
    • "purl": "pkg:pypi/numpy@1.2.3"
    }
]

Response samples

Content type
application/json
{
  • "community": {
    • "packages": [
      ],
    • "errors": [
      ]
    }
}

Show report for a package version

This endpoint is used to retrieve detailed information about a software package version specified in the request. The response contains the Spectra Assure Community analysis report for the requested package version. Only one package version can be specified per request.

To successfully retrieve the information, you must specify the correct purl (package URL) by using the required path parameters. The version part of the purl may be omitted. In that case, the API returns information about the latest published version of the software package.

Optionally, you can specify the artifact file(s) for which you want to retrieve the information with query parameters artifact and artifact_tag. Note that these parameters work only with software repositories that support multiple version artifacts for software packages.

path Parameters
repository
required
string (communities)
Enum: "gem" "npm" "nuget" "psgallery" "pypi" โ€ฆ 1 more
Example: npm

Open source community identifier of the software repository that hosts the requested software package. Must match one of the software repositories supported by Spectra Assure Community.

namespace
string
Example: @ampproject

Namespace of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

package
required
string
Example: remapping

Name of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

version
string
Example: 2.3.0

Version of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

query Parameters
artifact
string
Example: artifact=mock_numpy-2.2.0-.tar.gz

Qualifier that specifies the artifact file of the requested software package (according to the purl schema pkg:repository/namespace/package@version?artifact=filename.ext). Note that some software repositories (communities) do not support searching for artifacts.

artifact_tag
string
Example: artifact_tag=cp310-cp310-win_amd64

Qualifier that specifies the artifact file of the requested software package by a repository-specific tag (according to the purl schema pkg:repository/namespace/package@version?artifact_tag=example_tag). Note that some software repositories (communities) do not support searching for artifacts.

Responses

Response samples

Content type
application/json
{
  • "community": {
    • "report": {
      }
    }
}

Show details about a package

This endpoint is used to retrieve detailed information about a software package specified in the request. By default, the response includes relevant package metadata and the information about the latest published version of the software package.

To include information about a specific package version in the response, you can use the version path parameter in the request. Multiple package versions can be targeted with optional query parameters match_pattern and match_expression. These parameters are mutually exclusive (cannot be used together in a single request) and incompatible with the version parameter.

To successfully show the software package information, the purl (package URL) must be correctly specified by using the required path parameters.

Optionally, you can specify the artifact file(s) for which you want to retrieve the information with query parameters artifact and artifact_tag. Note that these parameters work only with software repositories that support multiple version artifacts for software packages.

path Parameters
repository
required
string (communities)
Enum: "gem" "npm" "nuget" "psgallery" "pypi" โ€ฆ 1 more
Example: npm

Open source community identifier of the software repository that hosts the requested software package. Must match one of the software repositories supported by Spectra Assure Community.

namespace
string
Example: @ampproject

Namespace of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

package
required
string
Example: remapping

Name of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

version
string
Example: 2.3.0

Version of the requested software package (according to the purl schema pkg:repository/namespace/package@version).

query Parameters
artifact
string
Example: artifact=mock_numpy-2.2.0-.tar.gz

Qualifier that specifies the artifact file of the requested software package (according to the purl schema pkg:repository/namespace/package@version?artifact=filename.ext). Note that some software repositories (communities) do not support searching for artifacts.

artifact_tag
string
Example: artifact_tag=cp310-cp310-win_amd64

Qualifier that specifies the artifact file of the requested software package by a repository-specific tag (according to the purl schema pkg:repository/namespace/package@version?artifact_tag=example_tag). Note that some software repositories (communities) do not support searching for artifacts.

match_pattern
string
Example: match_pattern=1.3.*

Specifies the community-specific version glob pattern. Used for dependency resolution. Should not be used together with version or match_expression.

match_expression
string
Example: match_expression=<= 18.3.0

Specifies the community-specific version expression. Used for dependency resolution. Should not be used together with version or match_pattern.

offset
integer
Default: 0

This optional parameter is used for pagination to specify the starting index when enumerating package versions in the response.

limit
integer [ 1 .. 100 ]
Default: 5

Specify the maximum number of package versions to include in the response.

Responses

Response samples

Content type
application/json
{
  • "community": {
    • "package": {
      }
    }
}