
Spectra Assure analysis reports

Every Spectra Assure analysis (software scan) produces a set of reports and the overall CI status (pass or fail) for the analyzed software package.

Reports can be created in multiple formats, each containing a different level of detail and scope of information about the analyzed software package. Some report formats are more exclusive than others, containing information that is not available in any other report format.

In addition to custom, proprietary report formats developed by ReversingLabs (marked with rl- in the name), Spectra Assure supports the most popular, industry-standard report formats for software supply chain security management.

Depending on your use-case, you can choose which report formats to export with the Spectra Assure products you're using. Most reports are standalone files that can be imported into various third-party tools and freely shared with other members of your organization or community.

This page lists all analysis report formats supported by the Spectra Assure platform with details on their structure and advice for using them more efficiently.

Supported report formats

The following report formats can be created with all Spectra Assure products.

Selecting the report name in the table takes you to a section of this page with more details about the report format.

Name: cyclonedx
  Description: OWASP Software Bill of Materials (SBOM). Specification version: 1.5
  Details: Official specification
  Default file name: report.cyclonedx.json

Name: rl-checks
  Description: ReversingLabs checks report. This report format is convenient for automated workflows where multiple package version artifacts need to be analyzed and compared. The rl-checks report is similar to rl-json, but instead of showing detailed file metadata, it provides a status summary of all types of checks performed during analysis. This report format cannot be exported for reproducible build artifacts.
  Details: Report schema
  Default file name: report.checks.json

Name: rl-cve
  Description: ReversingLabs CVE report. The report is a CSV file containing all known vulnerabilities found during analysis. This report format is convenient for prioritizing the order of resolving known vulnerabilities.
  Details: Report schema
  Default file name: report.cve.csv

Name: rl-json
  Description: ReversingLabs JSON report. This report format is intended for use in integration workflows. It's also convenient for users who want to parse the report data with their own tools. The JSON report is less detailed than the SAFE report, but it includes the most important information.
  Details: Report schema
  Default file name: report.rl.json

Name: rl-uri
  Description: ReversingLabs URI report. The report is a CSV file providing detailed information on all networking strings found during analysis.
  Details: Report schema
  Default file name: report.uri.csv

Name: SAFE
  Description: ReversingLabs SAFE report. This is the most detailed report format generated by Spectra Assure products. It's the only report format that can contain diff information. The SAFE report is distributed in several different ways. In the Portal UI, the default report produced for every analyzed software package is the SAFE report. It can be downloaded only as the complete RL-SAFE archive (from the Portal UI or from the API). In the CLI, the SAFE report can be exported as a standalone rl-html report or as the complete RL-SAFE archive.
  Details: Documentation
  Default file name: sdlc.html (rl-html); report.rl-safe (RL-SAFE archive)

Name: sarif
  Description: Static Analysis Results Interchange Format (quality issues). Schema version: 2.1.0
  Details: Official specification
  Default file name: report.sarif.json

Name: spdx
  Description: Software Package Data Exchange (SBOM). Specification version: 2.3
  Details: Official specification
  Default file name: report.spdx.json

Some report formats are more information-rich than others, and some include only specific details about the analyzed software package.

The following sections provide feature comparison and indicate product support for all report formats. The report formats are grouped into ReversingLabs formats and Industry-standard formats.

ReversingLabs formats

Product support for rl-checks, rl-cve, rl-json, SAFE and rl-uri:

  • CLI (can be created with the CLI): rl-checks ✔️, rl-cve ✔️, rl-json ✔️, SAFE ✔️ (rl-html, RL-SAFE), rl-uri ✔️
  • Portal UI export (can be downloaded directly from the Portal interface): rl-checks ❌, rl-cve ✔️, rl-json ❌, SAFE ✔️ (RL-SAFE), rl-uri ✔️
  • Portal API export (can be downloaded with the Portal API): rl-checks ✔️, rl-cve ✔️, rl-json ✔️, SAFE ✔️ (RL-SAFE), rl-uri ✔️
What do these reports contain?

  • SBOM (contains the Software Bill of Materials): rl-checks stats only, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Issues (includes detected software quality and security issues): rl-checks stats only, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Vulnerabilities (includes detected known vulnerabilities): rl-checks stats only, rl-cve ✔️, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Secrets (includes detected sensitive information): rl-checks ❌, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Licenses (includes detected software licenses): rl-checks stats only, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • SAFE Assessment (contains the ReversingLabs SAFE assessment): rl-checks stats only, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Diff (contains comparison results for two software versions): rl-checks ❌, rl-cve ❌, rl-json ❌, SAFE ✔️, rl-uri ❌
  • Reproducibility checks (contains comparison results for main and reproducible build artifacts): rl-checks ✔️, rl-cve ❌, rl-json ❌, SAFE ✔️, rl-uri ❌
  • Behaviors (includes detected software behaviors): rl-checks ❌, rl-cve ❌, rl-json ✔️, SAFE ✔️, rl-uri ❌
  • Networking (includes detected URIs and networking-related strings): rl-checks ❌, rl-cve ❌, rl-json ❌, SAFE ✔️, rl-uri ✔️

Industry-standard formats

Product support for CycloneDX, SARIF and SPDX:

  • CLI (can be created with the CLI): CycloneDX ✔️, SARIF ✔️, SPDX ✔️
  • Portal UI export (can be downloaded directly from the Portal interface): CycloneDX ✔️, SARIF ✔️, SPDX ✔️
  • Portal API export (can be downloaded with the Portal API): CycloneDX ✔️, SARIF ✔️, SPDX ✔️
What do these reports contain?

  • SBOM (contains the Software Bill of Materials): CycloneDX ✔️, SARIF ❌, SPDX ✔️
  • Issues (includes detected software quality and security issues): CycloneDX ❌, SARIF ✔️, SPDX ❌
  • Vulnerabilities (includes detected known vulnerabilities): CycloneDX ✔️, SARIF ❌, SPDX ❌
  • Secrets (includes detected sensitive information): CycloneDX ❌, SARIF ❌, SPDX ❌
  • Licenses (includes detected software licenses): CycloneDX ✔️, SARIF ❌, SPDX ✔️
  • SAFE Assessment (contains the ReversingLabs SAFE assessment): CycloneDX ❌, SARIF ❌, SPDX ❌
  • Diff (contains comparison results for two software versions): CycloneDX ❌, SARIF ❌, SPDX ❌
  • Reproducibility checks (contains comparison results for main and reproducible build artifacts): CycloneDX ❌, SARIF ❌, SPDX ❌
  • Behaviors (includes detected software behaviors): CycloneDX ❌, SARIF ❌, SPDX ❌
  • Networking (includes detected URIs and networking-related strings): CycloneDX ❌, SARIF ❌, SPDX ❌

Which report formats to choose?

When working with Spectra Assure products, you don't necessarily need to use all supported report formats. Depending on your use-case, you might gain the most benefit from using only one or two report formats.

The following brief guidance can help you decide which report format suits your needs the most. You can learn more about each report format and why it's best for a particular use-case further in this text.

Use case: recommended report formats

  • CI/CD integrations: rl-checks
  • Custom integrations, SDKs, annotations: rl-json
  • Reproducible builds: rl-checks
  • Diffs (comparing software versions): SAFE
  • Detecting specific networking strings (URIs): rl-uri, SAFE
  • Known vulnerability (CVE) management: rl-cve, SAFE
  • Communication with vendors, executives, security specialists: SAFE
  • Visualizing analysis results: SAFE
  • Auditing and procurement: CycloneDX, SPDX, SAFE
  • License management: CycloneDX, SPDX, SAFE
  • Issue management and resolution: SARIF, SAFE
  • Supply chain security and compliance: SAFE

How to use SBOM reports

CycloneDX and SPDX are SBOM report formats that can be used for a wide range of purposes to help in managing the security, compliance, and operational risks presented by software.

This includes but is not limited to:

  • Building a software inventory. You can use SBOMs to establish a complete and accurate catalog of the components which make up your software supply chain. This helps you understand your digital dependencies and accelerate response during security incidents, because you can quickly check if the impacted component exists in your software stack.

  • Fostering transparency. CycloneDX and SPDX are standard data formats that software publishers use to provide visibility into the composition of their products. These reports can be used as portable audit artifacts and serve as a building block for establishing assurance and trust, setting the groundwork for additional security and integrity verification.

  • Achieving compliance. Many legislative and regulatory requirements now require SBOMs to be distributed alongside software. These reports can be stored in external GRC (Governance, Risk, and Compliance) solutions to demonstrate control effectiveness in case of an audit or regulatory exam. See our integration with ServiceNow for an example of how to facilitate seamless SBOM storage and management.

CycloneDX

CycloneDX is a software bill of materials (SBOM) format used to describe the components, dependencies, and relationships within a software package.

CycloneDX reports can be XML or JSON files, and typically contain details on software components, their licenses, vulnerabilities, and metadata such as version numbers, file hashes, and software supplier details.

CycloneDX is most suitable for supply chain security and vulnerability management in software components - when you need to focus on relationships between software components and dependency tracking. It is useful for auditing software at the package and dependency level.

You can learn more about the structure of CycloneDX files and view realistic report examples in the official CycloneDX GitHub repository.

Work with CycloneDX reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report cyclonedx pkg:rl/my-project/my-package@1.0.1
  Alternatively, create an RL-SAFE archive with the rl-safe command and export CycloneDX with the SAFE Viewer.

Portal: File Stream: Access the report for the analyzed package version and go to the Bill of Materials page. Select Export as CycloneDX at the top of the page.
  Projects: Access the report for the analyzed package version and select the Export button at the top right of the page to choose the report format.

API: Send a GET request to the Export analysis report endpoint. Set cyclonedx as the report_type path parameter in your request.
  Alternatively, request an RL-SAFE archive from the Export RL-SAFE archive endpoint and export CycloneDX with the SAFE Viewer.

After retrieving the report, you can:

  • Audit the SBOM to verify compliance with open-source licensing policies
  • Store the SBOM in an inventory database where all components from imported SBOMs are organized and use it for security reviews
  • Import SBOM data to create visual dashboards, reports, and analytics that show vulnerability trends, compliance status, and the overall health of software components
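The inventory lookup and license audit described above, written out as an added Python example. This is not ReversingLabs code and not a Spectra Assure export: it relies only on the public CycloneDX 1.5 JSON structure (components with purl and licenses, and the vulnerabilities array whose affects entries reference a component's bom-ref). The SBOM it parses is constructed inline with placeholder package names and a placeholder vulnerability id, and the denied-license set is an assumed policy.

```python
"""Inventory lookup, license audit and vulnerability mapping over a CycloneDX 1.5 JSON SBOM.

Added example, not ReversingLabs code. Only the public CycloneDX 1.5 JSON
structure is used; the document below is constructed for illustration.
"""
import json

# Constructed sample SBOM (placeholder package names, placeholder vulnerability id).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/acme-http@4.17.20",
         "name": "acme-http", "version": "4.17.20",
         "purl": "pkg:npm/acme-http@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/acme-util@1.3.0",
         "name": "acme-util", "version": "1.3.0",
         "purl": "pkg:npm/acme-util@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        # No licenses array at all: a policy gap the audit must surface.
        {"type": "library", "bom-ref": "pkg:npm/unlicensed-widget@0.1.0",
         "name": "unlicensed-widget", "version": "0.1.0",
         "purl": "pkg:npm/unlicensed-widget@0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001",  # placeholder, not a real CVE number
         "affects": [{"ref": "pkg:npm/acme-http@4.17.20"}]},
    ],
})


def parse_sbom(sbom_json):
    """Load the document and refuse anything that is not CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_licenses(component):
    """License identifiers declared on a component (may be empty).

    CycloneDX allows {"license": {"id"|"name": ...}} or {"expression": "..."}
    entries in the `licenses` array; both forms are handled.
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name"))
    return found


def find_component(doc, name, version=None):
    """Incident-response lookup: which inventory entries match the impacted component?"""
    hits = []
    for comp in doc.get("components", []):
        if comp.get("name") != name:
            continue
        if version is not None and comp.get("version") != version:
            continue
        hits.append(comp.get("purl") or "%s@%s" % (comp.get("name"), comp.get("version")))
    return hits


def license_violations(doc, denied):
    """Components whose license is denied by policy, or not declared at all (reported as None)."""
    violations = []
    for comp in doc.get("components", []):
        ref = comp.get("purl") or comp.get("bom-ref")
        licenses = component_licenses(comp)
        if not licenses:
            violations.append((ref, None))
            continue
        for lic in licenses:
            if lic in denied:
                violations.append((ref, lic))
    return violations


def vulnerable_components(doc):
    """Map each vulnerability id to the bom-refs of the components it affects."""
    known_refs = {c.get("bom-ref") for c in doc.get("components", [])}
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        refs = [a["ref"] for a in vuln.get("affects", []) if a.get("ref") in known_refs]
        result[vuln.get("id")] = refs
    return result


if __name__ == "__main__":
    sbom = parse_sbom(SAMPLE_SBOM)
    print("acme-util present:", find_component(sbom, "acme-util"))
    print("license violations:", license_violations(sbom, {"WTFPL"}))
    print("vulnerable:", vulnerable_components(sbom))
```

Pointing `parse_sbom` at the report.cyclonedx.json file exported by Spectra Assure gives the same three answers for a real package: whether an impacted component is in your stack, which components fail the license policy, and which components carry known vulnerabilities.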

rl-checks

The rl-checks report is a proprietary format that provides information on the different types of security checks performed on the software package.

Spectra Assure products perform the following types of checks:

1 - standard analysis

2 - differential analysis between two versions

3 - reproducible build analysis between two artifacts of a version

The rl-checks report is a machine-readable JSON file. It is typically useful only when a differential analysis, a reproducible build analysis, or both have been done.

The rl-checks report is best suited for CI/CD integrations, especially if you are using reproducible builds. You can use it to build logic for your workflows; for example, prevent software deployment based on the final verdict from the report. It allows you to quickly check the status of your software package and get a summary risk assessment. rl-checks is also useful when you need to focus on overall statistics/metrics more than on specific details.

You can learn more about the structure of rl-checks reports and view an example in the report schema.

Work with rl-checks reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

Compatibility warning

The rl-checks report cannot be created for a reproducible build artifact. In reproducible builds use-cases, it can only be created for the main artifact. The build=repro parameter should not be used when requesting this report format from Spectra Assure CLI or Portal API.

CLI: Use the rl-secure report command. Example: rl-secure report rl-checks pkg:rl/my-project/my-package@1.0.1

Portal: This report format cannot be downloaded from the Portal interface.

API: Send a GET request to the Export analysis report endpoint. Set rl-checks as the report_type path parameter in your request.

After retrieving the report, you can:

  • Parse the JSON data to quickly understand which checks have passed and which have failed (if any)
  • View summary-level results such as vulnerability counts, number of issues in each SAFE category, and pass/fail statuses

rl-cve

The rl-cve report is a proprietary format that delivers Common Vulnerabilities and Exposures (CVE) results from Spectra Assure scans.

The rl-cve report is a CSV file that provides users with a comprehensive view of potential security risks across their software supply chain. More specifically, it contains known vulnerabilities found in your software during analysis. The vulnerabilities are identified by their CVE number and marketing name (if available). The report also indicates file paths within the software package where each detected vulnerability has been found.

You can learn more about the structure of rl-cve reports and view an example in the report schema.

Work with rl-cve reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report rl-cve pkg:rl/my-project/my-package@1.0.1
  Alternatively, create an RL-SAFE archive with the rl-safe command and export rl-cve with the SAFE Viewer.

Portal: File Stream: Access the report for the analyzed package version and go to the Vulnerabilities page. Select Export as CSV at the top of the page.
  Projects: Access the report for the analyzed package version and select the Export button at the top right of the page to choose the report format.

API: Send a GET request to the Export analysis report endpoint. Set rl-cve as the report_type path parameter in your request.
  Alternatively, request an RL-SAFE archive from the Export RL-SAFE archive endpoint and export rl-cve with the SAFE Viewer.

After retrieving the report, you can:

  • Share the CSV file with team members or external stakeholders to streamline communication and make the vulnerability data more accessible
  • Store vulnerability information offline, aiding in audit trails and meeting compliance requirements

rl-json

The rl-json report is a proprietary report format that provides detailed results of a Spectra Assure scan. It is essentially a machine-readable equivalent of the browser-based, human-readable SAFE report (rl-html).

The rl-json report is most suitable for custom integrations when you want to programmatically extract detailed information about a software package and use it with other tools that accept JSON as input. It provides nearly the same level of detail as the SAFE report, but it's more compact and easier to annotate if necessary.

You can learn more about the structure of rl-json reports and view an example in the report schema.

Work with rl-json reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report rl-json pkg:rl/my-project/my-package@1.0.1

Portal: This report format cannot be downloaded from the Portal interface.

API: Send a GET request to the Export analysis report endpoint. Set rl-json as the report_type path parameter in your request.

After retrieving the report, you can:

  • Parse the JSON data programmatically to create a workflow based on the scan results
  • Use it for integration purposes, such as extracting findings of interest to load into other systems
  • Display analysis results in a separate tool such as an ASPM solution

rl-uri

The rl-uri report is a proprietary report format that serves as a rich source of network intelligence and can be used to enforce preventative security controls.

The report is a CSV file that contains all URIs (networking strings) detected in the software package version during analysis. It is essentially an equivalent of the Networking page from the SAFE report (rl-html). Because sensitive URIs are automatically removed from the rl-uri report, the number of rows on the Networking page may not always correspond to the number of rows in the exported CSV file.

You can learn more about the structure of rl-uri reports and view an example in the report schema.

Work with rl-uri reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report rl-uri pkg:rl/my-project/my-package@1.0.1
  Alternatively, create an RL-SAFE archive with the rl-safe command and export rl-uri with the SAFE Viewer.

Portal: File Stream: Access the report for the analyzed package version and go to the Networking page. Select Export as CSV at the top of the page.
  Projects: Access the report for the analyzed package version and select the Export button at the top right of the page to choose the report format.

API: Send a GET request to the Export analysis report endpoint. Set rl-uri as the report_type path parameter in your request.
  Alternatively, request an RL-SAFE archive from the Export RL-SAFE archive endpoint and export rl-uri with the SAFE Viewer.

After retrieving the report, you can:

  • Share the CSV file with team members and relevant stakeholders
  • Use the information from the report to prevent the deployment or update of software which relies on external networking resources explicitly restricted by organizational policy (e.g. TLD hosted within a list of sanctioned countries) or pre-defined network blocklists (e.g. known malicious URIs)
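The preventative control described in the last bullet, screening exported URIs against a network blocklist and a TLD policy before deployment, as an added Python example. This is not ReversingLabs code: the real column layout of the rl-uri CSV is defined by the report schema linked above and is not reproduced here, so the example assumes a column named `uri` (a hypothetical header, passed as a parameter so the real one can be substituted). The CSV rows, the blocklisted host and the restricted TLD are all constructed.

```python
"""Screen URIs from an rl-uri style CSV export against network policy.

Added example, not ReversingLabs code. The `uri` column name is an
assumption about the export; the sample rows, blocklist and TLD policy
are constructed.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. The `uri` and `path` headers are assumptions,
# not the documented rl-uri schema.
SAMPLE_CSV = """uri,path
https://updates.example-vendor.test/manifest.json,bin/updater
http://telemetry.example.invalid:8080/collect,lib/stats.so
ftp://mirror.example.zz/pkg.tar.gz,bin/fetch
https://cdn.example-vendor.test/assets/logo.png,share/ui
"""

BLOCKLIST = {"telemetry.example.invalid"}   # constructed: hosts your blocklist forbids
RESTRICTED_TLDS = {"zz"}                    # constructed: TLDs restricted by policy


def host_of(uri):
    """Lower-cased host part of a URI, or '' when it has none (e.g. a bare string)."""
    try:
        return (urlsplit(uri).hostname or "").lower()
    except ValueError:
        return ""


def screen(csv_text, blocklist=BLOCKLIST, restricted_tlds=RESTRICTED_TLDS, column="uri"):
    """Return one (uri, reason) finding per policy violation found in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uri = (row.get(column) or "").strip()
        if not uri:
            continue
        host = host_of(uri)
        if not host:
            continue  # not a host-bearing URI; nothing for the network policy to judge
        if host in blocklist:
            findings.append((uri, "blocklisted host"))
        tld = host.rsplit(".", 1)[-1]
        if tld in restricted_tlds:
            findings.append((uri, "restricted TLD ." + tld))
    return findings


def deployment_allowed(csv_text, **policy):
    """CI gate: True only when the export contains no policy violation."""
    return not screen(csv_text, **policy)


if __name__ == "__main__":
    for uri, reason in screen(SAMPLE_CSV):
        print("BLOCK", uri, "->", reason)
    print("deployment allowed:", deployment_allowed(SAMPLE_CSV))
```

Exact host matching is deliberate here: a substring match would let an attacker-chosen host such as a look-alike subdomain slip through or cause false positives on unrelated hosts; extend `BLOCKLIST` with parent-domain logic only if your policy explicitly covers subdomains.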

SAFE

The ReversingLabs SAFE report is a proprietary report format generated by Spectra Assure products using the advanced, unique ReversingLabs technology to unpack software binaries, extract deep layers of metadata, and detect software supply chain risks.

The report contains the file classification information along with the complete SBOM (Software Bill of Materials), risk assessment information with specific deployment risks categorized by severity and priority, information on digital signatures, file behavior descriptions, extracted URIs, and many more details on the analyzed file.

In the Spectra Assure CLI, the SAFE report is created with the rl-html parameter, so it is sometimes referred to as the rl-html report.

In the Spectra Assure Portal, all analyzed files automatically get the SAFE report - that is the default report displayed in the Portal interface.

SAFE provides the highest level of detail in a graphical, accessible interface. Because it can be directly shared from the Spectra Assure Portal via email, SAFE is best suited for communication with vendors, executives, and security specialists who are interested in the high-level overview of software risk as well as in the specifics. It is also useful in scenarios when analysis results need to be visualized or included in presentations for auditing or procurement purposes.

You can learn more about the structure and contents of SAFE reports in the report documentation.

RL-SAFE archive

RL-SAFE is a portable archive that contains the full SAFE report and all other supported report formats for a software package. In this context, "portable" means that the RL-SAFE archive can be freely shared and moved between different computers and viewed without access to a Spectra Assure Portal instance or CLI installation. The RL-SAFE archive can be password-protected for additional security and control over who can access its contents.

The archive can be downloaded from the Portal Projects and the Portal API, or created with the CLI. It is not supported on the Portal File Stream.

The RL-SAFE archive is most suitable for:

  • use-cases that require long-term storage of the SAFE report for auditing and compliance purposes
  • viewing SAFE reports for software packages with very large file sizes
  • sharing the SAFE report with stakeholders who can't use the report sharing feature on the Portal

When you create or download the RL-SAFE archive for a software package, you need the SAFE Viewer to open the archive and work with the SAFE report. The SAFE Viewer is a cross-platform, free-to-use standalone application developed by ReversingLabs that lets users open RL-SAFE archives and manage SAFE reports anytime, anywhere. From the SAFE Viewer, you can export other report formats that are included in the archive, and access diff and reproducible build reports (if they exist for that software package version).

How the RL-SAFE archive handles report formats

  • Included, can be exported with SAFE Viewer: CycloneDX, rl-cve, rl-uri, SARIF, SPDX

  • Included, cannot be exported with SAFE Viewer: rl-checks

  • Not included: rl-json

Archives from unknown or unreliable sources

Even though the SAFE Viewer processes are sandboxed to minimize damage from potentially malicious code, do not open any RL-SAFE archives from unknown or unreliable sources.

RL-SAFE archives are intended to be opened with the SAFE Viewer. However, it is possible to open them with file archiver utilities like any other compressed file. If you extract the RL-SAFE archive, you will notice that it contains engine and policy configuration files alongside raw report files. The configuration files are included in the archive so that the SAFE Viewer can accurately represent the conditions used to analyze the software package.

The contents of the RL-SAFE archive cannot be modified, and the archive cannot be repackaged. Attempting to do that can make the archive unusable and may result in irreversible data loss.

Work with SAFE reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: For the standalone rl-html report, use the rl-secure report command. Example: rl-secure report rl-html pkg:rl/my-project/my-package@1.0.1
  For the complete RL-SAFE archive, use the rl-safe command.

Portal: Access the report for the analyzed package version. The whole page with all its sections is the SAFE report. In Portal Projects, you can share the SAFE report with people even if they don't have a Portal account.
  To download the SAFE report from the Portal for offline use, you need the RL-SAFE archive. It is only supported in Portal Projects. Access the report for the analyzed package version. Select the Export button at the top right of the page and choose RL-SAFE in the menu.

API: Send a GET request to the Export RL-SAFE archive endpoint. Access the URL returned in the download_link response field to download the RL-SAFE archive.

SARIF

The SARIF (Static Analysis Results Interchange Format) report is a standard format developed by OASIS (Organization for the Advancement of Structured Information Standards). It contains the results of static analysis tools and makes output from these tools consistent, machine-readable, actionable, and easily shareable. This helps security teams and developers interpret and act upon static analysis findings in a structured way, particularly in the context of application security.

Spectra Assure provides SARIF reports as JSON files. They typically contain details on detected issues, their severity, location in the code, and potential fixes or mitigations. Descriptions of policies and rules that triggered each issue are also included.

This report format is best suited for environments and workflows that rely on the SARIF standard for issue management and resolution.

You can learn more about the structure of SARIF files and view realistic report examples in the official SARIF GitHub repository.

Work with SARIF reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report sarif pkg:rl/my-project/my-package@1.0.1
  Alternatively, create an RL-SAFE archive with the rl-safe command and export SARIF with the SAFE Viewer.

Portal: File Stream: Access the report for the analyzed package version and go to the Issues page. Select Export as Sarif at the top of the page.
  Projects: Access the report for the analyzed package version and select the Export button at the top right of the page to choose the report format.

API: Send a GET request to the Export analysis report endpoint. Set sarif as the report_type path parameter in your request.
  Alternatively, request an RL-SAFE archive from the Export RL-SAFE archive endpoint and export SARIF with the SAFE Viewer.

After retrieving the report, you can:

  • Import it into compatible tools such as GitHub Advanced Security or Microsoft Visual Studio to give developers a visual interface where they can find and resolve issues more efficiently and address security vulnerabilities early
  • Provide it as evidence during compliance audits as proof that the code was tested against specific security or quality policies (such as "OWASP Top 10")
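How the issue data in a SARIF report can be consumed by your own tooling when no SARIF-aware viewer is in the pipeline, as an added Python example. This is not ReversingLabs code and does not reproduce Spectra Assure rule ids or policy names: it depends only on the SARIF 2.1.0 structure (runs[].tool.driver.rules[] and runs[].results[] with ruleId, level, message.text and locations[].physicalLocation.artifactLocation.uri), and the report it reads is constructed with placeholder rule ids.

```python
"""Summarize a SARIF 2.1.0 report per level and per rule, and gate a build on it.

Added example, not ReversingLabs code. Rule ids, messages and file paths
below are constructed placeholders.
"""
import json
from collections import Counter

# Constructed sample report (placeholder rule ids and paths).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "EXAMPLE-RULE-1", "shortDescription": {"text": "Example hardening rule"}},
                {"id": "EXAMPLE-RULE-2", "shortDescription": {"text": "Example quality rule"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-RULE-1", "level": "error",
             "message": {"text": "Binary built without a hardening option"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app"}}}]},
            {"ruleId": "EXAMPLE-RULE-1", "level": "error",
             "message": {"text": "Binary built without a hardening option"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/helper.so"}}}]},
            {"ruleId": "EXAMPLE-RULE-2",  # no "level": SARIF treats a missing level as "warning"
             "message": {"text": "Debug symbols present"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app"}}}]},
        ],
    }],
})


def iter_results(sarif_json):
    """Yield one flat record per result, joining each result to its rule description."""
    doc = json.loads(sarif_json)
    if doc.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version")
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            files = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                     for loc in res.get("locations", [])]
            rule_id = res.get("ruleId")
            yield {
                "rule": rule_id,
                "title": rules.get(rule_id, {}).get("shortDescription", {}).get("text"),
                "level": res.get("level", "warning"),  # SARIF default when level is omitted
                "message": res.get("message", {}).get("text", ""),
                "files": [f for f in files if f],
            }


def count_by_level(sarif_json):
    """How many results at each level (error / warning / note / none)."""
    return dict(Counter(r["level"] for r in iter_results(sarif_json)))


def files_by_rule(sarif_json):
    """Which files triggered each rule; the working list for remediation."""
    out = {}
    for r in iter_results(sarif_json):
        out.setdefault(r["rule"], set()).update(r["files"])
    return {rule: sorted(paths) for rule, paths in out.items()}


def gate(sarif_json, fail_on=("error",)):
    """CI gate: True when no result reaches one of the failing levels."""
    return not any(r["level"] in fail_on for r in iter_results(sarif_json))


if __name__ == "__main__":
    print("by level:", count_by_level(SAMPLE_SARIF))
    print("by rule:", files_by_rule(SAMPLE_SARIF))
    print("build passes:", gate(SAMPLE_SARIF))
```

Treating a missing `level` as `warning` follows the SARIF specification's default; a gate that silently dropped such results would under-count findings from tools that rely on that default.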

SPDX

SPDX (Software Package Data Exchange) is an open standard format used for representing metadata about software components, licenses, and provenance in a machine-readable way. It was developed by the Linux Foundation’s SPDX Workgroup and is widely adopted for sharing information about open-source and third-party components.

Spectra Assure provides SPDX reports as JSON files. They contain details about software packages, their dependencies, licenses, file-level information, copyrights, and other relevant metadata. SPDX reports may also include or link to vulnerability data.

SPDX is best suited for licensing use-cases - when you need to focus on license compliance or when you're working with multiple open source licenses. It is useful for auditing software at the file level.

You can learn more about the structure of SPDX files and view realistic report examples for different use-cases in the official SPDX GitHub repository.

Work with SPDX reports

The instructions in the table expect that you have already analyzed the software package with Spectra Assure, and now you only want to get the specific report format.

CLI: Use the rl-secure report command. Example: rl-secure report spdx pkg:rl/my-project/my-package@1.0.1
  Alternatively, create an RL-SAFE archive with the rl-safe command and export SPDX with the SAFE Viewer.

Portal: File Stream: Access the report for the analyzed package version and go to the Bill of Materials page. Select Export as SPDX at the top of the page.
  Projects: Access the report for the analyzed package version and select the Export button at the top right of the page to choose the report format.

API: Send a GET request to the Export analysis report endpoint. Set spdx as the report_type path parameter in your request.
  Alternatively, request an RL-SAFE archive from the Export RL-SAFE archive endpoint and export SPDX with the SAFE Viewer.

After retrieving the report, you can:

  • Use it to verify cryptographic checksums for files to ensure that no tampering has occurred
  • Generate legal reports for audits or corporate governance with detailed breakdowns of software components and their associated licenses based on the SPDX file
  • Import SPDX files into automated tools that can integrate into CI/CD pipelines and monitor software components throughout development
  • Assess the trustworthiness of each supplier or repository from which software components are sourced and identify potential risks to the software supply chain
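The tamper check from the first bullet, recomputing the checksums recorded in an SPDX document against the files on disk, as an added Python example. This is not ReversingLabs code: it uses only the SPDX 2.3 JSON structure (files[] with fileName and checksums[] of algorithm/checksumValue), and both the document and the files it describes are constructed in a temporary directory, with one file modified after the document was written so that the mismatch path is exercised.

```python
"""Verify file checksums recorded in an SPDX 2.3 JSON document against files on disk.

Added example, not ReversingLabs code. The SPDX document and the files are
constructed in a temporary directory so the check runs offline.
"""
import hashlib
import json
import os
import tempfile

# SPDX algorithm names mapped to hashlib names (subset sufficient for the example).
_ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512", "MD5": "md5"}


def build_fixture():
    """Write two files plus an SPDX document describing them, then alter one file."""
    root = tempfile.mkdtemp()
    contents = {"bin/app": b"original application bytes", "LICENSE": b"MIT License text"}
    files = []
    for rel, data in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        files.append({
            "fileName": "./" + rel,                       # SPDX file names are relative to the package root
            "SPDXID": "SPDXRef-File-" + rel.replace("/", "-"),
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": hashlib.sha256(data).hexdigest()}],
        })
    doc = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
           "name": "constructed-example", "files": files}
    # Simulate post-SBOM tampering: append bytes to one artifact.
    with open(os.path.join(root, "bin/app"), "ab") as fh:
        fh.write(b"\nextra bytes")
    return root, json.dumps(doc)


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(root, spdx_json):
    """Return {relative file name: 'ok' | 'mismatch' | 'missing' | 'unsupported-algorithm'}."""
    doc = json.loads(spdx_json)
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("unsupported SPDX version")
    report = {}
    for entry in doc.get("files", []):
        rel = entry["fileName"]
        rel = rel[2:] if rel.startswith("./") else rel
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        status = "ok"
        for cs in entry.get("checksums", []):
            algo = _ALGOS.get(cs["algorithm"].upper())
            if algo is None:
                status = "unsupported-algorithm"
                break
            if _digest(path, algo) != cs["checksumValue"].lower():
                status = "mismatch"
                break
        report[rel] = status
    return report


def run_example():
    """Build the fixture and verify it; the tampered file must show as a mismatch."""
    root, spdx_json = build_fixture()
    return verify_checksums(root, spdx_json)


if __name__ == "__main__":
    for name, status in run_example().items():
        print(name, status)
```

Any status other than `ok` should block a release: `mismatch` means the artifact differs from what the SBOM attests, `missing` means the SBOM describes a file that is not in the delivered package, and `unsupported-algorithm` means the check could not be performed and must not be treated as a pass.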