File Stream
File Stream is the landing page of the Spectra Assure Portal, where you can view and manage all software packages uploaded and analyzed by your groups, as well as access their reports. You can learn more about the contents of the SAFE reports on the Report page.
Uploaded packages are retained on the File Stream for 90 days, after which they're automatically removed. If you want to preserve these files without reuploading them to Projects and using your analysis capacity, you can move them to a project of your choice.
On this page, you can filter and sort the files you upload, but cannot organize them. To organize different versions of your files by a shared feature of your choice (most commonly by product name), you can use the Projects page.
Depending on your Portal user role, the File Stream page lets you:
- manage software packages uploaded by you or the members of your group
- upload new software packages
- view and export reports for all software packages belonging to your group
- download approved files
- approve/reject your software packages
Differences between File Stream and Projectsโ
When you start using the Portal, you'll typically work with the File Stream first, and gradually move to the Projects. The following table lists the key differences between these two Portal features to help you understand their advantages and workflows.
Feature | File Stream | Projects |
---|---|---|
File organization Work with multiple versions of a software package and group them into projects | โ | โ๏ธ |
Unlimited file retention Analyzed files and their reports aren't automatically removed from the Portal | โ | โ๏ธ |
Version diff Compare two versions of a software package to view their differences | โ | โ๏ธ |
View report Access the SAFE report for a successfully analyzed file | โ๏ธ | โ๏ธ |
Share report Send the link to a SAFE report to anyone in or outside your organization | โ | โ๏ธ |
Export report Download sections of the SAFE report and the SBOM for a file | โ๏ธ | โ๏ธ |
Mark file as released Differentiate released software versions from unreleased ones | โ | โ๏ธ |
Reanalyze file Scan a previously analyzed file again to refresh the SAFE report | โ๏ธ | โ๏ธ |
Delete file Remove an analyzed file, its metadata and report from the Portal | โ๏ธ | โ๏ธ |
Approve or reject file Mark an analyzed file as (un)acceptable for use in your organization | โ๏ธ | โ๏ธ |
Download file Download the analyzed software binary from the Portal to your local system | โ๏ธ | โ๏ธ |
File filtering Display analyzed files that match specific criteria | โ๏ธ | โ |
Reproducible builds Analyze a reproducible build artifact of a software version | โ | โ๏ธ |
Get RL-SAFE archive Download the complete SAFE report for a software version | โ | โ๏ธ |
Navigating the File Stream pageโ
All pages on the Portal share a header from which you can switch between various groups you belong to, and the tabs for each Portal page you can alternate between: File Stream, Projects, Members, and Settings (Figure 1, #1).
On the File Stream page, all uploaded software packages are displayed in the Software table containing the following fields (Figure 1, #4):
- Info - dropdown containing the summarized software quality information for the uploaded software package. This is also where you can access the full report for your package
- Status - indicates if your software package was uploaded successfully
- User - indicates the Portal user who uploaded the package
- File - indicates the full name of the software package, including its file type. The scan duration displayed underneath indicates how long it took to process the software package. Selecting the file name opens the analysis report in a new Portal tab
- Usage - indicates the total size of the software package and how much of your group capacity was used when the package was uploaded to the Portal
- Components - indicates the total number of components in the SBOM and how many of them are verified
- SAFE Assessment/Issues - the only column with an interchangeable heading and related information. When SAFE Assessment is selected, it shows whether any issues with Compliance or Security were found, or if any Threats were detected. When Issues is selected, the column displays the total number of detected issues of high, medium or low severity. This column also shows when the software package will be automatically removed from the File Stream
- Approval - indicates if the software package was approved or rejected for use in your organization, if its approval was revoked, or if it's still awaiting approval
The uploads in the table can be ordered by the following column header values:
- filename (File)
- size (Usage)
- the number of components (Components)
- upload date (SAFE Assessment/Issues)
The information in the table can also be filtered based on the following criteria (Figure 1, #2):
- who uploaded the file (All Uploads, My Uploads) and when the file will be deleted (Deleted in 7 days, Deleted in 30 days, Deleted in 60 days)
- what its approval status is (All Approval Statuses, Requires Approval, Approved, Approval Rejected, Approval Revoked)
The progress bar on the right above the Software table displays the status of your group capacity (Figure 1, #3), which eliminates the need to check the Analysis Capacity page before or after each new upload.
The Software table header warns you when your group has files that will be removed in 7 days or less.
Upload a package to File Streamโ
To upload your software packages to the File Stream page of the Portal, use the Upload File
button above the Software table (Figure 1, #3).
This prompts you to choose a file from your computer and afterwards to enter the required information on your software package:
- Product - indicates the full name of the software package
- Version - indicates the software package version
- Publisher - indicates the software publisher
- Platform - a dropdown from which you can choose the system for which the software has been developed
- Category - a dropdown from which you can choose the general purpose of the software package
- License - a dropdown from which you can choose the type of license for the software package. All license types from the SPDX License List are supported
When uploaded, files are automatically analyzed and added to the Software table on the File Stream page.
Manage your packagesโ
After your software package has been analyzed, you can access the Actions menu at the right end of the table row of your package. From the Actions menu, you can do the following:
The availability of these actions depends on the user role you were assigned.
Move a file to a projectโ
To preserve your files, you can move them from the File Stream to the Projects page. Before moving the file, you have to associate it with a project and a package, so that you can manage it as any other package version.
When there's already a maximum number of versions inside a package (12), the oldest package version by upload date will be removed.
To move a package version from the File Stream, select Move to Project
from the Actions menu.
In the dialog that opens, you have to complete the following four steps:
- Select Project, where you can either select an existing project from the dropdown or create a new one if the project you searched for does not yet exist
- Select Package, where you can select an existing package from the dropdown. If the package you searched for does not yet exist, you can create a new one
- Software Info, where you can edit the same information about your software package that you need to enter when you're uploading it directly to the Projects page. The Is Released checkbox is not marked by default. All fields except for Version are automatically filled. The Derived field takes the last successfully uploaded version as its value. This field is available only when you're moving your file to a package that already contains at least one version.
- Overview, where you can once again check all the information on the package version you're moving, including its target location
You can switch back and forth between the steps by selecting them at the top of the dialog. This allows you to change any information on the package version up until you finish the process of moving your file to a desired project.
When all the steps are successfully completed, you can view your file inside the desired project and package on the Projects page. Upon move, this file is automatically reanalyzed without influencing your analysis capacity to ensure it is in sync with other package versions and to create diffs. Note that the file you moved is shown first in the list of package versions because it was uploaded last.
View a reportโ
You can view the SAFE report for a software package in any of the following ways:
- open the
Info
dropdown and selectView report
- select
View report
in the Actions menu at the end of each table row - select the filename of the software package
For a detailed overview of the SAFE report contents, refer to the Report page.
Reanalyze a fileโ
You can reanalyze your software packages at any point in time from the Actions menu. However, the Portal will prompt you to reanalyze the file if your SAFE report is outdated when you attempt to view it. Reports can be outdated for the following reasons:
- the Portal analysis engine has been updated since you uploaded your package
- the organization policy profile has changed since you uploaded your package
- the group policy profile has changed since you uploaded your package
Sending a file to reanalysis does not affect the group capacity in any way.
Download a fileโ
To download approved packages in their original file format, select the Download File
button in the Actions menu.
In the pop-up that opens, you can do the following:
- click the filename to complete the download action
- view and copy the SHA256 file hash
- select
Close
to cancel the download action
If the analysis capacity is exceeded, if file is not approved, or if you do not have the permission to approve files, selecting the Download File
button results in an error.
Only users with roles that allow file approval can download any file regardless of its approval status.
Delete a fileโ
You can delete any software package belonging to your groups from the Actions menu. You should take into account that deleting the software package removes all its related metadata. Therefore, if you want to keep the reports of your deleted packages, you need to export them.
From the Report page, you can export the following:
- SBOM, in either the
CycloneDX
orSPDX
format - Issues, in the
SARIF
format - Vulnerabilities, in the
RL-CVE
format - Networking, in the
RL-URI
format
Approve or reject a fileโ
All Portal users can see the file approval status, but only users with the Organization Administrator, Organization Security, and Group Owner roles can approve, reject, or revoke approval for software packages.
By default, all software packages await approval when uploaded to the Portal. If you have the appropriate role and have thoroughly reviewed your software report after a scan, you can assign one of the following approval statuses to your software:
- Approved, when no policies have failed during analysis or when some policies did fail but you subsequently either accepted the potential risk or manually suppressed those policies
- Approval Rejected, when the software should be restricted from deployment since it poses a considerable risk to your organization even after all possible actions have been taken
- Approval Revoked, when:
- the software has been incorrectly or inadvertently approved,
- the software can be replaced by an alternate software (e.g. a later version) posing a lower security risk,
- the policy configuration has been modified, or
- a new threat impacting components of the software has been identified
From the Actions menu, you can approve only the software tagged as "Requires Approval" or "Approval Rejected". Once you update the approval status for the software, you cannot change it back to "Requires Approval". Any change in approval status requires you to state a valid reason to support your choice.
When you approve software, it can be downloaded by any Portal user and its approval can be revoked at any moment. If you revoked the software approval, Portal users can neither reapprove it nor download it. This kind of software should be removed from the production environment to avoid future use.
You can only reject the software that has not been approved yet. If you already rejected the software but you want to change the rejection reason, you need to reject it again with a new reason.