File Stream

File Stream is the landing page of the Spectra Assure Portal, where you can view and manage all software packages uploaded and analyzed by your groups, as well as access their reports.

Uploaded packages are retained on the File Stream for 90 days, after which they're automatically removed. If you want to preserve these files without reuploading them to Projects and using your analysis capacity, you can move them to a project of your choice.

On this page, you can filter and sort the files you upload, but cannot organize them. To organize different versions of your files by a shared feature of your choice (most commonly by product name), you can use the Projects page.

Depending on your Portal user role, the File Stream page lets you:

Differences between File Stream and Projects

When you start using the Portal, you'll typically work with the File Stream first, and gradually move to the Projects. The following table lists the key differences between these two Portal features to help you understand their advantages and workflows.

| Feature | Description | File Stream | Projects |
|---|---|---|---|
| File organization | Work with multiple versions of a software package and group them into projects | ❌ | ✔️ |
| Unlimited file retention | Analyzed files and their reports aren't automatically removed from the Portal | ❌ | ✔️ |
| Version diff | Compare two versions of a software package to view their differences | ❌ | ✔️ |
| View report | Access the SAFE report for a successfully analyzed file | ✔️ | ✔️ |
| Share report | Send the link to a SAFE report to anyone in or outside your organization | ❌ | ✔️ |
| Export report | Download sections of the SAFE report and the SBOM for a file | ✔️ | ✔️ |
| Mark file as released | Differentiate released software versions from unreleased ones | ❌ | ✔️ |
| Reanalyze file | Scan a previously analyzed file again to refresh the SAFE report | ✔️ | ✔️ |
| Delete file | Remove an analyzed file, its metadata and report from the Portal | ✔️ | ✔️ |
| Approve or reject file | Mark an analyzed file as (un)acceptable for use in your organization | ✔️ | ✔️ |
| Download file | Download a previously uploaded file from the Portal to your local system | ✔️ | ✔️ |
| File filtering | Display analyzed files that match specific criteria | ✔️ | ❌ |
| Reproducible builds | Analyze a reproducible build artifact of a software version | ❌ | ✔️ |

Navigating the File Stream page

All pages on the Portal share a header from which you can switch between various groups you belong to, and the tabs for each Portal page you can alternate between: File Stream, Projects, Members, and Settings (Figure 1, #1).

Figure 1 - Navigating the File Stream page

On the File Stream page, all uploaded software packages are displayed in the Software table containing the following fields (Figure 1, #4):

  • Info - dropdown containing the summarized software quality information for the uploaded software package. This is also where you can access the full report for your package
  • Status - indicates if your software package was uploaded successfully
  • User - indicates the Portal user who uploaded the package
  • File - indicates the full name of the software package, including its file type. The scan duration displayed underneath indicates how long it took to process the software package. Selecting the file name opens the analysis report in a new Portal tab
  • Usage - indicates the total size of the software package and how much of your group capacity was used when the package was uploaded to the Portal
  • Components - indicates the total number of components in the SBOM and how many of them are verified
  • SAFE Assessment/Issues - the only column with an interchangeable heading and related information. When SAFE Assessment is selected, it shows whether any issues with Compliance or Security were found, or if any Threats were detected. When Issues is selected, the column displays the total number of detected issues of high, medium or low severity. This column also shows when the software package will be automatically removed from the File Stream
  • Approval - indicates if the software package was approved or rejected for use in your organization, if its approval was revoked, or if it's still awaiting approval

The uploads in the table can be ordered by the following column header values:

  • filename (File)
  • size (Usage)
  • the number of components (Components)
  • upload date (SAFE Assessment/Issues)

The information in the table can also be filtered based on the following criteria (Figure 1, #2):

  • who uploaded the file (All Uploads, My Uploads) and when the file will be deleted (Deleted in 7 days, Deleted in 30 days, Deleted in 60 days)
  • what its approval status is (All Approval Statuses, Requires Approval, Approved, Approval Rejected, Approval Revoked)

The progress bar on the right above the Software table displays the status of your group capacity (Figure 1, #3), which eliminates the need to check the Analysis Capacity page before or after each new upload.

The Software table header warns you when your group has files that will be removed in 7 days or less.

Upload a package to File Stream

To upload your software packages to the File Stream page of the Portal, use the Upload File button above the Software table (Figure 1, #3). This prompts you to choose a file from your computer and afterwards to enter the required information on your software package:

  • Product - indicates the full name of the software package
  • Version - indicates the software package version
  • Publisher - indicates the software publisher
  • Platform - a dropdown from which you can choose the system for which the software has been developed
  • Category - a dropdown from which you can choose the general purpose of the software package
  • License - a dropdown from which you can choose the type of license for the software package. All license types from the SPDX License List are supported

When uploaded, files are automatically analyzed and added to the Software table on the File Stream page.

Manage your packages

After your software package has been analyzed, you can access the Actions menu at the right end of the table row of your package. From the Actions menu, you can do the following:

  1. Move to Project
  2. View Report
  3. Reanalyze
  4. Download File
  5. Delete File
  6. Approve/Reject

The availability of these actions depends on the user role you were assigned.

Move a file to a project

To preserve your files, you can move them from the File Stream to the Projects page. Before moving the file, you have to associate it with a project and a package, so that you can manage it as any other package version.

WARNING

When there's already a maximum number of versions inside a package (12), the oldest package version by upload date will be removed.

To move a package version from the File Stream, select Move to Project from the Actions menu. In the dialog that opens, you have to complete the following four steps:

  1. Select Project, where you can either select an existing project from the dropdown or create a new one if the project you searched for does not yet exist
  2. Select Package, where you can select an existing package from the dropdown. If the package you searched for does not yet exist, you can create a new one
  3. Software Info, where you can edit the same information about your software package that you need to enter when you're uploading it directly to the Projects page. The Is Released checkbox is not marked by default. All fields except for Version are automatically filled. The Derived field takes the last successfully uploaded version as its value. This field is available only when you're moving your file to a package that already contains at least one version.
  4. Overview, where you can once again check all the information on the package version you're moving, including its target location

You can switch back and forth between the steps by selecting them at the top of the dialog. This allows you to change any information on the package version up until you finish the process of moving your file to a desired project.

When all the steps are successfully completed, you can view your file inside the desired project and package on the Projects page. Upon move, this file is automatically reanalyzed without influencing your analysis capacity to ensure it is in sync with other package versions and to create diffs. Note that the file you moved is shown first in the list of package versions because it was uploaded last.

View a report

You can view the SAFE report for a software package in any of the following ways:

  • open the Info dropdown and select View report
  • select View report in the Actions menu at the end of each table row
  • select the filename of the software package

Reanalyze a file

You can reanalyze your software packages at any point in time from the Actions menu. However, the Portal will prompt you to reanalyze the file if your SAFE report is outdated when you attempt to view it. Reports can be outdated for the following reasons:

  • the Portal analysis engine has been updated since you uploaded your package
  • the organization policy profile has changed since you uploaded your package
  • the group policy profile has changed since you uploaded your package

NOTE

Sending a file to reanalysis does not affect the group capacity in any way.

Download a file

To download approved packages in their original file format, select the Download File button in the Actions menu. In the pop-up that opens, you can do the following:

  • click the filename to complete the download action
  • view and copy the SHA256 file hash
  • select Close to cancel the download action

If the analysis capacity is exceeded, if the file is not approved, or if you do not have the permission to approve files, selecting the Download File button results in an error. Only users with roles that allow file approval can download any file regardless of its approval status.
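The pop-up shows the SHA256 hash of the package so that you can confirm the file you saved is the one the Portal analyzed. The following script is an added example, not part of the Portal or its documentation: it streams the downloaded file through SHA-256 and compares the result with the hash copied from the pop-up. The file name and contents in `demo()` are constructed for the demonstration; the expected hash would normally be the value you copied from the Portal.

```python
"""Verify a downloaded package against the SHA256 hash shown in the Download File pop-up.

Added example, not part of the Spectra Assure Portal or its docs. The sample file
and its digest are constructed in-process to stand in for a real download.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large packages need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_expected(path: str, expected_hex: str) -> bool:
    """True if the file's SHA-256 equals the hash copied from the Portal.

    The copied value is normalised (surrounding whitespace stripped, case folded)
    and compared in constant time so the check behaves the same on mismatch.
    """
    actual = sha256_of_file(path).lower()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> tuple[bool, bool]:
    """Constructed sample: a small file whose digest plays the role of the pop-up hash.

    Returns (result with the correct hash in upper case, result with a wrong hash).
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example-package.zip")  # constructed file name
        with open(path, "wb") as handle:
            handle.write(b"constructed sample package contents\n")
        copied_from_popup = sha256_of_file(path).upper()  # stands in for the Portal value
        return matches_expected(path, copied_from_popup), matches_expected(path, "0" * 64)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see `(True, False)`: the first check accepts the correct hash even when the copied text differs in case, the second rejects a wrong one.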

Delete a file

You can delete any software package belonging to your groups from the Actions menu. You should take into account that deleting the software package removes all its related metadata. Therefore, if you want to keep the reports of your deleted packages, you need to export them.

NOTE

You can export only the SBOM (in either CycloneDX or SPDX format) and Issues (in SARIF format) from the Report page.

Approve or reject a file

All Portal users can see the file approval status, but only users with the Organization Administrator, Organization Security, and Group Owner roles can approve, reject, or revoke approval for software packages.

By default, all software packages await approval when uploaded to the Portal. If you have the appropriate role and have thoroughly reviewed your software report after a scan, you can assign one of the following approval statuses to your software:

  1. Approved, when no policies have failed during analysis or when some policies did fail but you subsequently either accepted the potential risk or manually suppressed those policies
  2. Approval Rejected, when the software should be restricted from deployment since it poses a considerable risk to your organization even after all possible actions have been taken
  3. Approval Revoked, when:
    • the software has been incorrectly or inadvertently approved,
    • the software can be replaced by an alternate software (e.g. a later version) posing a lower security risk,
    • the policy configuration has been modified, or
    • a new threat impacting components of the software has been identified

From the Actions menu, you can approve only the software tagged as "Requires Approval" or "Approval Rejected". Once you update the approval status for the software, you cannot change it back to "Requires Approval". Any change in approval status requires you to state a valid reason to support your choice.

When you approve software, it can be downloaded by any Portal user and its approval can be revoked at any moment. If you revoked the software approval, Portal users can neither reapprove it nor download it. This kind of software should be removed from the production environment to avoid future use.

You can only reject the software that has not been approved yet. If you already rejected the software but you want to change the rejection reason, you need to reject it again with a new reason.
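The approval rules above are spread over several paragraphs, so here they are collected into one small model. This is an added example, not the Portal's implementation and not its API: it encodes only the transitions the page states (approve from Requires Approval or Approval Rejected, reject only unapproved software, re-reject with a new reason, revoke only approved software, no way back to Requires Approval, no reapproval after revocation, a reason required for every change), plus the download rule from the Download a file section. The role name "example-non-approver-role" is a placeholder; the page names only the three roles that can change approval status.

```python
"""Model of the File Stream approval lifecycle described on this page.

Added example, not the Portal's own code. It validates status changes against the
rules stated in the text; the non-approver role name is a constructed placeholder.
"""
from dataclasses import dataclass, field

REQUIRES_APPROVAL = "Requires Approval"
APPROVED = "Approved"
REJECTED = "Approval Rejected"
REVOKED = "Approval Revoked"

# Roles the page names as able to approve, reject or revoke.
APPROVER_ROLES = {"Organization Administrator", "Organization Security", "Group Owner"}

# Allowed status changes, taken from the page:
#  - approve only software tagged Requires Approval or Approval Rejected
#  - reject only software not yet approved; re-rejecting with a new reason is allowed
#  - revoke only approved software; revoked software cannot be reapproved
#  - nothing ever returns to Requires Approval
ALLOWED = {
    REQUIRES_APPROVAL: {APPROVED, REJECTED},
    REJECTED: {APPROVED, REJECTED},
    APPROVED: {REVOKED},
    REVOKED: set(),
}


def transition_allowed(current: str, new: str) -> bool:
    """True if the page permits moving from `current` to `new`."""
    return new in ALLOWED.get(current, set())


@dataclass
class PackageApproval:
    status: str = REQUIRES_APPROVAL
    history: list = field(default_factory=list)  # (old, new, role, reason) records

    def change(self, new_status: str, role: str, reason: str) -> str:
        """Apply an approval change, enforcing role, reason and transition rules."""
        if role not in APPROVER_ROLES:
            raise PermissionError(f"role {role!r} cannot change approval status")
        if not reason or not reason.strip():
            raise ValueError("every approval change needs a stated reason")
        if not transition_allowed(self.status, new_status):
            raise ValueError(f"cannot change {self.status!r} to {new_status!r}")
        self.history.append((self.status, new_status, role, reason))
        self.status = new_status
        return self.status

    def downloadable_by(self, role: str) -> bool:
        """Approver roles may download any file; everyone else only approved files."""
        if role in APPROVER_ROLES:
            return True
        return self.status == APPROVED


def demo() -> PackageApproval:
    """Walk one package through reject, re-reject, approve and revoke."""
    pkg = PackageApproval()
    pkg.change(REJECTED, "Group Owner", "unresolved high-severity issues")
    pkg.change(REJECTED, "Group Owner", "updated reason: policy failure confirmed")
    pkg.change(APPROVED, "Group Owner", "risk accepted after review")
    pkg.change(REVOKED, "Organization Security", "new threat identified in a component")
    return pkg


if __name__ == "__main__":
    for record in demo().history:
        print(record)
```

Running the script prints the four recorded changes; attempting `change(APPROVED, ...)` on the revoked package afterwards raises `ValueError`, matching the page's statement that revoked software cannot be reapproved.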