
Insights

Insights provide a high-level overview of issues present in the Projects of your group. This helps you promptly recognize the most prevalent problems in your codebase and prioritize your work to address the most critical gaps.

This feature is available to all users in a Portal instance, regardless of their user role. However, CISOs and similar high-level profiles, as well as security specialists, will find the most value in the information provided on the Insights page since it offers:

  • Clear visibility into issues, allowing you to understand which issues are present in your Portal instance
  • Increased flexibility, allowing you to adapt the search to your needs. In other words, you can promptly search across different types of issues and focus on specific projects and packages, or even versions
  • Efficient, targeted filtering, allowing you to quickly identify issues that need to be triaged
  • Centralized information, giving you all the relevant details in one place to efficiently triage the detected issues

All pages on the Portal share a header from which you can switch between various groups you belong to, and the tabs for each Portal page you can alternate between: File Stream, Projects, Insights, and Policies.

The Insights page is divided into two main parts: the sidebar and the search results (insights).

The sidebar is always present on the Insights page. It is found on the left-hand side of the page and is used to move between different searches.

From the sidebar, you can also start a new search, as well as edit and access your saved searches from every group you're a part of, and access the pre-determined quick searches. This is possible even when switching between the groups.

If no custom saved searches exist, the landing page of Insights is the page for the first search in the list (the Analyst vetted malware quick search in the Malware category).

Every time you run a search, you get a list of issues matching the selected search filters. These search results are also called insights.

What are searches?

Searches are a collection of filters targeting your current group on the Portal instance.

Searches can be either user-specific (My searches) or default (Quick searches). Depending on their filters, user-specific searches apply either to one specific group or to any of your groups on the Portal instance.

The scope of user-specific searches is determined by the selected filters. Users can select any combination of filters in the following categories:

  • Group - Project Name, Project Version
  • Version - Version Platform, Version Category, Version Released, Version Status, Version Approval, Latest Released, Reproducibility, Release Date
  • Component - Component Name, Component PURL, Component Path, Component Publisher, Component License, Component Tags
  • Report - SAFE Assessment, SAFE Level Blockers
  • Issues - Issue Category, Issue Status, Issue Priority, Issue Identifier
  • Vulnerabilities - CVE Identifier, Vulnerability Name, Vulnerability Severity, Vulnerability Tags, CWE Identifier
  • Malware - Malware Verdict, Malware Platform, Malware Type, Malware Family
  • Secrets - Secret Identifier, Secret Endpoint, Secret Liveness
  • Licenses - License SPDX ID, License Family

A search is tied to a specific group if any filter from the Group category has been selected. Filters from other categories match general issues and can be used in any of your groups on the Portal instance.

Depending on the filter, the following operators are available:

  • is
  • is not
  • is any
  • is not any
  • all of
  • before and after (for date filters)

Search results are called insights. They are refreshed automatically every time a filter is added or removed, or whenever the package reports change. This also means that once a project, package, or version is deleted, the issues related to it are removed from the Insights page.
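To make the filter and operator semantics concrete, here is an added example (not code from the Portal or from ReversingLabs) that models a search as a list of filters combined with AND, applies the operators listed above to a few constructed sample issues, and checks whether a search is tied to a group. The issue field names, the tag values such as "exploited" and "mitigated", and the way multi-valued attributes are represented are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any

# Filters in the "Group" category (Project Name, Project Version) tie a search
# to one group; any other filter can run in any of your groups.
GROUP_FIELDS = {"project", "version"}

# Constructed sample issues; field names are assumptions for this example,
# not the Portal's data model.
ISSUES = [
    {"id": 1, "group": "fintech", "project": "payments", "version": "2.3.0",
     "category": "Vulnerabilities", "severity": "critical",
     "tags": frozenset({"exploited", "network"}), "released": date(2024, 3, 1)},
    {"id": 2, "group": "fintech", "project": "payments", "version": "2.4.0",
     "category": "Vulnerabilities", "severity": "high",
     "tags": frozenset({"network"}), "released": date(2024, 6, 15)},
    {"id": 3, "group": "platform", "project": "gateway", "version": "1.0.0",
     "category": "Vulnerabilities", "severity": "critical",
     "tags": frozenset({"exploited", "mitigated"}), "released": date(2023, 11, 20)},
    {"id": 4, "group": "platform", "project": "gateway", "version": "1.1.0",
     "category": "Secrets", "severity": "medium",
     "tags": frozenset(), "released": None},  # not yet released
]


@dataclass(frozen=True)
class Filter:
    field: str   # which issue attribute the filter targets
    op: str      # one of the operators listed above
    value: Any   # a scalar, a list of values, or a date for before/after


def matches(issue: dict, flt: Filter) -> bool:
    """Evaluate one filter against one issue.

    Multi-valued attributes (tags) are frozensets: "is any" means at least
    one listed value is present, "all of" means every listed value is present.
    """
    actual = issue.get(flt.field)
    multi = isinstance(actual, frozenset)
    if flt.op == "is":
        return actual == flt.value
    if flt.op == "is not":
        return actual != flt.value
    if flt.op == "is any":
        wanted = set(flt.value)
        return bool(actual & wanted) if multi else actual in wanted
    if flt.op == "is not any":
        wanted = set(flt.value)
        return not (actual & wanted) if multi else actual not in wanted
    if flt.op == "all of":
        return multi and set(flt.value) <= actual
    if flt.op == "before":
        # Unreleased versions carry no date, so date filters never match them.
        return actual is not None and actual < flt.value
    if flt.op == "after":
        return actual is not None and actual > flt.value
    raise ValueError(f"unknown operator: {flt.op}")


def run_search(issues: list, filters: list) -> list:
    """Return the ids of the insights: issues matching every filter (AND)."""
    return [i["id"] for i in issues if all(matches(i, f) for f in filters)]


def is_group_specific(filters: list) -> bool:
    """A search is tied to one group as soon as a Group-category filter is used."""
    return any(f.field in GROUP_FIELDS for f in filters)


# A toxic-style combination (assumed shape): critical vulnerabilities that are
# tagged as exploited and carry no mitigation tag. Adding filters only narrows.
TOXIC = [
    Filter("category", "is", "Vulnerabilities"),
    Filter("severity", "is", "critical"),
    Filter("tags", "all of", ["exploited"]),
    Filter("tags", "is not any", ["mitigated"]),
]

if __name__ == "__main__":
    print(run_search(ISSUES, TOXIC))                   # [1]
    print(is_group_specific(TOXIC))                    # False: usable in any group
    print(is_group_specific(TOXIC + [Filter("project", "is", "payments")]))  # True
```

Each added filter can only remove matches, which is why refining a search from an insight card never grows the result set, and why a search becomes group-bound the moment a Project Name or Project Version filter enters the list.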

My searches

User-specific searches (or "My searches") can find results in:

  • current group, when the search filters target a specific package or project that belongs to a certain group
  • any group, if the search filters target general issues, components, and version properties that can belong to any package uploaded to any of your groups on the Portal instance

They are tied to users, not groups. This means that only the user who created and saved a search can see, use, and edit it.

These searches can be shared with other users on the Portal instance by copying the search link from the Actions menu in the sidebar. To use the search, the user who receives the link first needs to save it to their profile.

All saved searches will be present in the sidebar at all times, no matter if they're tied to a specific group or not. If you try to open a group-specific search while in a different group, you'll be prompted to switch to the appropriate group so the search results can be shown.

Quick searches

Quick searches are default searches with pre-combined filters for a specific use case. They are crafted by our experts to address the most frequent needs and offer a great starting point for exploring and understanding how Insights work.

In other words, these searches run against the group currently selected in the Portal header, but are specifically designed to cover the most prominent use cases.

The quick searches have been divided into categories, depending on the issues the filters are targeting. These categories are, in the order they appear in the UI:

  • Malware - used to identify malicious and suspicious software components to prevent threats from reaching production
  • Tampering - check software for any indicators of tampering and software supply chain compromise
  • Secrets - used to detect any sensitive information that may be present in your software packages
  • Vulnerabilities - help users prioritize vulnerabilities based on additional parameters outside the vulnerabilities themselves
  • Hunting - used for classical threat hunting, helping users find threats before they become known
  • License - used to detect compliance issues

Under quick searches, there are also toxic combinations. Toxic combinations are pre-determined combinations of filters that increase the urgency of issue remediation. These issues should be triaged first because no relevant mitigation for the detected vulnerabilities has been found. All quick searches targeting these issues have the Toxic label in their name.

Editing filters for quick searches

As with custom searches, filters for quick searches can also be added or removed. This does not change the pre-determined search; instead, it creates a new custom search with all selected filters. You can then either save or discard the change. When saved, the new search can be found under My searches and can be used in any group. The quick search you added the filter to remains untouched.

Search results (insights)

Search results are a list of issues matching the selected search filters. They are also referred to as "insights".

The Insights page header shows the following:

  • which search you have open
  • which filters have been used to get the results
  • which group the search is targeting
  • how many insights have been found
  • details on each insight

From the page, you can also order the results by the following values from the Sort By dropdown:

  • affected packages
  • affected versions
  • effort

Each search result is an expandable card.

Insight card details

Each insight card contains the following information:

  • issue name and its CI/CD status
  • risk the issue causes
  • effort required to remediate the reported issue
  • SAFE Level
  • short issue description
  • clickable filters that can make the search more specific
  • details on the affected packages and versions, and whether the affected versions have been released or not

Hovering over the (i) icon next to the effort shows you how it's calculated.

All search terms (filters) can be added to the search query with one click. This action refines the search and can reduce the number of matches.

Details on the affected packages and versions allow you to decide whether the release process needs to be stopped because a released version is affected, or whether the issue can be remediated before the version is released to the public.

When expanded, insight cards allow you to promptly see which versions are affected by the issue and how the issue can be resolved. The expanded card provides the information described in the following sections.

Each insight card can be zoomed in from the window button in the upper right corner of the header. This allows you to put the focus on the issue itself. Once zoomed in, you can also hide the issue header with basic information on the issue.

Affected Versions

The Affected Versions graph indicates how many versions of the package have been affected by the issue over time.

The versions in this graph can be grouped by:

  • Upload Date, showing when the affected versions have been uploaded
  • Release Date, showing how the issue is affecting releases by their release date
  • Approval Date, showing if the versions have been approved when the issue arose

From each view in the graph, you can see at a glance how many affected versions have a PASS or FAIL status at a certain point in time. Hovering over the graph shows the precise number of versions that passed and failed.

The information provided here allows you to plan and gauge the urgency of that particular issue.

Affected Components by Age

The Affected Components by Age graph is similar to the Affected Versions graph.

It visualizes the timeline of when each affected component was introduced into the analyzed software package. The information about component age helps you assess the potential for software decay and understand how introduced risks are distributed over the years.

The most likely age of a component is calculated by taking the oldest of the following dates:

  • When the file was first seen in the ReversingLabs Cloud
  • When the file was compiled (excluding reproducible builds)
  • When the file was created or modified on the filesystem (archives and disks)
  • When the file was signed and countersigned for time-stamping

Publish dates on which no components were introduced are excluded from the chart.

Hovering over the Affected Components by Age graph shows the number of components that passed and failed per publish date.
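As an added example (not code from the Portal or from ReversingLabs), the following Python reproduces the age calculation described above over a few constructed components and bins them into the per-year pass/fail counts the chart shows, skipping the compile timestamp for reproducible builds and leaving out years in which nothing was introduced. The field names, the per-component pass/fail status, and the sample dates are assumptions made for this example.

```python
from collections import defaultdict
from datetime import date
from typing import Optional

# Constructed sample components; field names and the pass/fail status per
# component are assumptions for this example, not the Portal's data model.
COMPONENTS = [
    {"name": "libcrypto.so.1.0.0", "status": "fail",
     "first_seen": date(2022, 5, 1), "compiled": date(2015, 2, 10),
     "fs_modified": date(2022, 4, 30), "signed": None, "reproducible": False},
    {"name": "installer.exe", "status": "pass",
     # Reproducible build: the compile timestamp is pinned to a fixed value
     # (here the Unix epoch) and says nothing about when the file was built.
     "first_seen": date(2023, 1, 12), "compiled": date(1970, 1, 1),
     "fs_modified": date(2021, 8, 9), "signed": date(2021, 8, 10), "reproducible": True},
    {"name": "vendor.dll", "status": "fail",
     "first_seen": date(2019, 3, 3), "compiled": date(2019, 3, 1),
     "fs_modified": None, "signed": date(2019, 3, 3), "reproducible": False},
    {"name": "helper.py", "status": "pass",
     "first_seen": date(2024, 2, 2), "compiled": None,
     "fs_modified": None, "signed": None, "reproducible": False},
]


def most_likely_age(component: dict) -> Optional[date]:
    """Oldest available date among the sources listed on the page.

    First-seen, filesystem and signing dates always count; the compile date
    is only trusted for non-reproducible builds. Returns None when no date
    is known at all.
    """
    candidates = [component.get("first_seen"),
                  component.get("fs_modified"),
                  component.get("signed")]
    if not component.get("reproducible"):
        candidates.append(component.get("compiled"))
    known = [d for d in candidates if d is not None]
    return min(known) if known else None


def age_histogram(components: list) -> dict:
    """Pass/fail counts per introduction year; years with no components are absent."""
    hist = defaultdict(lambda: {"pass": 0, "fail": 0})
    for component in components:
        introduced = most_likely_age(component)
        if introduced is None:
            continue  # nothing to date the component by, so it cannot be charted
        hist[introduced.year][component["status"]] += 1
    return dict(hist)


if __name__ == "__main__":
    for component in COMPONENTS:
        print(component["name"], most_likely_age(component))
    print(age_histogram(COMPONENTS))
```

The `libcrypto.so.1.0.0` entry shows why the oldest date wins: it was first seen by the cloud in 2022, but its compile timestamp places it in 2015, so it is charted as a seven-year-old component that is still failing. The `installer.exe` entry shows the reproducible-build exclusion: taken at face value its epoch compile timestamp would date it to 1970, so the filesystem date is used instead.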

Top 10 Affected Publishers

This chart displays the number of software publishers affected by the issue in question.

It gives insight into the prevalence of the issue among publishers. In other words, it answers the question of whether the issue is confined to a single publisher or spread across several.

Top 10 Affected Communities

This chart displays the number of communities affected by the issue in question.

It gives insight into the prevalence of the issue across communities. In other words, it answers the question of whether the issue is confined to a single community or spread across several.

Versions

The Versions table is similar in appearance to the one on the Projects page. It displays all versions affected by the issue targeted by the selected search filters.

For each version, you can promptly see its details:

  • Info - a dropdown containing version metadata, its SAFE Assessment, the SAFE Levels chart, and a list of components affected by the issue. Clicking on the file name in the list of components takes you directly to the Components > File Info part of the SAFE report
  • Status - the overall CI status (pass or fail) of the package version
  • Approval - if the package version was approved (manually or automatically) or rejected for use in your organization, if its approval was revoked, or if it's still awaiting approval
  • pURL - a hyperlink indicating the name of the project, package, and the version affected by the issue. Clicking on it takes you directly to the Summary page of the version report
  • SAFE Assessment - a summary of key risks or safety concerns found in your software
  • Released - the release date of a package version

Next steps

To learn how to work with searches on the Insights page, go to the Insights workflows page.