Skip to main content

Spectra Assure Portal Release Notes

This page is a chronological overview of the most important features and improvements across Spectra Assure Portal product releases.

You can always check the list of the most recent major features by clicking "Feature spotlight" in the footer of your Portal instance.



Expanded License Coverage​

New policies have been added to detect and report issues with software licenses, such as the presence of copyleft licenses, restricted licenses, and licenses with aggressive enforcement.

Integrity and Diagnostics​

New policies have been added to report data integrity issues and information about errors or warnings encountered by the scan engine when unpacking files or analyzing content.

Disk Image Formats​

The Spectra Assure scan engine can now unpack VMDK, OVA, VDI, VHD, and VHDX disk image formats that use a Windows (FAT/NTFS) or Linux (EXT) file system.

PHP/Packagist Support​

Spectra Assure now includes vulnerability detection for PHP open source libraries hosted on

Python SDK​

We have published a Python-based SDK as a wrapper for the Spectra Assure Portal API. Customers can leverage the SDK to expedite integrations with external systems.



Spectra Assure users can now download vulnerability data in CSV format using the "Export" button within the report banner. These "RL-CVE" reports enable offline preservation of software vulnerability data for audit purposes and facilitate information sharing for stakeholders who do not maintain access to the portal.

Automatic CVE Triage​

Spectra Assure now automatically triages CVEs identified in package dependencies when vulnerable code is not present in the Software Bill of Materials. This enhancement improves the solution's detection efficacy and minimizes the burden of manual review. Automatically suppressed vulnerabilities appear with a tag β€œTriaged” in the report.


Configurable Shareable Reports​

Spectra Assure users now have the option to configure shareable reports. This includes the ability to password protect reports, as well as restrict the ability to download related outputs of the analysis (software package, SBOM in CycloneDX or SPDX, or SARIF). These new configurable shareable reports foster transparency between software publishers and enterprise buyers while enabling granular control of the sensitive information uncovered during analysis.


Spectra Assure Now GA​

We are thrilled to announce the renaming of ReversingLabs SSCS to Spectra Assure for General Availability (GA). This change is a reflection of our commitment to continued innovation within the product, aiming to provide our customers with the best possible user experience.

Threat Hunting​

Users can now apply threat hunting (TH) policies to detect a software compromise based on the presence of malicious behaviors, suspicious network references, and other common attack indicators in a single package. These new policies will help quickly surface indicators of software tampering to the user.

Enhanced Differential Analysis​

The solution can now detect software tampering by identifying when new behaviors resembling previously known attacks are introduced between two release versions. By categorizing behaviors of these high-profile attacks, ReversingLabs can help organizations ensure future release versions are protected from compromise.

New Behavior Metadata​

The β€œBehavior” tab in the report now includes metadata that describes how each behavior is commonly triggered and the prevalence of the behavior in the Open Source Community from which the component exhibiting the behavior was sourced. New filters have also been added to navigate and sort by behaviors with ease.


Shareable Reports​

Users can now share reports of a specific software package version for a limited time from the Projects page with individuals who do not have an SSCS Portal account. The workflow provides options for different link expiration timeframes and the ability to stop sharing at any time.

This capability facilitates seamless collaboration with external parties for various use cases. A software producer could share a report with a supplier identifying an issue for resolution. A software buyer could share a report with an auditor for visibility into specific analysis results.


Secrets Liveness Check​

Users can now validate whether detected secrets are active and subject to abuse. This liveness check helps automatically triage leaked secrets by understanding if they are usable and require further protection or if they have been revoked or expired. This analysis option enables users to accelerate their review process, making informed decisions on secrets which present the most significant risk.

New Secrets Tab​

Sensitive information metadata is now displayed in a single view. This new tab introduces filters to make secrets more accessible, eliminating the hassle of navigating through several report layers to locate an exposed secret.

Enhanced Threat Detection​

The Spectra Assure platform has expanded its detection capabilities to incorporate results from dynamic analysis. RL Cloud Sandbox is now leveraged as an additional reputation source for threat detection.

Left-Hand Report Navigation​

Analysis reports now feature a left-hand navigation to improve ease of review. This enhancement drives more efficient investigation, enabling users to access required information without the need to search or scroll. Users can choose to minimize the navigation bar, increasing the visibility of the relevant results.


Expanded Project Capacity​

To further expand the scale of the SSCS Portal, we have increased the number of possible packages across the organization to 10,000.

Enhanced Member Visibility​

To provide administrators with better visibility into account usage, the Members tab now indicates the last activity date for each user.

Cryptographic Hash Upgrade​

We employ cryptographic hashes to definitively identify components and files, since names and other labels may be inaccurate. We're upgrading all hash references to SHA-256 to virtually guarantee unique identification.


Reproducible Builds​

We are thrilled to introduce the Reproducible Builds feature in this release β€” a significant step towards enhancing the security of your software development pipeline. This feature allows you to effortlessly detect and prevent build tampering, as it automatically verifies the integrity of your CI/CD system by comparing the behaviors of software compiled in separate build environments.

Move Files to Projects​

We have enhanced our file management capabilities, allowing you to move files from the File Stream tab to the Projects tab. With this improvement, you can seamlessly enjoy the benefits of Projects without the need to re-upload files, thus saving your analysis quota.

Enabling ReversingLabs Levels​

Levels are predefined sets of policy controls designed to help you gradually enhance your software security. We have completed the beta period for Levels and are now enabling them for all projects and file streams. The default level applied will match existing behavior and preserve policy overrides without changing analysis results.

New Policy: Detect Political Protest Messages​

Ensure software compliance with proactive checks to identify and flag components containing political protest messages, preventing unintentional distribution of sensitive or harmful content.


Known Exploited Vulnerabilities (KEV)​

The Spectra Assure platform now supports the CISA Known Exploited Vulnerability (KEV) catalog as a source for vulnerabilities assigned the "Patch Mandated" prioritization tag.

New Public APIs​

With new Public API endpoints, you can update and delete projects, packages and versions, and view all projects for any group. To get started, first generate a personal access token in your User Settings, then check the full API reference for details on how to use the APIs.

Duplicate File Upload Check​

If the file you're uploading has already been analyzed, the Portal now warns you that a duplicate record exists, and offers to navigate you to the existing report. This check is performed both in the File Stream and in Projects tabs. If required, you may dismiss the warning and continue with the file upload.

Download Capacity Indicator​

You can now monitor the volume of download capacity that you organization has used on the Analysis Capacity page found within the Settings tab. Download quota is spent for every file downloaded from File Stream and Projects, and the quota is reset monthly.



The Spectra Assure platform brings improved vulnerability detection thanks to new open source vulnerability data, and better vulnerability tracking across software versions and components. In Portal reports, this information is now in a separate Vulnerabilities tab with better filtering and clearer prioritization.

Public APIs​

Automate common actions like uploading packages, creating projects, and exporting different report formats with the new Portal APIs. To get started, first generate a personal access token in your User Settings, then check the full API reference for details on how to use the APIs.

Approved Software Download​

Portal users can now download previously approved software as part of the third-party software risk management workflow. If a file has been approved, you can download it from the actions menu.

Observer Role​

Let your users explore the portal in read-only mode without risk of unwanted changes. Administrators and Group owners can assign the Observer group role to any user from the Group page.



Approvals help your teams manage risk from third-party software and mark files as safe to use. You'll notice this new feature in every file row, where you can click the Actions button to grant or reject approval for each uploaded file.

ReversingLabs Levels​

Levels are optional, predefined sets of policy controls that help you gradually improve your software security. Decide which security goals you want to achieve and choose the corresponding level on the policy configuration settings page.


Single Sign-On will help you manage access to your Spectra Assure organization and control user permissions from a central place. Set it up on the SSO configuration page.