ReversingLabs SAFE report

The ReversingLabs SAFE report is an analysis report created by Spectra Assure products using the advanced, unique ReversingLabs technology to unpack software binaries, extract deep layers of metadata, and detect software supply chain risks. Its purpose is to capture the risk assessment, as well as to provide improvement guidance through Levels and mitigation guidance through Issues.

The SAFE report shows detailed analysis results for each software package version uploaded to your Portal instance or analyzed with rl-secure. It is also the only report format that can contain diff information.

The SAFE report can be bundled with all the available report types and saved as the RL-SAFE archive. This portable archive format can either be generated with the rl-safe pack command or exported from the Portal. Viewing the SAFE report from the archive is possible only with the dedicated SAFE Viewer application.

When the SAFE report is generated with the rl-secure report command, it comes in the form of a standalone HTML file saved to the initialized package store. This report can then be freely shared with others or regenerated after configuring the analysis settings. When a package version is deleted, so is its report.

On the Portal, the SAFE report is the default report you can access for any software package version uploaded and analyzed by you or the members of the group you belong to. This is possible for files on the File Stream and Projects pages. The reports for software package versions on the Projects page can be shared with others directly from the Report page.

The look and feel of the SAFE report remains constant across all Spectra Assure products. This means that a standalone report generated with rl-secure includes the same elements as the complete report you share with others via the Portal UI, open directly from the Portal, or export and view in the SAFE Viewer app.

No matter where you open the report from, you always land on the report summary page. This page is also known as the risk analysis report since its purpose is to give users insight into the quality of their software at a glance, without going into too much detail. From this summary, users of all levels of experience and knowledge are able to infer the risks the analyzed software carries and any evident issues that are cause for concern.

Vendors and auditors will benefit the most from the information contained in the report. The report provides vendors with all information they need to identify issues for resolution. To auditors, it offers deeper visibility into third-party software risk while providing all software provenance information required for compliance purposes.

How to access the SAFE report

The SAFE report can be accessed from the following Spectra Assure products:

  • CLI
    • using the rl-secure report rl-html command
    • using the rl-safe pack all command and opening the archive with the SAFE Viewer
  • Portal
    • by selecting analyzed software packages on File Stream and Projects
    • by exporting the RL-SAFE archive and opening it with the SAFE Viewer
  • Portal APIs

CLI

After successfully scanning the desired file, the next step is saving the complete analysis report. The following example saves it as a standalone HTML report:

Input

rl-secure report rl-html pkg:rl/my-project/my-package@v1 --output-path .

Output

Software my-project/my-package@v1
Exporting results to: .
rl-html report ... done

To work with the saved report, access the location where you exported it. By default, the report file is named sdlc.html and placed into the automatically created rl-html directory. The __deps subdirectory contains all assets required to display the SAFE report.

Portal

On the Portal, you can view the SAFE report for any file uploaded by you or any member of the groups you belong to. The report is available for all version files uploaded to File Stream and Projects.

File Stream

On the File Stream, the report can be accessed in multiple ways:

  • from the Info dropdown, by selecting the View Report option
  • from the Software table, by selecting the name of the software package version
  • from the Actions menu at the end of each table row, by selecting the View Report option
Projects

On the Projects page, you can get the report in any of the following ways:

  • from the Info dropdown, by selecting the Details option for the desired artifact report. For the main report, select Show all checks > Software package analysis Details. If any other checks have been performed for the package version, they can also be accessed from here
  • from the Releases table, by selecting the software package version in the Version field
  • from the Actions menu at the end of each table row, by selecting the View Report option
No matter how you choose to access the SAFE report or from which Portal page, it will always open inside a new tab in the navigation header of the Portal. Once you're on the report page, you can either download the software package version that has been analyzed or export the following:

  • the entire report, in the RL-SAFE format
  • SBOM, in either the CycloneDX or SPDX format
  • Issues, in the SARIF format
  • Vulnerabilities, in the RL-CVE format
  • Networking, in the RL-URI format

Portal API

The Spectra Assure Portal API can export the entire SAFE report with the Export RL-SAFE archive endpoint. This report is in the RL-SAFE archive format and can only be viewed with the SAFE Viewer.

Another way to access the SAFE report is to get the permanent URL of a software package version with the Show analysis status endpoint. The URL field in the response (report.info.portal.reference) encodes the exact position of the file in the Portal UI, making the file and its report easier to find. You can then use the Portal to open the report or share it with others.
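As an added example (not ReversingLabs code), the snippet below shows how a client might pull the permanent report URL out of a Show analysis status response. The only thing taken from the page is the field path report.info.portal.reference; the surrounding JSON structure, the sample responses and the Portal host name are constructed assumptions. It tolerates a response where the analysis has not finished (the field is simply absent) and checks that the returned reference is an https URL on the Portal host you expect before you open or share it.

```python
from urllib.parse import urlsplit

# Constructed sample responses. Only the nested path
# report.info.portal.reference comes from the documentation; everything
# else here is an assumption made for this example, not the real schema.
STATUS_DONE = {
    "report": {
        "info": {
            "portal": {
                "reference": "https://portal.example.invalid/projects/my-project/my-package/v1"
            }
        }
    }
}
# Analysis still running: the portal block is not present yet.
STATUS_PENDING = {"report": {"info": {}}}

REFERENCE_PATH = ("report", "info", "portal", "reference")


def get_portal_reference(status, path=REFERENCE_PATH):
    """Walk the dotted path; return None if any level is missing or empty."""
    node = status
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) and node else None


def is_trusted_portal_url(url, allowed_host):
    """Accept only an https URL whose host is the Portal instance we expect."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == allowed_host


def report_link(status, allowed_host):
    """Return the report URL, None while pending, or raise on an unexpected host."""
    ref = get_portal_reference(status)
    if ref is None:
        return None
    if not is_trusted_portal_url(ref, allowed_host):
        raise ValueError(f"unexpected report reference: {ref}")
    return ref


if __name__ == "__main__":
    print(report_link(STATUS_DONE, "portal.example.invalid"))
    print(report_link(STATUS_PENDING, "portal.example.invalid"))
```

Keeping the host check separate from the lookup makes it easy to reuse the same extraction for other fields of the status response while still refusing to hand a URL from an API response to a browser or a chat tool without confirming where it points.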

Parts of the SAFE report

The report can be divided into two main parts: the sidebar and the report content.

The sidebar on the left-hand side of the Report page is used for navigating between different parts of the report. It is always visible, which means you can access it from every category in the report. To focus more on the contents of the report, the sidebar can also be collapsed, which does not hinder the access to the relevant elements.

The report sidebar contains items in the following order:

  1. The CI/CD status graphic for the analyzed package version
  2. Full name of the package version, including its extension
  3. Type of the analyzed package version (see the list of supported file formats)
  4. Size of the package version (in MB)
  5. A copiable SHA256 hash of the package version
  6. A list of pages found in the report (each page is described in the Report pages section)

Report pages

The SAFE report consists of various pages, each offering a detailed account of items relevant for every category. These pages can always be accessed from the left-hand side of the report screen, no matter where you are in the report.

All information on your analyzed package version is organized in the following way:

  1. Summary - an overview of crucial information organized by category
  2. Bill of Materials - a comprehensive list of dependencies and components found in the analyzed package version
  3. Triage - a category covering all identified gaps in your software that need evaluating and addressing
    • Issues - details on each violated policy with advice on how to resolve any issues
    • Vulnerabilities - details on every identified vulnerability in the package version
    • Secrets - details on all sensitive information found in the analyzed package version and advice on how to deal with them
  4. Audit - a category covering all information used to assess the quality of the software
    • Behaviors - a comprehensive list of potentially malicious behaviors detected in the package version
    • Signatures - information on certificates attached to the package version
    • Networking - a comprehensive list of URIs detected in the package version
    • Components - hierarchical structure of all folders and files inside the package version
    • Licenses - a list of all licenses identified in the package version
    • Policies - a list of all policies on the Portal and audit information on each
    • File Statistics - a graph showing the number of files per filetype extracted from the package version

Summary and Bill of Materials are standalone pages, while other pages are organized into categories depending on their purpose. Every time you open the SAFE report for any analyzed software package version, the Summary page is shown by default.

The list of pages in your SAFE report depends on whether you're looking at the main artifact report, the report that includes differential analysis results, or the report for a reproducible build artifact.

Version with a diff

When looking at a report with differential analysis results, the report sidebar includes the Version diff category with additional pages - Issues and Files.

The Version diff > Issues page displays all issues that were either resolved or introduced since the last version. You can filter the issues by category and expand every issue to show more details about it, including the files newly impacted by introduced issues. It's important to differentiate this page from the Triage > Issues page, which shows all detected issues in the version whose report you're viewing.

The Version diff > Files page displays all files that were modified between versions. You can filter the files by name and change type, and expand each file to show additional information, including a detailed list of changes. This makes it easier to pinpoint the exact elements of your software that have been modified.

Reproducible builds

Reports for reproducible build artifacts include the Reproducibility page under the Audit category. This page indicates the reproducibility check status and shows a summary of differences between the reproducible build artifact and the main artifact ("Reference Version" in the report).

If the reproducibility check failed, the changes that caused it are listed in the report and can be filtered by type. If any files have been modified between the main artifact and the reproducible build artifact, they are listed in the report and can be filtered by type of change. In other words, you can show only files that have been added, removed, or modified.

Report content

Clicking on any category in the sidebar opens a new page on the right-hand side of the screen. To learn more about the contents of a specific page, select it in the following list: