Report summary

The Summary page, also referred to as the risk analysis report, is the landing page of the report. Its purpose is to give users insight into the quality of the analyzed software at a glance, without going into much detail.

From this summary, users of all levels of experience and knowledge are able to infer the risks the analyzed software carries and any evident issues that are cause for concern.

Information on the page is arranged in a top-down manner. This allows users to go from a general overview of the key risks in the analyzed software to more detailed visual elements with just a few scrolls.

Nearly all elements on the page are interactive, so users can instantly access more details on any information provided on the page. This way, users are not overwhelmed with information and can promptly identify gaps in the software. They are then able to focus their resources on resolving them, without wasting time searching for the information they need.

All report pages share a sidebar on the left-hand side, which is used for navigating between different parts of the report. It is always visible, which means you can access it from every category in the report. To focus more on the contents of the report, the sidebar can also be collapsed without hindering access to the relevant elements.

The report Summary for package versions on the Portal Projects page has an additional banner. From there you can generate links for sharing the report with people who might not have a Portal account.

At the top of every report Summary page you can find the full name of the package version, including its extension, its license, the time of its last scan, and the scan duration.

The report Summary consists of the following sections, in the order they appear on the page:

  1. Summary cards - includes the information on the worst detected deployment risks, issues, vulnerabilities, and malicious files in the analyzed software
  2. Summary panels - includes a summary of key software safety concerns per risk assessment category, SAFE Levels graphic (for the main package version artifact only), and a list of checks performed against all artifacts in the version
  3. Charts - includes charts displaying detected issues, a vulnerability exploitation lifecycle with the most critical vulnerabilities for each stage detected in your software, detected malicious components, and key risks or safety concerns per risk assessment category

Disabled risk categories

If any entitlement restrictions are imposed on your license, every disabled risk category is greyed out. In this case, the disabled category data is not included in the report and cannot be accessed.

Summary cards

The first things you see when you open the Summary page are the four summary cards right at the top. They show information on the most critical risks found in the analyzed software. Each card represents a specific category:

Deployment Risk card

Most critical risk detected in the analyzed software. There are six main risk categories in Spectra Assure. When there are multiple risks from different categories that can be marked as having the worst outcome for the end-user, the following order applies: Malware, Tampering, Vulnerabilities, Secrets, Hardening, Licenses. However, if any reproducibility differences exist or suspicious behavior differences are present, Tampering always takes the highest priority.
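The selection rule described above, as an added example that is not Spectra Assure's own code: the category names, the input shape (category to count) and the two override flags are assumptions made for this illustration.

```python
# Added example (not Spectra Assure's own code): models the Deployment Risk
# card's rule for choosing the single worst risk category.
# Category names and the input shape are assumptions for this illustration.

# Fixed order from worst to least severe outcome for the end user.
RISK_PRIORITY = ["Malware", "Tampering", "Vulnerabilities",
                 "Secrets", "Hardening", "Licenses"]


def worst_deployment_risk(detections, repro_differences=False,
                          behavior_differences=False):
    """Return the category shown on the Deployment Risk card, or None if clean.

    detections: mapping of category name -> number of detected risks.
    repro_differences / behavior_differences: reproducibility differences or
    suspicious behavior differences; either one forces Tampering to the top,
    regardless of the fixed order (even ahead of Malware).
    """
    if repro_differences or behavior_differences:
        return "Tampering"
    for category in RISK_PRIORITY:
        if detections.get(category, 0) > 0:
            return category
    return None  # no detections in any category


# Constructed sample: the package has secrets and a licensing problem only.
SAMPLE = {"Secrets": 2, "Licenses": 1}

if __name__ == "__main__":
    print(worst_deployment_risk(SAMPLE))                          # Secrets
    print(worst_deployment_risk(SAMPLE, repro_differences=True))  # Tampering
```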

Issues Found card

The total number of issues detected in the analyzed software, as well as how many policies have been evaluated. The Spectra Assure products evaluate all enabled policies and recognize all policy violations as detected issues. Each detected issue is counted only once per entire package, no matter how many files it's found on. Clicking on the number of evaluated policies at the bottom of the card opens the Policies page of the report with a filter set to enabled policies. The data shown here is illustrated and expanded in more detail in the Issues chart below.

Vulnerabilities card

The total number of vulnerabilities found in the analyzed software. Out of all detected vulnerabilities, it singles out the most critical one based on the following priority: Patch mandated vulnerabilities, Malware exploits, Proven exploits, Critical severity vulnerabilities, High severity vulnerabilities, Medium severity vulnerabilities, Low severity vulnerabilities. Clicking on the singled-out vulnerability at the bottom of the card opens the Vulnerabilities page of the report with a filter set to the type of the vulnerability. The data shown here is illustrated and expanded in more detail in the Vulnerabilities chart below.

Malicious Files card

The total number of malicious files in the analyzed software. At the bottom, you'll find the total number of the worst malicious or suspicious threats detected in any component of the analyzed software. Clicking on it opens the Issues page of the report with a filter set to the Malware detection policy category. The data shown here is illustrated and expanded in more detail in the Malware chart below.

Summary panels

Directly below the cards, there are three panels that allow you to quickly detect the most critical gaps in your software per category, determine the position of your software on the Levels scale, and see what checks were done on all artifacts in the version.

SAFE Assessment

A summary of key risks or safety concerns found in your software. Detected risks are grouped according to their shared characteristics:

  1. Compliance - Identified discrepancies in your software. Includes license compliance issues (Licenses) and detected sensitive information (Secrets)
  2. Security - Identified issues regarding the safety of the analyzed software. Includes detected known vulnerabilities (Vulnerabilities) and application hardening issues (Hardening)
  3. Threats - Identified issues that could cause harm to your organization. Includes evidence of software tampering (Tampering) and evidence of malware inclusion (Malware)

For each category, the number of most critical issues is stated. Clicking on that number opens the Issues page of the report with a filter set to the policy triggered by the reported issue.

This section also shows how many policies have been disabled, and lets you open the full list of policies on the Policies page.

SAFE Levels graphic

SAFE Levels provide a guided approach to improving overall software quality by pointing developers to key software safety concerns.

A SAFE Levels graphic is available on the Summary page only for the main artifact, as Levels are not applicable to reproducible build artifacts.

On this graphic, you can see the currently configured level (Scan Level) and the path to the next level your package can attain (Best Level). If the path is clear, Scan Level is highlighted and animated.

If there are issues to resolve, this section indicates their total number. Clicking Fix X issues opens the Issues page of the report with the filter set to the desired level and the Pass CI/CD status.

The number of issues per category is shown when you hover over each level badge. Clicking on that number opens the Issues page of the report with the filter set to the policies triggered by the selected issues and the Fail CI/CD status.

Scan Level can be equal to Best Level when it's the highest level your package can attain without any changes.

When Best Level is lower than Scan Level, Best Level is the actual level your package was able to attain. The package cannot attain the currently configured level until you resolve all issues between Best Level and Scan Level.

Performed Checks list

Checks performed against all artifacts in the version.

This information can also be found in the Info dropdown for a package version or displayed with the rl-secure checks command.

The following check types can be displayed:

  • Software package analysis - standard scan of the main package version artifact. Clicking on the Issues text at the end of the row leads you to the Triage > Issues page of the report
  • Diff with: <version> - comparison of the main package version artifact with another package version. Clicking on the Diff text at the end of the row leads you to the Version diff > Issues page of the report
  • Software package analysis: repro - standard scan of the reproducible build artifact. Clicking on the Repro Report text at the end of the row leads you to the Audit > Reproducibility page of the report
  • Diff with: repro - comparison of the main package version artifact and its reproducible build artifact. Clicking on the Repro Check text at the end of the row leads you to the Audit > Reproducibility page of the report
  • Reproducible build check - functional and behavioral similarity check between the main and the reproducible build artifacts. Clicking on the Repro Check text at the end of the row leads you to the Audit > Reproducibility page of the report

Clicking on the text at the far right of each performed check leads you to the corresponding page. There you can see all detected issues that determine the status of the check.

The first check (Software package analysis) is the default and always present for all analyzed package versions. Other checks are displayed only if they have actually been performed for a package version.

Every check type is assigned a label that shows the status information (pass or fail) for the check. The first two characters in the label are used to distinguish between check types:

  • L(n) - software package analysis with SAFE Levels enabled
  • CI - software package analysis with SAFE Levels disabled
  • C(n) - software package analysis with custom SAFE Levels
  • DF - comparison (diff) between package version artifacts
  • RB - reproducible build check

Charts

The last part of the Summary page is made up of the four chart sections.

The Issues, Vulnerabilities, and Malware sections list the most critical risks found during analysis, while the corresponding charts illustrate all detected issues in each category. The data found here expands the information summarized in the cards at the top of the Summary page.

The SAFE Assessment Evaluations charts provide more details on each risk category from the SAFE Assessment panel near the top of the Summary page.

Issues chart

This section surfaces the 5 most important software quality issues found during software package analysis.

These issues are selected by priority, which means that the issue with the highest priority is always at the top of the list.

Any disabled policies for your group or organization impact the analysis results. Thanks to the Failed, Suppressed, and Disabled boxes in the very center of the section, it is obvious at a single glance whether the analysis results are accurate or whether most of the issues were swept under the rug.

The radar chart at the far right of the section illustrates the total count of all issues detected during analysis per priority. This helps you prioritize issues for fixing and evaluate where the majority of your problems lie.

The entire section has elements that allow you to see more details with one click:

  1. The priority icons next to each issue on the list. This opens the Issues page of the report with a filter set to the policy triggered by the reported issue
  2. Failed, Suppressed, and Disabled boxes. This opens the Policies page of the report with a filter set either to priority and CI/CD status (in case of Failed or Suppressed) or to policy state (in case of Disabled)
  3. The priority icons on the radar chart. This opens the list of issues that have that priority on the Issues page of the report
  4. Total Issues count below the radar chart. This opens the list of all detected issues in that software package version
  5. All Issues in the upper right corner of the section. This also opens the list of all detected issues in that software package version

Vulnerabilities chart

A visual representation of a vulnerability lifecycle.

Ideally, this graph should show as few issues as possible on its right-hand side, since the red-colored phases are considered cause for concern. The graph consists of the following four stages:

  1. CVE Discovered - software composition analysis has identified one or more known vulnerabilities
  2. Exploit Exists - available threat intelligence telemetry has confirmed that the reported vulnerabilities are actively being exploited by malicious actors
  3. Exploited by Malware - available threat intelligence telemetry has confirmed that the reported vulnerabilities are actively being exploited by malicious actors. Malware code that propagates through these vulnerabilities has been created
  4. Patching Mandated - vulnerabilities are in the CISA Known Exploited Vulnerability (KEV) catalog

For each stage, you can see the top 3 vulnerabilities based on their severity. This means that known vulnerabilities of high and critical severity are listed first. Upon hover, you can see the full CVSS score and information for every detected vulnerability on that list.

A total count of detected vulnerabilities is also available for every phase, along with the number of vulnerabilities that can be fixed by updating the dependency to a newer version. Some vulnerabilities can belong to multiple phases and, as such, they contribute to the total number for every phase they belong to.
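The lifecycle placement, per-stage counts and top-3 lists described above, together with the Vulnerabilities card's priority rule from the top of the page, as an added example that is not Spectra Assure's own code. The record fields, the CVSS-to-severity bands and the constructed CVE placeholder IDs are assumptions for this illustration.

```python
# Added example (not Spectra Assure's own code). Record fields, severity bands
# and the placeholder CVE IDs below are assumptions for this illustration.
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float
    exploit_exists: bool = False        # threat intel confirms active exploitation
    exploited_by_malware: bool = False  # malware propagating through it exists
    kev: bool = False                   # listed in the CISA KEV catalog
    fixable_by_update: bool = False     # fixed by updating the dependency


STAGES = ["CVE Discovered", "Exploit Exists", "Exploited by Malware", "Patching Mandated"]
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def severity(v):
    # Assumed CVSS v3 qualitative bands.
    return "Critical" if v.cvss >= 9.0 else "High" if v.cvss >= 7.0 \
        else "Medium" if v.cvss >= 4.0 else "Low"


def stages_for(v):
    # A vulnerability counts toward every stage it has reached; malware
    # exploitation implies a proven exploit, KEV listing is independent.
    s = ["CVE Discovered"]
    if v.exploit_exists or v.exploited_by_malware:
        s.append("Exploit Exists")
    if v.exploited_by_malware:
        s.append("Exploited by Malware")
    if v.kev:
        s.append("Patching Mandated")
    return s


def lifecycle_chart(vulns, top=3):
    """Per stage: total count, fixable count, and the top-N CVE IDs by CVSS score."""
    chart = {st: {"total": 0, "fixable": 0, "top": []} for st in STAGES}
    for v in vulns:
        for st in stages_for(v):
            chart[st]["total"] += 1
            chart[st]["fixable"] += int(v.fixable_by_update)
            chart[st]["top"].append(v)
    for st in STAGES:
        ranked = sorted(chart[st]["top"], key=lambda x: -x.cvss)[:top]
        chart[st]["top"] = [x.cve for x in ranked]
    return chart


def most_critical(vulns):
    """Card priority: patch mandated, malware exploit, proven exploit, then severity."""
    rank = lambda v: (v.kev, v.exploited_by_malware, v.exploit_exists,
                      SEVERITY_RANK[severity(v)], v.cvss)
    return max(vulns, key=rank).cve if vulns else None


# Constructed sample with placeholder CVE IDs (not real vulnerabilities).
SAMPLE = [
    Vuln("CVE-0000-1001", 9.8, fixable_by_update=True),
    Vuln("CVE-0000-1002", 7.5, exploit_exists=True),
    Vuln("CVE-0000-1003", 5.3, exploited_by_malware=True, kev=True, fixable_by_update=True),
    Vuln("CVE-0000-1004", 3.1),
]
```

Note that a proven exploit outranks a higher CVSS score on the card, so the medium-severity KEV entry is singled out ahead of the critical one.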

The entire section has elements that allow you to see more details with one click:

  1. Total number of active and triaged vulnerabilities detected in the analyzed software. This opens the Vulnerabilities page of the report
  2. All Vulnerabilities in the upper right corner of the section. This also opens the list of all detected vulnerabilities in that software package version
  3. Each CVE ID and the severity icon next to it. This opens the Vulnerabilities page of the report with a filter set to the CVE ID of the vulnerability in question

Malware chart

This section surfaces the 5 most severe malicious threats found during software package analysis.

These issues are selected by threat factors and are ranked from most to least severe. Their severity is determined by the type of each detected malicious threat. A bar chart at the far left of the section sorts these threats by count and threat type.

Spectra Assure detects the following threat types, ordered alphabetically:

  • Adware
  • Backdoor
  • Browser
  • Certificate
  • Dialer
  • Downloader
  • Exploit
  • Format
  • Hacktool
  • Hyperlink
  • Infostealer
  • Keylogger
  • Malware
  • Network
  • Packed
  • Phishing
  • PUA
  • Ransomware
  • RAT
  • Rogue
  • Rootkit
  • Spam
  • Spyware
  • Trojan
  • Virus
  • Worm

To view the list of all detected malicious components in that software package version, select All Malware Detection Issues in the upper right corner of the section.

SAFE Assessment Evaluations charts

This section clearly illustrates the relationship between policies, policy violations, and risks.

The charts found here provide more details on each risk category from the SAFE Assessment panel at the top of the Summary page. For every category, the corresponding chart shows the following data:

  1. The name of the category and its status
  2. The total number of evaluated policies in the category. If any policies in this category have been disabled, you can view them by clicking the greyed-out text. To view all enabled policies for the category, select the number of evaluated policies. Both actions take you to the Policies page
  3. How many policies out of the total number of evaluated policies have failed, triggered a warning, and passed. If data for any status is missing, that status won't be shown
  4. The total number of detected risks in this category
  5. Top 3 risks that caused the warning or failing status for the category. If more risks are available, you can see the full list by clicking on the text below