
ReversingLabs SAFE report

The ReversingLabs SAFE report is an analysis report created by Spectra Assure products using the advanced, unique ReversingLabs technology to unpack software binaries, extract deep layers of metadata, and detect software supply chain risks. Its purpose is to capture the risk assessment, as well as to provide improvement guidance through Levels and mitigation guidance through Issues.

The SAFE report shows detailed analysis results for each software package version uploaded to your Portal instance or analyzed with rl-secure. It is also the only report format that can contain diff information. When a package version is deleted, so is its report.

The look and feel of the SAFE report is consistent across all Spectra Assure products. This means that the SAFE report generated with rl-secure includes the same elements as the SAFE report you open directly on the Portal, share with others from the Portal Projects, or export as an archive to view in the SAFE Viewer app.

No matter where you open the report from, you always land on the report summary page. This page is also known as the risk analysis report since its purpose is to give users insight into the quality of their software at a glance, without going into too much detail. From this summary, users of all levels of experience and knowledge are able to infer the risks the analyzed software carries and any evident issues that are cause for concern.

Vendors and auditors will benefit the most from the information contained in the SAFE report. The report provides vendors with all the information they need to identify issues for resolution. To auditors, it offers deeper visibility into third-party software risk while providing all the software provenance information required for compliance purposes.

Accessing the SAFE report

You can access the SAFE report in the following Spectra Assure products:

Additionally, the SAFE report can be bundled with all available report types and saved locally as the RL-SAFE archive. Viewing the SAFE report from the archive is possible only with the dedicated SAFE Viewer application.

To get the SAFE report in the portable archive format, you can:

On the Portal, reanalyzing a file regenerates its RL-SAFE archive. In the CLI, a new RL-SAFE archive must be created with rl-safe pack after reanalyzing a file.

CLI

After successfully scanning the desired file, the next step is saving the SAFE report in either of the following ways:

In the CLI, the SAFE reports do not refresh automatically after reanalyzing files. To regenerate the SAFE report, you have to create it again with the command appropriate for the report format.

Input

rl-secure report rl-html pkg:rl/my-project/my-package@v1 --output-path .

Output

Software my-project/my-package@v1
Exporting results to: .
rl-html report ... done

To work with the saved report, access the location where you exported it and open it in a web browser. By default, the report file is named sdlc.html and placed into the automatically created rl-html directory. The __deps subdirectory contains all assets required to display the SAFE report.

Portal

On the Portal, the SAFE report is the default report created for any software package version uploaded and analyzed by you or the members of the group you belong to. The report is available for files on the File Stream and Projects pages. In Projects, the SAFE report for each analyzed package version can be shared with others directly from the report page.

Reanalyzing a file on the Portal regenerates its SAFE report. The PDF Summary for a file is automatically regenerated after every Portal upgrade to a new release, even if the file is not reanalyzed.

No matter how you choose to access the SAFE report or from which Portal page, it will always open inside a new tab in the navigation header of the Portal.

File Stream

On the File Stream, the report can be accessed in multiple ways:

  • from the Software table, by selecting the name of the software package version
  • from the Info dropdown, by selecting the View Report option
  • from the Actions menu at the end of each table row, by selecting the View Report option

To better understand all the available options for accessing the report, use this interactive visualization.

From the top of the report page, you can move the file to a project and use the Export menu. The Export menu in File Stream lets you download the software package version that has been analyzed and the following report parts:

  • the report summary, in the PDF format
  • xBOM in either the CycloneDX or SPDX format (SPDX excludes CBOM)
  • Issues, in the SARIF format
  • Vulnerabilities, in the RL-CVE format
  • Networking, in the RL-URI format

Projects

On the Projects page, you can get the report in any of the following ways:

  • from the Releases table, by selecting the software package version in the Version field
  • from the Info dropdown, by selecting the Details option for the desired artifact report. For the main report, select Show all checks > Software package analysis Details. If any other checks have been performed for a package version, they can be accessed from here
  • from the Actions menu at the end of each table row, by selecting the View Report option

To better understand all the available options for accessing the report, use this interactive visualization.

From the top of the report page, you can share the report and use the Export menu. The Export menu in Projects lets you download the software package version that has been analyzed and the following report parts:

  • the report summary, in the PDF format
  • the entire report, in the RL-SAFE format
  • xBOM in either the CycloneDX or SPDX format (SPDX excludes CBOM)
  • Issues, in the SARIF format
  • Vulnerabilities, in the RL-CVE format
  • Networking, in the RL-URI format

Portal API

The Spectra Assure Portal API can export the entire SAFE report with the Export RL-SAFE archive endpoint. This report is in the RL-SAFE archive format and can only be viewed with the SAFE Viewer.

Another way to access the SAFE report is to get the permanent URL of a software package version with the Show analysis status endpoint. The URL field in the response (report.info.portal.reference) contains all information on the exact position of the file in the Portal UI, making the file and its report easier to find. You can then use the Portal to open the report or share it with others.

Understanding the SAFE report

The SAFE report layout is divided into two main parts:

The sidebar on the left-hand side of the SAFE report is used for navigation. It is always visible, which means you can access it from every section of the report. To focus more on the contents of the report, the sidebar can also be collapsed, which does not hinder access to the relevant elements.

The report sidebar contains items in the following order:

  1. The CI/CD status graphic for the analyzed package version
  2. Full file name of the package version
  3. Identified file format of the package version. If it is not on the list of supported file formats, the SAFE report will include only partial information
  4. Size of the package version (in MB)
  5. A copiable SHA256 hash of the package version
  6. A list of all SAFE report pages

To better understand how the sidebar looks in the report, use this interactive visualization.

Report content

The SAFE report consists of multiple pages, each offering a detailed account of items relevant for every category. These pages can always be accessed from the left-hand sidebar, no matter where you are in the report.

All information on your analyzed package version is organized in the following way:

  1. Summary - an overview of crucial information organized by category

  2. Bill of Materials - a category covering all identified parts of your software

    • Software - a comprehensive list of components and dependencies found in the analyzed package version
    • Services - a comprehensive list of services found in the analyzed package version
    • ML Models - a comprehensive list of machine learning models found in the analyzed package version
    • Cryptography - a comprehensive list of cryptographic assets found in the analyzed package version
  3. Triage - a category covering all identified gaps in your software that need evaluating and addressing

    • Issues - details on each violated policy with advice on how to resolve any issues
    • Malware - a comprehensive list of malicious and suspicious components detected in the analyzed package version
    • Vulnerabilities - details on every identified vulnerability in the package version
    • Secrets - details on all sensitive information found in the analyzed package version and advice on how to deal with them
    • Licenses - a list of all licenses identified in the package version
  4. Audit - a category covering all information used to assess the quality of the software

    • Behaviors - a comprehensive list of potentially malicious behaviors detected in the package version
    • Signatures - information on certificates attached to the package version
    • Networking - a comprehensive list of URIs detected in the package version
    • Components - hierarchical structure of all folders and files inside the package version
    • Policies - a list of all policies on the Portal and audit information on each
    • File Statistics - a graph showing the number of files per filetype extracted from the package version

Every time you open the SAFE report for any analyzed software package version, the Summary page is shown by default.

The list of pages in your SAFE report depends on whether you're looking at the main artifact report, the report that includes differential analysis results, or the report for a reproducible build artifact.

Version with a diff

When looking at a report with differential analysis results, the report sidebar includes the Version diff category with additional pages - Issues and Files.

The Version diff > Issues page displays all issues that were either resolved or introduced since the last version. You can filter the issues by category and expand every issue to show more details about it, including the files newly impacted by introduced issues. It's important to differentiate this page from the Triage > Issues page, which shows all detected issues in the version whose report you're viewing.

The Version diff > Files page displays all files that were modified between versions. You can filter the files by name and change type, and expand each file to show additional information, including a detailed list of changes. This makes it easier to pinpoint the exact elements of your software that have been modified.

Reproducible builds

Reports for reproducible build artifacts include the Reproducibility page under the Audit category. This page indicates the reproducibility check status and shows a summary of differences between the reproducible build artifact and the main artifact ("Reference Version" in the report).

The reproducible build check is sensitive to any differences between a main version artifact and its reproducible build artifact. This means that this check will fail if any of the following is found:

  • behavioral changes
  • hash changes for script languages
  • format and classification changes
  • new issues/vulnerabilities

For example, if the package version and its artifact have the same behaviors, but the artifact was recompiled at some point, the only differences between the two are in their timestamps and hashes. In this case, the reproducibility check passes since no critical differences are found between the version and its artifact.

The reproducible build check also passes when the package version and its artifact are identical.

The Reproducibility page of the artifact report is organized in the following way:

  • reproducibility check status and the comparison of two builds
  • a list of changes causing the reproducibility check to fail, which can be filtered by the type of detected problem. If the check passes, this part is omitted
  • a list of files modified between versions (if any). They can be filtered by the type of change, i.e., the page can show only files that have been added, removed, or modified
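The pass/fail rules above (behavioral, format/classification, new-issue and script hash differences fail the check; a recompiled binary that differs only in hash and timestamp does not) worked through in code. This is an added illustration with constructed sample artifacts, not ReversingLabs' own implementation; the set of script-language formats and the treatment of files present on only one side are assumptions noted in the comments.

```python
from dataclasses import dataclass

# Assumption: formats treated as script languages for the hash rule (constructed, not the product's own list).
SCRIPT_FORMATS = {"Shell", "Python", "JavaScript"}

@dataclass(frozen=True)
class FileInfo:
    fmt: str                  # identified file format, e.g. "ELF" or "Shell"
    classification: str       # e.g. "Goodware" or "Suspicious"
    sha256: str
    timestamp: str
    behaviors: frozenset = frozenset()
    issues: frozenset = frozenset()   # issue/vulnerability identifiers

def compare_builds(reference, artifact):
    """Return (status, problems, file_changes) for a reference version and
    its reproducible build artifact; problems are (path, type, detail)."""
    problems, file_changes = [], {}
    for path in sorted(set(reference) | set(artifact)):
        ref, art = reference.get(path), artifact.get(path)
        if ref is None or art is None:
            # Assumption: one-sided files are listed as changes only; the page
            # does not state that they fail the check by themselves.
            file_changes[path] = "added" if ref is None else "removed"
            continue
        if ref.behaviors != art.behaviors:
            problems.append((path, "behavior", sorted(ref.behaviors ^ art.behaviors)))
        if (ref.fmt, ref.classification) != (art.fmt, art.classification):
            problems.append((path, "format/classification",
                             f"{ref.fmt}/{ref.classification} -> {art.fmt}/{art.classification}"))
        if art.issues - ref.issues:
            problems.append((path, "new issue", sorted(art.issues - ref.issues)))
        if ref.sha256 != art.sha256 and ref.fmt in SCRIPT_FORMATS:
            problems.append((path, "script hash", f"{ref.sha256} -> {art.sha256}"))
        if ref.sha256 != art.sha256 or ref.timestamp != art.timestamp:
            # A recompiled binary differs only here: a change, not a failure.
            file_changes[path] = "modified"
    return ("PASS" if not problems else "FAIL"), problems, file_changes

# Constructed sample: the binary recompiled (new hash and timestamp only) passes; a changed script hash fails.
REFERENCE = {
    "bin/app": FileInfo("ELF", "Goodware", "aaa111", "2024-01-01T00:00:00Z", frozenset({"network"})),
    "bin/run.sh": FileInfo("Shell", "Goodware", "bbb222", "2024-01-01T00:00:00Z"),
}
RECOMPILED = {
    "bin/app": FileInfo("ELF", "Goodware", "ccc333", "2024-02-01T00:00:00Z", frozenset({"network"})),
    "bin/run.sh": REFERENCE["bin/run.sh"],
}
TAMPERED = dict(RECOMPILED, **{"bin/run.sh": FileInfo("Shell", "Goodware", "ddd444", "2024-02-01T00:00:00Z")})
```

`compare_builds(REFERENCE, RECOMPILED)` passes with `bin/app` listed only as modified, while `compare_builds(REFERENCE, TAMPERED)` fails on the script hash change.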

Next steps

To learn more about a specific page in the SAFE report, select it in the following list:
