v3.8.1

Author: rl-maartenb

Dockerfile.cache

@@ -1,26 +1,33 @@
 # syntax=docker/dockerfile:1
 
 ARG CACHE_PATH=/tmp/rl-secure.cache
-
-FROM rockylinux:9-minimal
+FROM rockylinux/rockylinux:9-minimal
 ARG CACHE_PATH
+
 COPY scripts/* /opt/rl-scanner/
 RUN --mount=type=secret,id=rlsecure_license --mount=type=secret,id=rlsecure_sitekey <<EORUN
     set -e
     echo ${CACHE_PATH}
+
     microdnf upgrade -y
     microdnf install -y --nodocs python3-pip
     pip3 install --no-cache-dir rl-deploy
     pip3 uninstall setuptools -y
     microdnf remove pip -y
     microdnf clean all
+
     rl-deploy cache \
         --no-tracking \
         --location=${CACHE_PATH} \
         --encoded-key=$(cat /run/secrets/rlsecure_license) \
         --site-key=$(cat /run/secrets/rlsecure_sitekey)
 
-    chmod 755 /opt/rl-scanner/entrypoint /opt/rl-scanner/rl-scan /opt/rl-scanner/rl-prune
+    chmod 755 /opt/rl-scanner/entrypoint
+    chmod 755 /opt/rl-scanner/rl-prune
+    chmod 755 /opt/rl-scanner/rl-scan
+    chmod 755 /opt/rl-scanner/rl-scan-url
+    chmod 755 /opt/rl-scanner/rl-scan-purl
 EORUN
+
 ENV PATH="/opt/rl-scanner:${PATH}"
 ENTRYPOINT [ "/opt/rl-scanner/entrypoint" ]

Dockerfile.no_cache

@@ -1,17 +1,25 @@
 # syntax=docker/dockerfile:1
 
-FROM rockylinux:9-minimal
+FROM rockylinux/rockylinux:9-minimal
+
 COPY scripts/* /opt/rl-scanner/
 RUN <<EORUN
     set -e
+
     microdnf upgrade -y
     microdnf install -y --nodocs python3-pip
     pip3 install --no-cache-dir rl-deploy
     pip3 uninstall setuptools -y
     microdnf remove pip -y
     microdnf clean all
 
-    chmod 755 /opt/rl-scanner/entrypoint /opt/rl-scanner/rl-scan /opt/rl-scanner/rl-prune
+    chmod 755 /opt/rl-scanner/entrypoint
+    chmod 755 /opt/rl-scanner/rl-prune
+    chmod 755 /opt/rl-scanner/rl-scan
+    chmod 755 /opt/rl-scanner/rl-scan-url
+    chmod 755 /opt/rl-scanner/rl-scan-purl
+
 EORUN
+
 ENV PATH="/opt/rl-scanner:${PATH}"
 ENTRYPOINT [ "/opt/rl-scanner/entrypoint" ]

Makefile

@@ -16,6 +16,9 @@ LINE_LENGTH = 120
 PL_LINTERS = "eradicate,mccabe,pycodestyle,pyflakes,pylint"
 PL_IGNORE = C0114,C0115,C0116
 SCRIPTS = scripts/
+RL_SCAN = scripts/rl-scan
+RL_PRUNE = scripts/rl-prune
+RL_INTRYPOINT = scripts/entrypoint
 
 
 .PHONY: build-without-cache build-with-cache push clean format pycheck test test.%
@@ -57,14 +60,34 @@ pylama:
 		--max-line-length $(LINE_LENGTH) \
 		--linters $(PL_LINTERS) \
 		--ignore $(PL_IGNORE) \
-		$(SCRIPTS)
+		$(SCRIPTS)/*
 
-mypy:
+mypy: mypy_a mypy_prune mypy_scan mypy_entry
+
+mypy_a:
 	mypy \
 		--strict \
 		--no-incremental \
 		$(SCRIPTS)
 
+mypy_prune:
+	mypy \
+		--strict \
+		--no-incremental \
+		$(SCRIPTS) $(RL_PRUNE)
+
+mypy_scan:
+	mypy \
+		--strict \
+		--no-incremental \
+		$(SCRIPTS) $(RL_SCAN)
+
+mypy_entry:
+	mypy \
+		--strict \
+		--no-incremental \
+		$(SCRIPTS) $(RL_ENTRYPOINT)
+
 
 all-tests :=  $(addprefix test., $(notdir $(wildcard tests/*)))
 

README.md

@@ -76,7 +76,7 @@ This optional proxy configuration can be provided using environment variables.
 The following environment variables can be used with this image.
 
 | Environment variable | Description |
-| :--------- | :------ |
+| --------- | ------ |
 | `RLSECURE_ENCODED_LICENSE` | Required. The `rl-secure` license file as a Base64-encoded string. Users must encode the contents of your license file, and provide the resulting string with this variable. |
 | `RLSECURE_SITE_KEY` | Required. The `rl-secure` license site key. The site key is a string generated by ReversingLabs and sent to users with the license file. |
 | `RLSECURE_VAULT_KEY` | Optional. Password vault key to use for preserving and accessing passwords in a package store (rl-store). |
@@ -340,7 +340,7 @@ docker run --rm \
 The `rl-scan` helper tool supports the following parameters.
 
 | Parameter | Description |
-| :--------- | :------ |
+| --------- | ------ |
 | `--package-path` | Required. Path to the software package (the file you want to scan). The specified file must exist in the **package source** directory mounted to the container.  |
 | `--report-path` | Required. Path to the location where you want to store analysis reports. The specified path must exist in the **reports destination** directory mounted to the container. |
 | `--report-format` | Required. A comma-separated list of report formats to generate. Supported values: `cyclonedx`, `rl-checks`, `rl-cve`, `rl-html`, `rl-json`, `rl-uri`, `sarif`, `spdx`, `all`. |
@@ -357,7 +357,7 @@ The `rl-scan` helper tool supports the following parameters.
 The following `rl-scan` parameters are applicable only when working with a package store.
 
 | Parameter | Description |
-| :--------- | :------ |
+| --------- | ------ |
 | `--rl-store` | Required when using a package store. Path to an existing rl-secure package store that will be used for the scan. Use this parameter when you already have a package store and want to scan the existing package versions inside it or add new package versions to it. The package store directory must be mounted to the container as a part of the Docker command. |
 | `--purl` | Required when using a package store. Package URL used for the scan (must be in the format `[pkg:namespace/]<project></package><@version>`). Package URLs are unique identifiers used to associate the scanned package version with a project and a package in the rl-store. This parameter must be used together with `--rl-store`. <br /><br />To use the reproducibility checks feature and analyze a reproducible build artifact of a package version, append `?build=repro` to the package URL of the artifact when scanning it: `--purl=project/[email protected]?build=repro`. |
 | `--diff-with` | Optional. Use this parameter to compare (diff) the package version you're scanning against a previous version. The parameter accepts a package version number as the value. The version selected for diffing must exist in the same project and package as the version you're scanning. The package store must be specified with the `--rl-store` parameter. <br /><br /> This parameter is ignored when analyzing reproducible build artifacts. |
@@ -391,7 +391,7 @@ docker run --rm \
 The `rl-prune` tool supports the following parameters.
 
 | Parameter | Description |
-| :--------- | :------ |
+| --------- | ------ |
 | `--rl-store` | Required. Path to an existing `rl-secure` store in which you want to prune the data. |
 | `--purl` | Required. Package URL to prune, in the format `[pkg:namespace/]<project>[</package>[<@version>]]`. |
 | `--before-date` | Optional. Remove all versions scanned before the timestamp specified in ISO-8601 format. |
@@ -400,7 +400,86 @@ The `rl-prune` tool supports the following parameters.
 | `--hours-older` | Optional. Remove all versions with the last scan date older than the specified number of hours. |
 | `--message-reporter` | Optional. Use it to change the format of output messages (STDOUT) for easier integration with CI tools. Supported values: `text`, `teamcity` |
 
-<!-- 2025-06-18; Spectra Assure CLI 2.8.1 has been released; rl-scanner v3.6.1 -->
+## Scanning files from URLs and purls
+
+### rl-scan-url
+
+Scanning a remote HTTP or HTTPS URL can be done with the `rl-scanner` docker image using the `rl-scan-url` command.
+
+example:
+
+```
+
+URL="https://www.7-zip.org/a/7z2500-x64.exe"
+
+docker run --rm \
+    -u $(id -u):$(id -g) \
+    -e RLSECURE_ENCODED_LICENSE \
+    -e RLSECURE_SITE_KEY \
+    -v $(pwd)/report:/report \
+    reversinglabs/rl-scanner \
+        rl-scan-url \
+            --import-url="${URL}" \
+            --report-path=/report
+```
+
+When the URL requires authentication you can use either `--auth-user`, `--auth-pass` or `--bearer-token` to pass authentication information to the URL request.
+
+### rl-scan-purl
+
+Scanning a PURL present at `secure.software` can be done with the `rl-scanner` docker image using the `rl-scan-purl` command.
+For details see the cli documentation at: [importing-files-from-urls](https://docs.secure.software/cli/commands/scan#importing-files-from-urls).
+
+example:
+
+```
+
+PURL="pkg:npm/vue"
+
+docker run --rm \
+    -u $(id -u):$(id -g) \
+    -e RLSECURE_ENCODED_LICENSE \
+    -e RLSECURE_SITE_KEY \
+    -v $(pwd)/report:/report \
+    reversinglabs/rl-scanner \
+        rl-scan-purl \
+            --import-purl="${PURL}" \
+            --report-path=/report
+```
+
+## Configuration parameters for rl-scan-url and rl-scan-purl
+
+For rl-scan-purl or rl-scan-url commands, instead of the `--package-path` parameter specify the `--import-url` or `--import-purl` parameter.
+
+All other parameters for the `rl-scan` command can be used with `rl-scan-url` or `rl-scan-purl`.
+
+- If the PURL or URL requires **basic authentication**, use the `--auth-user` and `--auth-pass` parameters.
+- If the PURL or URL requires **token-based authentication**, use the `--bearer-token` parameter.
+
+### rl-scan-url
+
+Additional parameters for `rl-scan-url`
+
+| Parameter        | Description |
+| --------------   | ------------ |
+| `--import-url`   | Mandatory. The URL to the resource you want to scan, only HTTP or HTTPS are supported. |
+| `--auth-user`    | Optional. If the URL uses `basic authentication` specicy the `user` with this parameter. Cannot be used in combination with `--bearer-token`. |
+| `--auth-pass`    | Optional. If the URL uses `basic authentication` specicy the `password` with this parameter.  Cannot be used in combination with `--bearer-token`. |
+| `--bearer-token` | Optional. If the URL uses `token authentication` specicy the `token` with this parameter. Cannot be used in combination with either `--auth--user` or `--auth-pass`. |
+
+### rl-scan-purl
+
+Additional parameters for `rl-scan-purl`
+
+| Parameter        | Description |
+| --------------   | ------------ |
+| `--import-purl`  | The purl (package URL) of the software package you want to download and scan, in the format `pkg:<type>`/<item>. Supported package types: `npm`, `gem`, `pypi`, `vsx`, `nuget`. The item specified will be downloaded from Spectra Assure Community (secure.software). |
+| `--auth-user`    | Optional. If the URL uses `basic authentication` specify the `user` with this parameter. Cannot be used in combination with `--bearer-token`. |
+| `--auth-pass`    | Optional. If the URL uses `basic authentication` specify the `password` with this parameter.  Cannot be used in combination with `--bearer-token`. |
+| `--bearer-token` | Optional. If the URL uses `token authentication` specicy the `token` with this parameter. Cannot be used in combination with either `--auth--user` or `--auth-pass`. |
+
+
 <!-- 2025-07-03; Spectra Assure CLI 2.8.2 has been released; rl-scanner v3.6.2 -->
 <!-- 2025-07-17; Spectra Assure CLI 2.9.0 has been released; rl-scanner v3.7.0 -->
 <!-- 2025-07-31; Spectra Assure CLI 3.0.0 has been released; rl-scanner v3.8.0 -->
+<!-- 2025-08-14; Spectra Assure CLI 3.0.1 has been released; rl-scanner v3.8.1 -->

scripts/cimessages.py

@@ -13,14 +13,26 @@ def create(cls, name: str) -> Any:
             return TeamCityMesages()
         return TextMessages()
 
+    # Public Abstract
+    @contextmanager
+    def progress_block(self, msg: str) -> Any:
+        raise RuntimeError("Abstract: must be defined in subclass")
+
+    def info(self, msg: str) -> None:
+        raise RuntimeError("Abstract: must be defined in subclass")
+
+    def scan_result(self, passed: bool, msg: str) -> bool:
+        raise RuntimeError("Abstract: must be defined in subclass")
+
 
 class TextMessages(Messages):
-    def block_start(self, msg: str) -> None:
+    def _block_start(self, msg: str) -> None:
         print(f"Started: {msg}", flush=True)
 
-    def block_end(self, msg: str) -> None:
+    def _block_end(self, msg: str) -> None:
         print(f"Finished: {msg}", flush=True)
 
+    # Public
     def info(self, msg: str) -> None:
         print(f"Info: {msg}", flush=True)
 
@@ -33,49 +45,50 @@ def scan_result(self, passed: bool, msg: str) -> bool:
 
     @contextmanager
     def progress_block(self, msg: str) -> Any:
-        self.block_start(msg)
+        self._block_start(msg)
         yield
-        self.block_end(msg)
+        self._block_end(msg)
 
 
 class TeamCityMesages(Messages):
     @classmethod
-    def service_message(cls, name: str, msg: Any) -> str:
-        def escape(msg: str) -> str:
+    def _service_message(cls, name: str, msg: Any) -> str:
+        def _escape(msg: str) -> str:
             escape_map: Dict[str, str] = {"'": "|'", "|": "||", "\n": "|n", "\r": "|r", "[": "|[", "]": "|]"}
             return "".join(escape_map.get(x, x) for x in msg)
 
         if isinstance(msg, dict):
-            msg_content: List[str] = [f"{k}='{escape(v)}'" for k, v in msg.items()]
+            msg_content: List[str] = [f"{k}='{_escape(v)}'" for k, v in msg.items()]
             return f"##teamcity[{name} {' '.join(msg_content)}]"
-        return f"##teamcity[{name} '{escape(msg)}']"
+        return f"##teamcity[{name} '{_escape(msg)}']"
 
-    def block_start(self, msg: str) -> None:
-        print(TeamCityMesages.service_message("progressStart", msg), flush=True)
-        print(TeamCityMesages.service_message("blockOpened", {"name": msg}), flush=True)
+    def _block_start(self, msg: str) -> None:
+        print(TeamCityMesages._service_message("progressStart", msg), flush=True)
+        print(TeamCityMesages._service_message("blockOpened", {"name": msg}), flush=True)
 
-    def block_end(self, msg: str) -> None:
-        print(TeamCityMesages.service_message("blockClosed", {"name": msg}), flush=True)
-        print(TeamCityMesages.service_message("progressFinish", msg), flush=True)
+    def _block_end(self, msg: str) -> None:
+        print(TeamCityMesages._service_message("blockClosed", {"name": msg}), flush=True)
+        print(TeamCityMesages._service_message("progressFinish", msg), flush=True)
 
-    def __build_problem(self, msg: str) -> None:
-        print(TeamCityMesages.service_message("buildProblem", {"description": msg}), flush=True)
+    def _build_problem(self, msg: str) -> None:
+        print(TeamCityMesages._service_message("buildProblem", {"description": msg}), flush=True)
 
-    def __build_status(self, msg: str) -> None:
-        print(TeamCityMesages.service_message("buildStatus", {"text": msg}), flush=True)
+    def _build_status(self, msg: str) -> None:
+        print(TeamCityMesages._service_message("buildStatus", {"text": msg}), flush=True)
 
+    # Public
     def info(self, msg: str) -> None:
-        print(TeamCityMesages.service_message("message", {"text": msg}), flush=True)
+        print(TeamCityMesages._service_message("message", {"text": msg}), flush=True)
 
     def scan_result(self, passed: bool, msg: str) -> bool:
         if passed:
-            self.__build_status("Scan result: PASS")
+            self._build_status("Scan result: PASS")
         else:
-            self.__build_problem(f"Scan result: {msg}... FAIL")
+            self._build_problem(f"Scan result: {msg}... FAIL")
         return False
 
     @contextmanager
     def progress_block(self, msg: str) -> Any:
-        self.block_start(msg)
+        self._block_start(msg)
         yield
-        self.block_end(msg)
+        self._block_end(msg)

scripts/constants.py

@@ -0,0 +1,56 @@
+import os
+from typing import (
+    Dict,
+    List,
+    Optional,
+)
+
+REPORT_FORMATS: Dict[str, str] = {  # https://docs.secure.software/api-reference/#tag/Version/operation/getVersionReport
+    "cyclonedx": "report.cyclonedx.json",
+    "sarif": "report.sarif.json",
+    "spdx": "report.spdx.json",
+    "rl-checks": "report.checks.json",
+    "rl-cve": "report.cve.csv",
+    "rl-json": "report.rl.json",
+    "rl-summary-pdf": "report.summary.pdf",
+    "rl-uri": "report.uri.csv",
+}
+
+# not all report types are supported in pack/rl-safe
+RL_SAFE_FORMAT_LIST: List[str] = [
+    "cyclonedx",
+    "sarif",
+    "spdx",
+    "rl-cve",
+    "rl-uri",
+    "all",
+]
+
+_DEV: bool = os.getenv("ENVIRONMENT", "") == "DEVELOPMENT"
+
+SCANNER_COMMANDS: List[str] = [
+    "rl-prune",
+    "rl-scan",
+    "rl-scan-url",
+    "rl-scan-purl",
+    # "rl-scan-docker",
+]
+
+VALID_PURL_TYPES: List[str] = [
+    "pkg:npm/",
+    "pkg:pypi/",
+    "pkg:gem/",
+    "pkg:nuget/",
+    "pkg:vsx/",
+]
+
+TMP_DIR: str = "/tmp"
+
+CACHE_LOCATION: str = f"{TMP_DIR}/rl-secure.cache"
+INSTALL_LOCATION: str = f"{TMP_DIR}/__rlsecure"
+RLREPORT_LOCATION: str = f"{TMP_DIR}/__rlsecure-report"
+RLSTORE: str = f"{TMP_DIR}/__rlstore"
+
+VAULT_KEY: Optional[str] = None
+
+EXIT_FATAL: int = 101