Supported vulnerability scan formats

Generate a vulnerability scan file in one of the following formats to assess CVEs and exposures across your application lifecycle. Then, you can upload the file to Concert to assess and prioritize vulnerabilities impacting your applications and environments.

The following are the different types of vulnerability scans supported by Concert:

Table 1. Types of CVE scans

File type                            | Scan source                    | File format
-------------------------------------|--------------------------------|---------------------
Vulnerability scan (image)           | Prisma Cloud                   | CSV, XLS, XLSX, JSON
                                     | Sysdig                         | CSV, XLS, XLSX
                                     | Aqua Security                  | JSON
                                     | Syft                           | JSON
                                     | Trivy                          | JSON
                                     | Grype                          | JSON
                                     | Others (1)                     | CSV, XLS, XLSX
Vulnerability scan (source code)     | Mend                           | CSV, XLS, XLSX
                                     | Syft                           | JSON
                                     | Trivy                          | JSON
                                     | Grype                          | JSON
                                     | Others (1)                     | CSV, XLS, XLSX
Vulnerability scan (virtual machine) | Qualys (only for runtime CVEs) | CSV, XLS, XLSX
                                     | Others (1)                     | CSV, XLS, XLSX

Table 2. Supported non-CVE exposure scan types

File type        | Scan source | File format
-----------------|-------------|----------------
Dynamic scan (2) | Zap         | JSON
                 | Others (1)  | CSV, XLS, XLSX
Static scan (3)  | Concert     | JSON, CSV
                 | SonarQube   | JSON, CSV

  • (1) Others: Custom Concert vulnerability scan format
  • (2) Dynamic scan requires the Environment and Access point name of the application.
  • (3) Static scan requires the Repository name and Repository URL of the source code.
Note: Concert UI supports uploading files with sizes less than 2 MB. Use the API option to upload files with a size larger than 2 MB.

Format: Custom Concert vulnerability scan (CSV, XLS, XLSX)

Note: A vulnerability scan must adhere to the Concert-specific vulnerability scan format if it is generated by a tool other than the Concert-supported tools.
Attention: All header properties in the following tables must be present in the vulnerability scan CSV, even if there is no associated value. Values are required only for the header properties marked Value required, but every property must be included in the header row.
  • Vulnerability scan (image)

    Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Image scan sample

    Table 3. Properties of a custom Vulnerability scan (image) report in CSV format
    Attention: All headers must be included in the output file, even if there is no corresponding value.

    Header properties      | Values
    -----------------------|------------------------------------------------------------------------------
    CVE (Value required)   | Unique name or identifier of the CVE
    Image (Value required) | Name of the Docker image
    Package                | Name of the package within the environment
    Package Version        | Version of the package
    Package Path           | Indicates the file path within the environment directory where the package file is stored
    severity               | Indicates the severity of the vulnerability (critical, important, high, moderate, low)
    Score                  | Common Vulnerability Scoring System (CVSS) score to prioritize security vulnerabilities
    hasFix                 | Y/N based on whether it already has a fix
    Fixed Version          | Package fix version
    Description            | Description of the CVE
    Tag                    | Name of the Docker image tag
    Digest                 | Name of the Docker image digest
  • Vulnerability scan (source code)

    Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Code scan sample

    Table 4. Properties of a custom Vulnerability scan (source code) report in CSV format
    Attention: All headers must be included in the output file, even if there is no corresponding value.

    Header properties               | Values
    --------------------------------|------------------------------------------------------------------------------
    CVE (Value required)            | Unique name or identifier of the CVE
    Repository URL (Value required) | URL of the repository
    Repository Name                 | Name of the repository
    Package                         | Name of the package within the environment
    Package Version                 | Version of the package
    Package Path                    | Indicates the file path within the environment directory where the package file is stored
    severity                        | Indicates the severity of the vulnerability (critical, important, high, moderate, low)
    Score                           | Common Vulnerability Scoring System (CVSS) score to prioritize security vulnerabilities
    hasFix                          | Y/N based on whether it already has a fix
    Fixed Version                   | Package fix version
    Description                     | Description of the CVE
    Commit                          | Commit in the repository
    Branch                          | Branch in the repository
  • Vulnerability scan (virtual machine)

    Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom VM scan sample

    Table 5. Properties of a custom Vulnerability scan (virtual machine) report in CSV format
    Attention: All headers must be included in the output file, even if there is no corresponding value.

    Header properties               | Values
    --------------------------------|------------------------------------------------------------------------------
    CVE (Value required)            | Unique name or identifier of the CVE
    Host IPAddress (Value required) | IP address of the host
    Host Name                       | Name of the host
    Package                         | Name of the package within the environment
    Package Version                 | Version of the package
    Package Path                    | Indicates the file path within the environment directory where the package file is stored
    severity                        | Indicates the severity of the vulnerability (critical, important, high, moderate, low)
    Score                           | Common Vulnerability Scoring System (CVSS) score to prioritize security vulnerabilities
    hasFix                          | Y/N based on whether it already has a fix
    Fixed Version                   | Package fix version
    Description                     | Description of the CVE
  • Exposure Dynamic scan/Static scan

    Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Dynamic scan sample and Custom Static scan sample

    Table 6. Properties of a custom Vulnerability scan for Exposure (Dynamic scan/Static scan) report in CSV format
    Attention: All headers must be included in the output file, even if there is no corresponding value.

    Header properties               | Values
    --------------------------------|-----------------------------------------------------------
    rule id (Value required)        | The identifier of the rule that was violated
    file location (Value required)  | Location of the file
    Severity                        | The level of severity for a particular record
    line no                         | Code line number where the issue was detected
    status                          | Status of the issue
    issue description               | Description of the issue
    first seen time                 | The time at which the result was first detected
    last seen time                  | The time at which the result was last detected
    solution                        | Solution of the issue
    cwe id                          | A unique identifier for a software or hardware weakness type
    tool name                       | The name of the tool that produced the run
    issue type                      | Type of the issue
    score                           | Score that indicates the level of severity
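The header rules in Tables 3 to 6 (every column present, only the columns marked Value required non-empty) are easy to get wrong when a scanner's export is converted by hand. The following pre-upload check is an added example written for this page, not Concert's own tooling; the header lists are copied from the tables above and the sample CSV is constructed.

```python
"""Pre-upload check for a custom Concert vulnerability-scan CSV (Tables 3-6).
Added example for this page, not Concert's own tooling."""
import csv
import io

# Header rows exactly as the page's tables spell them; the second element is
# the subset marked "Value required", which must be non-empty in every record.
SCHEMAS = {
    "image": (["CVE", "Image", "Package", "Package Version", "Package Path",
               "severity", "Score", "hasFix", "Fixed Version", "Description",
               "Tag", "Digest"], ["CVE", "Image"]),
    "source": (["CVE", "Repository URL", "Repository Name", "Package",
                "Package Version", "Package Path", "severity", "Score", "hasFix",
                "Fixed Version", "Description", "Commit", "Branch"],
               ["CVE", "Repository URL"]),
    "vm": (["CVE", "Host IPAddress", "Host Name", "Package", "Package Version",
            "Package Path", "severity", "Score", "hasFix", "Fixed Version",
            "Description"], ["CVE", "Host IPAddress"]),
    "exposure": (["rule id", "file location", "Severity", "line no", "status",
                  "issue description", "first seen time", "last seen time",
                  "solution", "cwe id", "tool name", "issue type", "score"],
                 ["rule id", "file location"]),
}

# Constructed sample: every Table 3 header is present and optional columns are
# left empty, but the second record omits the mandatory Image value.
SAMPLE_IMAGE_CSV = """\
CVE,Image,Package,Package Version,Package Path,severity,Score,hasFix,Fixed Version,Description,Tag,Digest
CVE-0000-0001,registry.example/app,openssl,3.0.1,/usr/lib,high,7.5,Y,3.0.2,constructed sample,1.0,
CVE-0000-0002,,zlib,1.2.11,,moderate,5.3,N,,constructed sample,,
"""

def validate_scan_csv(text, kind):
    """Return problems found; an empty list means the file is uploadable."""
    headers, required = SCHEMAS[kind]
    reader = csv.DictReader(io.StringIO(text))
    found = reader.fieldnames or []       # None on an empty file
    problems = []
    missing = [h for h in headers if h not in found]   # names matched exactly (case matters)
    if missing:
        problems.append("missing header(s): " + ", ".join(missing))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header row
        for col in required:
            if col in found and not (row.get(col) or "").strip():
                problems.append(f"line {lineno}: '{col}' requires a value")
    return problems

if __name__ == "__main__":
    print(validate_scan_csv(SAMPLE_IMAGE_CSV, "image"))
```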

Format: Vulnerability Disclosure Report (VDR) in CycloneDX (JSON)

Syft, Trivy, and Grype are the Concert-supported vulnerability scanning tools that generate a Vulnerability Disclosure Report (VDR) file in CycloneDX format as JSON. A VDR contains information about vulnerabilities, including those inherited from third-party and open source software, as well as previously unknown vulnerabilities impacting your application components and services.

Vulnerability Disclosure Reports are defined in the NIST SP 800-161 publication as a best practice for vulnerability scanning. The files include details about the impact of a reported vulnerability on an application component or product as well as remediation steps. Concert supports the CycloneDX specification that aligns with all NIST recommendations for VDR files. Refer to this CycloneDX GitHub repository for details.

Refer to the CycloneDX vulnerability scan template (VDR format) on the public Concert GitHub repository: Image Scan CycloneDX sample

The VDR file must adhere to the CycloneDX schema definition and, at a minimum, include the following required fields:
{
  "metadata": {
    "component": {
      "name": "<image_name>"
    }
  },
  "vulnerabilities": [
    {
      "id": "<CVE_name>",
      "affects": [
        {
          "ref": "<package_reference>"
        }
      ]
    }
  ]
}

The <image_name>, <CVE_name>, and <package_reference> fields are required; all other fields that can be included in the VDR file are optional. The following example includes several optional fields, such as <package_name>, <package_version>, and others.

{
  "metadata": {
    "component": {
      "name": "<image_name>"
    }
  },
  "components": [
    {
      "bom-ref": "<package_reference>",
      "name": "<package_name>",
      "version": "<package_version>"
    }
  ],
  "vulnerabilities": [
    {
      "id": "<CVE_name>",
      "ratings": [
        {
          "score": "<score>",
          "severity": "<severity>"
        }
      ],
      "description": "<description>",
      "affects": [
        {
          "ref": "<package_reference>"
        }
      ]
    }
  ]
}
Note: Do not edit a generated CycloneDX file. Vulnerability assessments are not processed successfully if the CycloneDX file is incorrectly modified.
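Because a modified or incomplete CycloneDX file is rejected at assessment time, it is worth checking a generated VDR for the three required fields above before uploading it. The checker below is an added example for this page, not Concert's or CycloneDX's code; the sample document is constructed, and the cross-check that every affects[].ref matches a declared components[].bom-ref is an extra consistency test of mine that is applied only when the optional components list is present.

```python
"""Check that a CycloneDX VDR carries the fields Concert requires (the minimal
document above).  Added example for this page, not Concert's or CycloneDX's code."""
import json

# Constructed VDR modelled on the second example on this page.  The second
# vulnerability references a bom-ref that no component declares, and the third
# lacks both its id and an affected package.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "registry.example/app:1.0"}},
    "components": [{"bom-ref": "pkg:deb/debian/openssl@3.0.1",
                    "name": "openssl", "version": "3.0.1"}],
    "vulnerabilities": [
        {"id": "CVE-0000-0001",  # constructed placeholder id
         "ratings": [{"score": 7.5, "severity": "high"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.1"}]},
        {"id": "CVE-0000-0002",
         "affects": [{"ref": "pkg:deb/debian/zlib@1.2.11"}]},
        {"affects": []},
    ],
})

def check_vdr(text):
    """Return problems found; an empty list means the required fields are present."""
    doc = json.loads(text)
    problems = []
    if not doc.get("metadata", {}).get("component", {}).get("name"):
        problems.append("metadata.component.name (<image_name>) is missing")
    # bom-refs declared under components[]; when the list is absent the
    # cross-check below is skipped, since components are optional on this page
    declared = {c.get("bom-ref") for c in doc.get("components", []) if c.get("bom-ref")}
    vulns = doc.get("vulnerabilities") or []
    if not vulns:
        problems.append("vulnerabilities[] is missing or empty")
    for i, v in enumerate(vulns):
        if not v.get("id"):
            problems.append(f"vulnerabilities[{i}].id (<CVE_name>) is missing")
        refs = [a.get("ref") for a in v.get("affects", [])]
        if not any(refs):
            problems.append(f"vulnerabilities[{i}].affects[].ref (<package_reference>) is missing")
        for ref in refs:
            if ref and declared and ref not in declared:
                problems.append(f"vulnerabilities[{i}] affects undeclared bom-ref {ref}")
    return problems

if __name__ == "__main__":
    print(check_vdr(SAMPLE_VDR))
```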

Format: Prisma Cloud vulnerability scan report (CSV, XLS, XLSX, JSON)

Similar to the Concert-specific format, you can use the Prisma Cloud tool to generate a vulnerability scan report in CSV, XLS, XLSX, or JSON format. Then, you can upload the generated file to Concert to assess CVE vulnerabilities reported against a container image.
Note: You do not need to edit the generated file. Concert ingests the data as-is.
Refer to the Prisma Cloud vulnerability scan template on the public Concert GitHub repository:

Format: Sysdig vulnerability scan report (CSV, XLS, XLSX)

You can use the Sysdig tool to generate a vulnerability scan report in CSV, XLS, or XLSX format. Then, you can upload the generated file to Concert to assess CVE vulnerabilities reported against a container image.
Note: You do not need to edit the generated file. Concert ingests the data as-is.

Refer to the Sysdig vulnerability scan template (CSV format) on the public Concert GitHub repository: Image scan Sysdig sample

Format: Aqua Security vulnerability scan report (JSON)

You can use the Aqua Security tool to generate a vulnerability scan report in JSON format. Then, you can upload the generated file to Concert to assess CVE vulnerabilities reported against a container image.
Note: You do not need to edit the generated file. Concert ingests the data as-is.

Refer to the Aqua Security vulnerability scan template on the public Concert GitHub repository: Image scan Aqua Security sample

Format: Qualys vulnerability scan report (CSV, XLS, XLSX)

You can use the Qualys tool to generate a vulnerability scan report in CSV, XLS, or XLSX format. Then, you can upload the generated file to Concert to assess runtime CVEs reported against a virtual machine (VM) or host.
Note:
  • Concert only supports the Qualys format for runtime CVEs. This means that Concert only supports a specific header structure for any CVEs or vulnerabilities that are reported against a VM or host.
  • You do not need to edit the generated file. Concert ingests the data as-is.

Refer to the Qualys vulnerability scan template (CSV format) on the public Concert GitHub repository: VM scan Qualys sample

Format: Mend vulnerability scan report (CSV, XLS, XLSX)

You can use the Mend tool to generate a vulnerability scan report in CSV, XLS, or XLSX format. Then, you can upload the generated file to Concert to assess runtime CVEs reported against source code.
Note:
  • You do not need to edit the generated file. Concert ingests the data as-is.

Refer to the Mend vulnerability scan template (XLSX format) on the public Concert GitHub repository: Mend scan sample

Format: Dynamic Application Security Testing vulnerability scan report (JSON) for Dynamic scan

You can use Dynamic Application Security Testing (DAST) tools, for example Zap (Zed Attack Proxy), to generate a vulnerability scan report in JSON format. Then, you can upload the generated file to Concert as a Dynamic scan to assess the non-CVE exposures associated with your web application.
Note: You do not need to edit the generated file. Concert ingests the data as-is.

Refer to the Dynamic Application Security Testing vulnerability scan template on the public Concert GitHub repository: DAST JSON sample

Format: Static Application Security Testing vulnerability scan report (JSON) for Static scan

You can use the Static Application Security Testing (SAST) tool to generate the Static Analysis Results Interchange Format (SARIF) data. Then, you can upload the generated SARIF file as JSON to Concert as a Static scan to assess non-CVE exposures associated with your source code repository.
Note: You do not need to edit the generated file. Concert ingests the data as-is in JSON format.

Refer to the Static Application Security Testing vulnerability scan template on the public Concert GitHub repository: SAST JSON samples

Concert also supports the SonarQube scan report for the exposure Static scan.

Refer to the SonarQube vulnerability scan template (CSV format) on the public Concert GitHub repository: SonarQube sample