Supported vulnerability scan formats
Generate a vulnerability scan file in one of the following formats to assess CVEs and exposures across your application lifecycle. You can then upload the file to Concert to assess and prioritize the vulnerabilities that affect your applications and environments.
File type | Scan source | File format |
---|---|---|
Vulnerability scan (image) | Prisma Cloud | CSV, XLS, XLSX, JSON |
Vulnerability scan (image) | Sysdig | CSV, XLS, XLSX |
Vulnerability scan (image) | Aqua Security | JSON |
Vulnerability scan (image) | Syft | JSON |
Vulnerability scan (image) | Trivy | JSON |
Vulnerability scan (image) | Grype | JSON |
Vulnerability scan (image) | Others¹ | CSV, XLS, XLSX |
Vulnerability scan (source code) | Mend | CSV, XLS, XLSX |
Vulnerability scan (source code) | Syft | JSON |
Vulnerability scan (source code) | Trivy | JSON |
Vulnerability scan (source code) | Grype | JSON |
Vulnerability scan (source code) | Others¹ | CSV, XLS, XLSX |
Vulnerability scan (virtual machine) | Qualys (only for runtime CVEs) | CSV, XLS, XLSX |
Vulnerability scan (virtual machine) | Others¹ | CSV, XLS, XLSX |

File type | Scan source | File format |
---|---|---|
Dynamic scan² | Zap | JSON |
Dynamic scan² | Others¹ | CSV, XLS, XLSX |
Static scan³ | Concert | JSON, CSV |
Static scan³ | SonarQube | JSON, CSV |
- ¹ Others: Custom Concert vulnerability scan format
- ² A Dynamic scan requires the Environment and the Access point name of the application.
- ³ A Static scan requires the Repository name and the Repository URL of the source code.
Format: Custom Concert vulnerability scan (CSV, XLS, XLSX)
Vulnerability scan (image)
Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Image scan sample
Table 3. Properties of a custom Vulnerability scan (image) report in CSV format

Attention: All headers must be included in the output file, even if there is no corresponding value.

Header properties | Values |
---|---|
CVE (Value required) | Unique name or identifier of the CVE |
Image (Value required) | Name of the Docker image |
Package | Name of the package within the environment |
Package Version | Version of the package |
Package Path | File path within the environment directory where the package file is stored |
severity | Severity of the vulnerability (critical, important, high, moderate, low) |
Score | Common Vulnerability Scoring System (CVSS) score, used to prioritize security vulnerabilities |
hasFix | Y/N, depending on whether a fix is already available |
Fixed Version | Package version that contains the fix |
Description | Description of the CVE |
Tag | Name of the Docker image tag |
Digest | Name of the Docker image digest |
Vulnerability scan (source code)
Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Code scan sample
Table 4. Properties of a custom Vulnerability scan (source code) report in CSV format

Attention: All headers must be included in the output file, even if there is no corresponding value.

Header properties | Values |
---|---|
CVE (Value required) | Unique name or identifier of the CVE |
Repository URL (Value required) | URL of the repository |
Repository Name | Name of the repository |
Package | Name of the package within the environment |
Package Version | Version of the package |
Package Path | File path within the environment directory where the package file is stored |
severity | Severity of the vulnerability (critical, important, high, moderate, low) |
Score | Common Vulnerability Scoring System (CVSS) score, used to prioritize security vulnerabilities |
hasFix | Y/N, depending on whether a fix is already available |
Fixed Version | Package version that contains the fix |
Description | Description of the CVE |
Commit | Commit in the repository |
Branch | Branch in the repository |
Vulnerability scan (virtual machine)
Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom VM scan sample
Table 5. Properties of a custom Vulnerability scan (virtual machine) report in CSV format

Attention: All headers must be included in the output file, even if there is no corresponding value.

Header properties | Values |
---|---|
CVE (Value required) | Unique name or identifier of the CVE |
Host IPAddress (Value required) | IP address of the host |
Host Name | Name of the host |
Package | Name of the package within the environment |
Package Version | Version of the package |
Package Path | File path within the environment directory where the package file is stored |
severity | Severity of the vulnerability (critical, important, high, moderate, low) |
Score | Common Vulnerability Scoring System (CVSS) score, used to prioritize security vulnerabilities |
hasFix | Y/N, depending on whether a fix is already available |
Fixed Version | Package version that contains the fix |
Description | Description of the CVE |
Exposure (Dynamic scan/Static scan)
Refer to the custom vulnerability scan template (CSV format) on the public Concert GitHub repository: Custom Dynamic scan sample and Custom Static scan sample
Table 6. Properties of a custom Vulnerability scan for Exposure (Dynamic scan/Static scan) report in CSV format

Attention: All headers must be included in the output file, even if there is no corresponding value.

Header properties | Values |
---|---|
rule id (Value required) | Identifier of the rule that was violated |
file location (Value required) | Location of the file |
Severity | Severity level of the record |
line no | Code line number where the issue was detected |
status | Status of the issue |
issue description | Description of the issue |
first seen time | Time at which the result was first detected |
last seen time | Time at which the result was last detected |
solution | Solution for the issue |
cwe id | Unique identifier of the software or hardware weakness type (CWE) |
tool name | Name of the tool that produced the run |
issue type | Type of the issue |
score | Score that indicates the level of severity |
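As an added example (not code from the Concert project or its GitHub templates), the following Python check applies the rules of Table 3 to a custom image scan CSV before upload: every header present even when its column is empty, CVE and Image non-empty, severity from the listed set, hasFix Y or N, and Score numeric. Passing the header lists of Table 4 or Table 5 checks those formats the same way; the 0.0 to 10.0 range for Score and the sample rows are assumptions made here.

```python
import csv
import io

# Headers from Table 3 (custom image scan); every one must be present even if its column is empty.
IMAGE_SCAN_HEADERS = ["CVE", "Image", "Package", "Package Version", "Package Path", "severity",
                      "Score", "hasFix", "Fixed Version", "Description", "Tag", "Digest"]
SEVERITIES = {"critical", "important", "high", "moderate", "low"}


def validate_custom_scan_csv(text, headers=IMAGE_SCAN_HEADERS, required=("CVE", "Image")):
    """Return the problems found in a custom Concert scan CSV; an empty list means it is acceptable."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in headers if h not in (reader.fieldnames or [])]
    if missing:
        return [f"missing headers: {', '.join(missing)}"]
    problems = []
    for n, row in enumerate(reader, start=2):          # line 1 is the header row
        for col in required:                           # "(Value required)" columns of the table
            if not row[col].strip():
                problems.append(f"line {n}: {col} value is required")
        severity = row["severity"].strip().lower()
        if severity and severity not in SEVERITIES:
            problems.append(f"line {n}: unknown severity '{row['severity']}'")
        has_fix = row["hasFix"].strip().upper()
        if has_fix and has_fix not in ("Y", "N"):
            problems.append(f"line {n}: hasFix must be Y or N")
        score = row["Score"].strip()
        # Assumption: Score is a CVSS base score (0.0-10.0); the page names CVSS but gives no range.
        if score:
            try:
                if not 0.0 <= float(score) <= 10.0:
                    problems.append(f"line {n}: Score {score} is outside 0-10")
            except ValueError:
                problems.append(f"line {n}: Score '{score}' is not numeric")
    return problems


# Constructed sample (not from the page): a clean row, a row with no CVE, and a row with bad
# severity, hasFix and Score values.
SAMPLE_CSV = """CVE,Image,Package,Package Version,Package Path,severity,Score,hasFix,Fixed Version,Description,Tag,Digest
CVE-0000-0001,registry.example/app,openssl,1.1.1k,/usr/lib,high,7.5,Y,1.1.1l,constructed example,latest,sha256:0000
,registry.example/app,zlib,1.2.11,/usr/lib,low,3.1,N,,constructed example,latest,sha256:0000
CVE-0000-0002,registry.example/app,curl,7.68.0,/usr/bin,urgent,abc,maybe,,constructed example,latest,sha256:0000
"""

if __name__ == "__main__":
    for problem in validate_custom_scan_csv(SAMPLE_CSV):
        print(problem)
```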
Format: Vulnerability Disclosure Report (VDR) in CycloneDX (JSON)
Syft, Trivy, and Grype are the vulnerability scanning tools that Concert supports for generating a Vulnerability Disclosure Report (VDR) file in CycloneDX JSON format. A VDR contains information about vulnerabilities, including those inherited from third-party and open source software, as well as previously unknown vulnerabilities that affect your application components and services.
Vulnerability Disclosure Reports are defined in the NIST SP 800-161 publication as a best practice for vulnerability scanning. The files include details about the impact of a reported vulnerability on an application component or product, as well as remediation steps. Concert supports the CycloneDX specification, which aligns with all NIST recommendations for VDR files. Refer to this CycloneDX GitHub repository for details.
Refer to the CycloneDX vulnerability scan template (VDR format) on the public Concert GitHub repository: Image Scan CycloneDX sample
```json
{
  "metadata": {
    "component": {
      "name": "<image_name>"
    }
  },
  "vulnerabilities": [
    {
      "id": "<CVE_name>",
      "affects": [
        {
          "ref": "<package_reference>"
        }
      ]
    }
  ]
}
```
The <image_name>, <CVE_name>, and <package_reference> fields are required, whereas the other fields that can be included in the VDR file are optional. The following example includes several optional fields, such as <package_name>, <package_version>, and others.
```json
{
  "metadata": {
    "component": {
      "name": "<image_name>"
    }
  },
  "components": [
    {
      "bom-ref": "<package_reference>",
      "name": "<package_name>",
      "version": "<package_version>"
    }
  ],
  "vulnerabilities": [
    {
      "id": "<cve_name>",
      "ratings": [
        {
          "score": "<score>",
          "severity": "<severity>"
        }
      ],
      "description": "<description>",
      "affects": [
        {
          "ref": "<package_reference>"
        }
      ]
    }
  ]
}
```
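As an added example (not code from Concert, CycloneDX, or any of the scanners named above), this Python check applies the required-field rule to a VDR document: the image name under metadata.component.name, an id for every vulnerability, and a ref under affects for each. When a components list is present it also checks that each ref resolves to a declared bom-ref, which is how CycloneDX ties a vulnerability to a component. The sample document and its package identifiers are constructed.

```python
import json


def validate_vdr(doc: dict) -> list[str]:
    """Return the problems found in a CycloneDX VDR document; an empty list means it is acceptable."""
    problems = []
    # Required by Concert: metadata.component.name, vulnerabilities[].id, vulnerabilities[].affects[].ref.
    if not doc.get("metadata", {}).get("component", {}).get("name"):
        problems.append("metadata.component.name (image name) is required")
    vulns = doc.get("vulnerabilities")
    if not isinstance(vulns, list):
        problems.append("vulnerabilities must be a list")
        return problems
    # In CycloneDX, affects[].ref is a bom-ref; when components are listed, each ref should resolve to one.
    declared = {c.get("bom-ref") for c in doc.get("components", []) if c.get("bom-ref")}
    for i, vuln in enumerate(vulns):
        if not vuln.get("id"):
            problems.append(f"vulnerabilities[{i}].id (CVE name) is required")
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        if not refs or not all(refs):
            problems.append(f"vulnerabilities[{i}].affects[].ref (package reference) is required")
        elif declared:
            problems += [f"vulnerabilities[{i}]: ref '{r}' matches no components[].bom-ref"
                         for r in refs if r not in declared]
    return problems


def validate_vdr_text(text: str) -> list[str]:
    """Same check, starting from the JSON text of the VDR file as it would be uploaded."""
    return validate_vdr(json.loads(text))


# Constructed sample VDR (not from the page): one complete entry, one missing its id,
# and one whose ref does not match any declared component.
SAMPLE_VDR = json.dumps({
    "metadata": {"component": {"name": "registry.example/app"}},
    "components": [{"bom-ref": "pkg:deb/debian/openssl@1.1.1k", "name": "openssl", "version": "1.1.1k"}],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"score": 7.5, "severity": "high"}],
         "description": "constructed example", "affects": [{"ref": "pkg:deb/debian/openssl@1.1.1k"}]},
        {"affects": [{"ref": "pkg:deb/debian/openssl@1.1.1k"}]},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:deb/debian/zlib@1.2.11"}]},
    ],
})

if __name__ == "__main__":
    for problem in validate_vdr_text(SAMPLE_VDR):
        print(problem)
```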
Format: Prisma Cloud vulnerability scan report (CSV, XLS, XLSX, JSON)
- CSV format: Image scan Prisma Cloud sample_CSV
- JSON format: Image scan Prisma Cloud sample_JSON
Format: Sysdig vulnerability scan report (CSV, XLS, XLSX)
Refer to the Sysdig vulnerability scan template (CSV format) on the public Concert GitHub repository: Image scan Sysdig sample
Format: Aqua Security vulnerability scan report (JSON)
Refer to the Aqua Security vulnerability scan template on the public Concert GitHub repository: Image scan Aqua Security sample
Format: Qualys vulnerability scan report (CSV, XLS, XLSX)
- Concert only supports the Qualys format for runtime CVEs. This means that Concert only supports a specific header structure for any CVEs or vulnerabilities that are reported against a VM or host.
- You do not need to edit the generated file. Concert ingests the data as-is.
Refer to the Qualys vulnerability scan template (CSV format) on the public Concert GitHub repository: VM scan Qualys sample
Format: Mend vulnerability scan report (CSV, XLS, XLSX)
- You do not need to edit the generated file. Concert ingests the data as-is.
Refer to the Mend vulnerability scan template (XLSX format) on the public Concert GitHub repository: Mend scan sample
Format: Dynamic Application Security Testing vulnerability scan report (JSON) for Dynamic scan
Refer to the Dynamic Application Security Testing vulnerability scan template on the public Concert GitHub repository: DAST JSON sample
Format: Static Application Security Testing vulnerability scan report (JSON) for Static scan
Refer to the Static Application Security Testing vulnerability scan template on the public Concert GitHub repository: SAST JSON samples
Concert also supports the SonarQube scan report for the exposure static scan.
Refer to the SonarQube vulnerability scan template (CSV format) on the public Concert GitHub repository: SonarQube sample