Generating ConcertDef SBOMs

To build your application topology, you generate and import three types of SBOM file that use the custom ConcertDef (Concert-defined) schema and contain details about your application components and dependencies.

The ConcertDef JSON schema represents the Concert-defined data model to generate a 360-degree topological view of your applications and environments. The schema contains a subset of application component-type extensions, including a properties object with details about the change to the CI/CD pipeline. Three types of SBOM files can be formatted using this schema:
  • Application (pre-build) SBOM - Contains the selection criteria for in-scope build inventories and deployment environments. This SBOM type represents the complete software application, including its source code, dependencies, and configurations.
  • Build SBOM - Captures evidence data for a specific container image and the code repository used during the software build process, including the compilation tools, build scripts, and dependencies. It helps identify any discrepancies between the expected and actual build environments.
  • Deploy SBOM - Captures evidence data for a specific Kubernetes cluster and the container images deployed to it. This SBOM focuses on the configuration and setup of the software application for deployment, including the specific environment, runtime, and dependencies required for the application to function correctly.

The ConcertDef schema is a derivative of the CycloneDX SBOM schema, version 1.5. Concert-defined SBOMs can be generated with the Concert toolkit or with custom scripts in your CI/CD tooling, such as Jenkins or ArgoCD, and then uploaded to Concert either manually or automatically through the CI/CD pipeline (recommended).
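Because ConcertDef documents are CycloneDX 1.5 derivatives, a custom pipeline script can assemble them from the core CycloneDX fields and sanity-check them before upload. The following is an added example written for this page; it is not the Concert toolkit and does not implement the ConcertDef schema itself. It uses only standard CycloneDX 1.5 fields (bomFormat, specVersion, metadata, components, hashes, properties); the property names prefixed "example:" stand in for the ConcertDef extensions, which this page does not spell out, and every image name, version, hash and repository value is constructed.

```python
"""Build a CycloneDX-1.5-style SBOM and check it before uploading.

Added example, not code from the Concert toolkit or the ConcertDef
schema. The "example:" property names below are placeholders for the
ConcertDef extensions; the real keys are not documented on this page.
"""
import json
import re
from typing import Any, Dict, List, Optional

SPEC_VERSION = "1.5"                                # ConcertDef derives from CycloneDX 1.5
SBOM_KINDS = ("application", "build", "deploy")     # the three SBOM types described above
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def make_component(name: str, version: str, ctype: str = "library",
                   purl: Optional[str] = None, sha256: Optional[str] = None,
                   props: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """One CycloneDX component entry (library, container, application, ...)."""
    comp: Dict[str, Any] = {"type": ctype, "name": name, "version": version}
    if purl:
        comp["purl"] = purl
    if sha256:
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256}]
    if props:
        comp["properties"] = [{"name": k, "value": v} for k, v in props.items()]
    return comp


def make_sbom(kind: str, subject: Dict[str, Any], components: List[Dict[str, Any]],
              pipeline_props: Dict[str, str]) -> Dict[str, Any]:
    """Assemble a CycloneDX 1.5 document whose metadata.component is the subject
    (the image for a build SBOM, the cluster for a deploy SBOM). The SBOM kind and
    the CI/CD pipeline details go into metadata.properties under placeholder keys."""
    if kind not in SBOM_KINDS:
        raise ValueError(f"unknown SBOM kind: {kind}")
    props = [{"name": "example:sbom-kind", "value": kind}]          # placeholder key
    props += [{"name": k, "value": v} for k, v in pipeline_props.items()]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": SPEC_VERSION,
        "version": 1,
        "metadata": {"component": subject, "properties": props},
        "components": components,
    }


def _bad_hashes(entry: Dict[str, Any], label: str) -> List[str]:
    """Flag SHA-256 digests that are not 64 lowercase hex characters."""
    return [f"{label} has malformed SHA-256"
            for h in entry.get("hashes", [])
            if h.get("alg") == "SHA-256" and not SHA256_RE.match(h.get("content", ""))]


def check_sbom(doc: Dict[str, Any]) -> List[str]:
    """Pre-upload sanity check. Returns a list of problems; empty means OK."""
    problems: List[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    if doc.get("specVersion") != SPEC_VERSION:
        problems.append(f"specVersion must be {SPEC_VERSION}")
    subject = (doc.get("metadata") or {}).get("component")
    if not subject or not subject.get("name"):
        problems.append("metadata.component (the SBOM subject) is missing")
    else:
        problems += _bad_hashes(subject, "metadata.component")
    seen = set()
    for i, comp in enumerate(doc.get("components", [])):
        for key in ("type", "name", "version"):
            if not comp.get(key):
                problems.append(f"components[{i}] missing {key}")
        ident = (comp.get("name"), comp.get("version"))
        if ident in seen:
            problems.append(f"components[{i}] duplicates {ident}")
        seen.add(ident)
        problems += _bad_hashes(comp, f"components[{i}]")
    return problems


def example_build_sbom() -> Dict[str, Any]:
    """Constructed sample: a build SBOM for one container image (all values made up)."""
    image = make_component("registry.example/shop/api", "1.4.2",
                           ctype="container", sha256="3f" * 32)
    deps = [make_component("express", "4.19.2", purl="pkg:npm/express@4.19.2"),
            make_component("lodash", "4.17.21", purl="pkg:npm/lodash@4.17.21")]
    return make_sbom("build", image, deps,
                     {"example:repo": "https://git.example/shop/api",  # placeholder keys
                      "example:commit": "0123abcd"})


def example_broken_sbom() -> Dict[str, Any]:
    """The same document with a truncated digest and a duplicated component."""
    doc = example_build_sbom()
    doc["components"][0]["hashes"] = [{"alg": "SHA-256", "content": "abc123"}]
    doc["components"].append(dict(doc["components"][1]))
    return doc


if __name__ == "__main__":
    good = example_build_sbom()
    print(json.dumps(good, indent=2))
    print("problems:", check_sbom(good))                    # []
    print("problems (broken):", check_sbom(example_broken_sbom()))
```

Running the check in the pipeline step that produces the file, before the upload step, keeps a malformed or duplicated inventory from ever reaching Concert; the same function can be pointed at an SBOM generated by any other tool, since it only reads the CycloneDX core fields.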

For additional information and resources, refer to the ConcertDef Developer Guide on the Concert GitHub repository.

You can use the Concert toolkit to automatically generate and upload an SBOM file in one of the Concert-defined (ConcertDef) formats.