Using the Concert toolkit

The IBM® Concert toolkit provides a collection of software development tools, utilities, and templates to simplify and automate data generation and upload to Concert.

Overview

Concert provides a comprehensive view of your application landscape based on data ingested from uploaded SBOM files or by integrating with your organization's third-party tools and services. The Concert toolkit simplifies the process for generating, validating, and uploading SBOM files in the supported formats. The toolkit includes a set of utilities that streamline common tasks, such as a script to automate SBOM data ingestion and vulnerability scans through integration with your CI/CD pipeline. Refer to the following folders to access required resources for the Concert toolkit and utilities:

The Concert toolkit is available as a container image in a publicly accessible container registry. The image includes the necessary scripts for interacting with Concert and is designed to function as a standalone container by executing the commands within the container. A container runtime, such as Docker or Podman, is required to run the toolkit container.

You can use the toolkit and utilities to perform the following tasks:
  • Generate a package SBOM in CycloneDX format from code repositories using the cdxgen tool, or container images using the syft tool.
  • Validate package SBOM files using the sbom-utility tool.
  • Generate an application, build, and deploy SBOM files in a custom Concert-defined format.
  • Validate a Concert-defined SBOM file.
  • Generate a certificate inventory file in a custom Concert-defined format.
  • Convert CSV/XLSX files to OSCAL catalog JSON files.
  • Upload SBOM files and vulnerability scans to Concert.
Note: The toolkit provides a basic method to generate CycloneDX SBOM files. For more advanced cases, use cdxgen and syft directly within the container. Ensure that you output the generated files to the /toolkit-data directory to access them on your host machine after exiting the container. See the mount options under List of toolkit utilities.

Downloading the toolkit

The Concert toolkit is available in the publicly accessible IBM Cloud Container Registry (icr.io), and can be downloaded using a container runtime such as Docker or Podman. You can set the TOOLKIT_IMAGE environment variable for later use as well. For example:
export TOOLKIT_IMAGE="icr.io/cpopen/ibm-concert-toolkit:v1.1.0"
docker pull ${TOOLKIT_IMAGE}

Exporting the toolkit prefix command

A container runtime, such as Docker or Podman, is required to run the toolkit container.

If you use the code-scan utility, export the variable HOST_DIR_SRC_CODE. Replace <HOST-DIR-SRC-CODE> in the export command with the path to the source code directory on the host; the container accesses that code at /data/src.
export HOST_DIR_SRC_CODE=<HOST-DIR-SRC-CODE>
To provide the toolkit with its input files and to access the files the toolkit generates, select a directory on the host system to mount inside the container. This is required by all the utilities. Export the variable HOST_DIR_TOOLKIT_DATA with the following command, replacing <HOST-DIR-TOOLKIT-DATA> with any directory on the host machine that you want to use for this purpose. Verify that the directory has read, write, and execute rights (this can be achieved by running chmod 777 ${HOST_DIR_TOOLKIT_DATA}).
export HOST_DIR_TOOLKIT_DATA=<HOST-DIR-TOOLKIT-DATA>
Use the following command to export the toolkit prefix command to an environment variable TOOLKIT_PREFIX_CMD. Use this variable to run subsequent toolkit commands.
export TOOLKIT_PREFIX_CMD="docker run \
  -v ${HOST_DIR_SRC_CODE}:/data/src \
  -v ${HOST_DIR_TOOLKIT_DATA}:/toolkit-data \
  --rm \
  ${TOOLKIT_IMAGE} \
  /bin/bash -c"
  • -v ${HOST_DIR_SRC_CODE}:/data/src mounts the source code directory from the host into the container. This is only necessary for the code-scan utility to scan the source code.
  • -v ${HOST_DIR_TOOLKIT_DATA}:/toolkit-data mounts the host directory named by ${HOST_DIR_TOOLKIT_DATA} at /toolkit-data inside the container. /toolkit-data is the directory the toolkit utilities expect inside the container, so this mount is required for every utility.
  • --rm is used to remove the container after it exits. This is not required, but generally considered a best practice to clean up space.
  • ${TOOLKIT_IMAGE} is the variable containing image name and tag of the toolkit container in the public IBM Cloud Container Registry.
  • /bin/bash -c runs the designated command in the container by using bash. Ensure everything after -c is enclosed in double quotation marks. Refer to Examples.
Note: If you experience permissions-related issues, add the argument -u 0:0 to the export command to run the container as a root user.
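The following shell function is an added example, not part of the IBM Concert toolkit or its documentation: it assembles the prefix command described above after checking the preconditions this section states (the data directory exists and has read, write and execute rights; the source mount is only added when a code directory is given; -u 0:0 is added only on request). The function name build_toolkit_prefix and its arguments are assumptions; it does not invoke the container runtime itself.

```shell
#!/usr/bin/env bash
# Added example (not from the Concert toolkit): build the TOOLKIT_PREFIX_CMD string
# described on this page after validating the host directories it will mount.
#
# Usage: build_toolkit_prefix IMAGE DATA_DIR [SRC_DIR] [root]
#   IMAGE    - toolkit image, e.g. the value of ${TOOLKIT_IMAGE}
#   DATA_DIR - host directory mounted at /toolkit-data (required by every utility)
#   SRC_DIR  - host source directory mounted at /data/src (code-scan only, optional)
#   root     - literal word "root" to add "-u 0:0" for permission problems (optional)
build_toolkit_prefix() {
  local image="$1" data_dir="$2" src_dir="${3:-}" as_root="${4:-}"
  [ -n "$image" ] || { echo "error: toolkit image not set" >&2; return 1; }

  # /toolkit-data must be mounted for all utilities, so the host directory is mandatory
  [ -d "$data_dir" ] || { echo "error: $data_dir is not a directory" >&2; return 1; }
  # the page requires read, write and execute rights on the mounted data directory
  if ! { [ -r "$data_dir" ] && [ -w "$data_dir" ] && [ -x "$data_dir" ]; }; then
    echo "error: $data_dir needs read, write and execute permissions" >&2
    return 1
  fi

  local cmd="docker run --rm"
  # run as root only when explicitly requested (the -u 0:0 workaround above)
  [ "$as_root" = "root" ] && cmd="$cmd -u 0:0"

  # the source mount is only needed by the code-scan utility
  if [ -n "$src_dir" ]; then
    [ -d "$src_dir" ] || { echo "error: $src_dir is not a directory" >&2; return 1; }
    cmd="$cmd -v $src_dir:/data/src"
  fi

  cmd="$cmd -v $data_dir:/toolkit-data $image /bin/bash -c"
  printf '%s\n' "$cmd"
}

# Example use with the variables from this page (uncomment to run):
# TOOLKIT_PREFIX_CMD="$(build_toolkit_prefix "$TOOLKIT_IMAGE" \
#   "$HOST_DIR_TOOLKIT_DATA" "$HOST_DIR_SRC_CODE")" || exit 1
# ${TOOLKIT_PREFIX_CMD} "cp -rL /app/samples /toolkit-data"
```

Because the page's own idiom expands ${TOOLKIT_PREFIX_CMD} unquoted, host paths containing spaces will not survive the word splitting; use paths without spaces.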

Downloading the sample configuration files

The toolkit provides sample configuration files for the Concert utilities. You can use these files for reference if generating your own configuration files.

After exporting the toolkit prefix ${TOOLKIT_PREFIX_CMD} as an environment variable, run the following command to copy the sample configuration files to the TOOLKIT_DIR directory:

${TOOLKIT_PREFIX_CMD} "cp -rL /app/samples /toolkit-data"

The downloaded sample files are available in a sub-directory named samples within the TOOLKIT_DIR directory on the host machine.