Comparing ingested files
The Evidence store contains a historical changelog of ingested data, such as SBOM files, vulnerability scans, and compliance assessments.
Go to .
- Total number of evidence files based on the selected date range.
- Date range by which to filter evidence files.
- Hover over the line chart to view details about the ingested files, which are organized by type.
- Select the data type to filter the results.
- Search and view a list of ingested files.
Note: The Evidence Store does not support viewing or comparing files in the XLS or XLSX formats.
Note: Data that is ingested directly from connected third-party integrations is not included in the Evidence store. Only SBOM files uploaded through the UI or API, or using the toolkit, appear.
Evidence data types | Description |
---|---|
Configuration file | A configuration file (ConfigMap) generated by automatic data ingestion jobs that pull data from third-party tools into Concert. |
Application SBOM | An application SBOM (JSON) file in the Concert-defined (ConcertDef) format. It contains a high-level view of the intended structure of an application, including its components, libraries, and other dependencies. |
Build SBOM | A build SBOM (JSON) file in the Concert-defined (ConcertDef) format. It describes the build process and the dependencies and configurations that are used during the build. |
Deploy SBOM | A deploy SBOM (JSON) file in the Concert-defined (ConcertDef) format. This SBOM type describes the configuration and setup of the application for deployment, including environment variables, network settings, and runtime configurations. |
Package SBOM | A package SBOM (JSON) file in CycloneDX format. This SBOM type contains a manifest of the application packaging and distribution, including the package version and licenses. It also contains third-party libraries and components present in the package. |
Compliance assessment | A compliance scan (JSON) file in OSCAL format. It contains information about the compliance of your applications and environments, along with recommendations for remediation and mitigation strategies. |
Certificate | A ConcertDef SBOM (JSON) or a custom CSV format containing information about your organization's certificates to track expiring certificates and expedite mitigation. |
Image scan | Vulnerability image scan file in CSV, XLS, XLSX, or tool-specific JSON file formats or as a VDR file in CycloneDX format. Refer to the Supported vulnerability scan formats for more information. |
VM scan | Vulnerability virtual machine scan file in CSV, XLS, or XLSX format. Refer to the Supported vulnerability scan formats for more information. |
Code scan | Vulnerability source code scan file in CSV, XLS, XLSX, or tool-specific JSON file formats or as a VDR file in CycloneDX format. Refer to the Supported vulnerability scan formats for more information. |
Static code scan | Non-CVE exposure static code scan (SAST) files in CSV, XLSX, XLS, or tool-specific JSON file formats. Refer to the Supported vulnerability scan formats for more information. |
Dynamic scan | Non-CVE exposure dynamic scan (DAST) files in CSV, XLSX, XLS, or tool-specific JSON file formats. Refer to the Supported vulnerability scan formats for more information. |
Note: Custom data type evidence uploads are not supported in Evidence store access control search.
Select the checkbox next to two of the files in the list, and click Compare to view a side-by-side comparison that shows the changes between the two files.
Alternatively, you can access application-specific evidence from the details page.
- Go to .
- Click the name of the application to view details.
- Click the Overview tab to view a list of SBOM files associated with the selected application.
- Select the check boxes next to two of the files.
- Click Compare to view a line-by-line comparison of differences or changes over time.
Note: Due to a known limitation, comparing files exceeding 1 MB is not supported.
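The following script is an added example and is not part of Concert or its documentation. It shows what a comparison of two ingested SBOM files surfaces when done at the component level rather than line by line: which components were added, which were removed, and which changed version between two CycloneDX JSON documents. It also applies the two input limits stated above (no XLS/XLSX files, and no files over 1 MB) before comparing. The two SBOMs embedded in the script are constructed sample data, and the group/name identity key and the `check_comparable` helper are this example's own choices, not Concert behaviour.

```python
"""Compare two CycloneDX SBOM documents component by component.

Added example, not Concert product code. The SBOMs below are constructed
sample data representing two successive builds of the same application.
"""
import json
import tempfile
from pathlib import Path

MAX_COMPARE_BYTES = 1024 * 1024           # 1 MB comparison limit from the page
UNSUPPORTED_SUFFIXES = {".xls", ".xlsx"}  # formats the store cannot view or compare

# Constructed sample CycloneDX 1.5 SBOMs: an "old" build and a "new" build.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "helmet", "version": "7.1.0",
         "purl": "pkg:npm/helmet@7.1.0"},
    ],
})


def check_comparable(path: Path) -> None:
    """Reject inputs the evidence store would not compare (hypothetical helper)."""
    if path.suffix.lower() in UNSUPPORTED_SUFFIXES:
        raise ValueError(f"{path.name}: XLS/XLSX files cannot be compared")
    if path.stat().st_size > MAX_COMPARE_BYTES:
        raise ValueError(f"{path.name}: exceeds the 1 MB comparison limit")


def component_index(sbom_text: str) -> dict[str, str]:
    """Return {component identity: version} for a CycloneDX JSON document.

    Identity is group/name. The purl embeds the version, so it cannot be the
    key if we want to detect version changes of the same component.
    """
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index: dict[str, str] = {}
    for comp in doc.get("components", []):
        key = f"{comp.get('group', '')}/{comp['name']}".lstrip("/")
        index[key] = comp.get("version", "")
    return index


def diff_sboms(old_text: str, new_text: str) -> dict[str, list]:
    """Classify components as added, removed, or version-changed."""
    old, new = component_index(old_text), component_index(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def compare_files(old_path: Path, new_path: Path) -> dict[str, list]:
    """Apply the input limits, then diff the two SBOM files."""
    for p in (old_path, new_path):
        check_comparable(p)
    return diff_sboms(old_path.read_text(), new_path.read_text())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old_p, new_p = Path(tmp, "build-1.json"), Path(tmp, "build-2.json")
        old_p.write_text(OLD_SBOM)
        new_p.write_text(NEW_SBOM)
        for kind, items in compare_files(old_p, new_p).items():
            print(f"{kind}: {items}")
```

Run on the sample data, the output lists `helmet` as added, `left-pad` as removed, and `lodash` as changed from 4.17.20 to 4.17.21. A component-level diff like this is what you want when triaging a vulnerability scan against two builds: a changed version is the usual reason a finding appears or disappears between the two evidence files.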