Quickstart

Uploading your first SBOM

Welcome to Manifest! As you might have guessed, the first step towards using Manifest is uploading an SBOM.

Manifest makes uploading SBOMs easy through a variety of approaches. The fastest way to get started is to manually upload (or drag and drop) an SBOM on Manifest's Uploads page.

If you don't already have an SBOM, you can Download a Sample SBOM.

To import this SBOM into Manifest:

  1. Go to the Uploads page at the bottom of the left-hand navigation menu.
  2. Drag and drop your CycloneDX or SPDX SBOM in JSON format into the dropzone at the top of the screen.
  3. Once the SBOM has finished processing, it will appear in the table. Click on the name of your uploaded SBOM in the Uploaded table below the drop zone.

☝️ Depending on the size of the SBOM, it may take a minute or two for the upload and scanning to complete.


Viewing an Asset

Now that you've uploaded your first SBOM, it's time to start learning what is in it. Clicking the SBOM's name in the Uploaded table described in the previous step takes you to the Asset details page.

The Asset details page gives you an overview of the content of your SBOM. There are five tabs at the top of the page: Risk Overview, Vulnerabilities, Components, Versions, and About. You can also view any tickets created for the asset, and you can download the asset's raw or modified SBOM and a variety of reports related to the asset.

Risk Overview

The Risk Overview tab shows the asset's overall risk score, determined by the number and type of vulnerabilities and by any problematic licenses associated with the components in the SBOM. Problematic licenses are those with copyleft terms that pose intellectual-property risk for your organization. The tab also lists the ten riskiest components in the asset, highlighting those with vulnerabilities on CISA's KEV list and those we recommend mitigating immediately.


Vulnerabilities

The Vulnerabilities tab shows all of the vulnerabilities matched to the components of the asset. Manifest pulls this information via integrations with the National Vulnerability Database (NVD), Google's Open Source Vulnerability Database (OSV), which itself aggregates 15 separate data sources, CISA's Known Exploited Vulnerabilities (KEV) catalog, and exploitability context from FIRST.org's Exploit Prediction Scoring System (EPSS). In this view, you can also see whether colleagues have already triaged these vulnerabilities and what their current status is.


Components

The Components tab lists every component (dependency, open-source library, etc.) present in the asset, with the key data for each: name, version, and the license information recorded for it in the SBOM.


Versions

Manifest stores each new version of the asset and displays them in the Versions tab. Users can mark versions of the asset that are no longer active as inactive, which is reflected in the version list. Clicking the name of an asset version takes you to the asset view of that version. This view also lets you see vulnerability trends across each version of the asset.
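Before uploading, it is worth checking locally that a file really is a CycloneDX or SPDX JSON document and seeing what Manifest will extract from it: the per-component name, version and license data shown on the Components tab, the copyleft licenses the Risk Overview flags, and the component changes between two versions that the Versions tab tracks. The script below is an added example, not Manifest's own code or a description of how the platform parses SBOMs. The two sample SBOMs are constructed for this example, the copyleft prefix list is an assumption rather than Manifest's license policy, and the version comparison is keyed by component name, which is a simplification.

```python
# Added example: local pre-upload check for a CycloneDX or SPDX JSON SBOM.
# Not Manifest's code. The sample SBOMs are constructed, and the copyleft
# prefix list is an assumption, not the platform's license policy.
import json

# Assumed license-id prefixes treated as copyleft for this example.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-", "MPL-", "EPL-", "CDDL-", "SSPL-", "EUPL-")

CDX_SAMPLE = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "readline", "version": "8.1",
     "licenses": [{"expression": "GPL-3.0-or-later"}]}
  ]
}"""

SPDX_SAMPLE = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app-1.1",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.1",
     "licenseConcluded": "NOASSERTION"},
    {"SPDXID": "SPDXRef-log4j", "name": "log4j-core", "versionInfo": "2.17.1",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"SPDXID": "SPDXRef-readline", "name": "readline", "versionInfo": "8.1",
     "licenseConcluded": "GPL-3.0-or-later"},
    {"SPDXID": "SPDXRef-lodash", "name": "lodash", "versionInfo": "4.17.21",
     "licenseConcluded": "MIT"}
  ],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
     "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"}]
}"""

def detect_format(doc):
    """Return 'cyclonedx' or 'spdx' from the document's own format markers, else raise."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")

def load_sbom(text):
    """Parse JSON and reject anything that is not one of the two supported formats."""
    doc = json.loads(text)
    detect_format(doc)
    return doc

def _cdx_licenses(comp):
    # CycloneDX allows either a license object (id or name) or an SPDX expression per entry.
    ids = [e.get("license", {}).get("id") or e.get("license", {}).get("name") or e.get("expression")
           for e in comp.get("licenses", [])]
    return [i for i in ids if i]

def _spdx_licenses(pkg):
    lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared")
    return [] if lic in (None, "NOASSERTION", "NONE") else [lic]

def components(doc):
    """Name, version, purl and licenses for every component, in document order."""
    if detect_format(doc) == "cyclonedx":
        return [{"name": c.get("name"), "version": c.get("version"),
                 "purl": c.get("purl"), "licenses": _cdx_licenses(c)}
                for c in doc.get("components", [])]
    # SPDX: skip the package the document DESCRIBES (the asset itself), keep its dependencies.
    roots = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
             if r.get("relationshipType") == "DESCRIBES"}
    out = []
    for p in doc.get("packages", []):
        if p.get("SPDXID") in roots:
            continue
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append({"name": p.get("name"), "version": p.get("versionInfo"),
                    "purl": purl, "licenses": _spdx_licenses(p)})
    return out

def is_copyleft(expr):
    """True if any license id in the expression carries a copyleft prefix.
    Caveat: a dual license such as 'MIT OR GPL-2.0-only' is flagged too, so treat hits as 'review', not 'block'."""
    return any(tok.startswith(COPYLEFT_PREFIXES) for tok in expr.replace("(", " ").replace(")", " ").split())

def copyleft_components(doc):
    return [c["name"] for c in components(doc) if any(is_copyleft(l) for l in c["licenses"])]

def diff_versions(old_doc, new_doc):
    """Compare two versions of the same asset by component name (simplification: ignores purl)."""
    old = {c["name"]: c["version"] for c in components(old_doc)}
    new = {c["name"]: c["version"] for c in components(new_doc)}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted((n, old[n], new[n]) for n in set(old) & set(new) if old[n] != new[n])}

CDX_DOC = load_sbom(CDX_SAMPLE)    # treated as version 1.0 of the asset
SPDX_DOC = load_sbom(SPDX_SAMPLE)  # treated as version 1.1 of the same asset

if __name__ == "__main__":
    for c in components(CDX_DOC):
        print(c)
    print("copyleft:", copyleft_components(CDX_DOC))
    print("diff:", diff_versions(CDX_DOC, SPDX_DOC))
```

Run it against your own file by replacing the embedded samples with `load_sbom(open(path).read())`; a `ValueError` from `load_sbom` means the file is not a CycloneDX or SPDX JSON document and the Uploads page will not be able to process it. The copyleft check intentionally errs toward flagging, since a license expression that merely mentions a copyleft id still deserves a look before the asset ships.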


About

The About tab displays any other information about the asset and the SBOM associated with it. In this view you can also download either the original or the modified SBOM.



Learning about Vulnerabilities

You can view more detailed information about a vulnerability by clicking its name in the Vulnerabilities tab.

Clicking the name will take you to the Vulnerabilities page entry for that vulnerability. This view shows you the extent of that vulnerability's impact across your entire organization, not only for the original asset.

In this view you can see the vulnerability's name from NVD and its aliases from other datasources. It also provides key information like the severity score, exploitability context, presence on the KEV list, dates it was published and first-seen in your organization, and a description of the nature of the vulnerability. You will also see the assets impacted by the vulnerability within your organization, products impacted, and the specific components affected by the vulnerability. Other data, like fix information, is included if it's available from the vulnerability datasource. You can also download reports summarizing the impact of the vulnerability and create or view tickets created by your organization related to the vulnerability.