Enriching SBOMs
SBOM quality varies significantly across generators, and many SBOMs lack important metadata needed for accurate vulnerability matching and risk assessment. The Manifest Platform automatically enriches SBOMs at upload time, pulling data from multiple sources to add missing identifiers and metadata.
During enrichment, the platform:
- Generates missing package URLs (PURLs) and Common Platform Enumerations (CPEs) by detecting component ecosystems
- Fixes existing inaccurate package identifiers
- Adds and normalizes metadata including licenses, descriptions, supplier information, supplier locations, version control system (VCS) URLs, hashes, release dates, and end-of-life and end-of-support status
- Expands vulnerability identification support for Nix-based packages
Accurate PURLs and CPEs are the foundation of precise vulnerability matching. Supplier attribution helps distinguish similarly named packages, validate provenance, and route remediation to the right owner or vendor. License data supports compliance, policy enforcement, and third-party risk decisions. Together, these improvements reduce false positives and help avoid false negatives, which reduces triage effort for security teams.
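The following script is an added illustration of the kind of transformation described above; it is not the Manifest Platform's own enrichment code, and the lookup tables, sample SBOM and field names in it are constructed for the example. It takes a minimal CycloneDX-style document in which one component lacks a PURL, one carries an inaccurate PURL (Maven group missing) and one has a free-text license, detects each component's ecosystem from the evidence available, generates or repairs the PURL, maps the license name to an SPDX identifier, and leaves the original untouched so it can be kept alongside the enriched copy. It also produces the sort of summary of added fields that the platform reports after enrichment, including the components it could not resolve.

```python
import copy
import json
import re
from urllib.parse import quote, urlparse

# Constructed sample input (not a real Manifest Platform SBOM): a minimal
# CycloneDX-style document with defects that enrichment should repair.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "properties": [{"name": "ecosystem", "value": "npm"}]},       # no purl
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"name": "apache 2.0"}}],            # free-text license
         "externalReferences": [{"type": "distribution",
                                 "url": "https://pypi.org/project/requests/"}]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/log4j-core@2.17.1"},                       # inaccurate: group dropped
        {"type": "library", "name": "mystery", "version": "1.0"},      # no ecosystem evidence
    ],
}

# Hypothetical lookup tables standing in for the platform's data sources.
HOST_TO_ECOSYSTEM = {
    "pypi.org": "pypi", "www.npmjs.com": "npm", "registry.npmjs.org": "npm",
    "rubygems.org": "gem", "repo1.maven.org": "maven",
}
LICENSE_ALIASES = {  # free-text license names -> SPDX identifiers
    "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0",
    "mit license": "MIT", "mit": "MIT",
}
# Coarse syntactic check for the purl grammar: pkg:type/name[@version][?q][#sub]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+(@[^?#]+)?(\?[^#]*)?(#.*)?$")


def detect_ecosystem(comp):
    """Return the purl type for a component, or None if there is no evidence."""
    for prop in comp.get("properties", []):
        if prop.get("name") == "ecosystem":
            return prop["value"].lower()
    for ref in comp.get("externalReferences", []):
        host = urlparse(ref.get("url", "")).hostname or ""
        if host in HOST_TO_ECOSYSTEM:
            return HOST_TO_ECOSYSTEM[host]
    if "group" in comp and "." in comp["group"]:  # Maven-style coordinates
        return "maven"
    return None


def build_purl(ecosystem, comp):
    """Build pkg:type/namespace/name@version; namespace, name and version are
    percent-encoded, and an npm scope (@scope/name) becomes the namespace."""
    name = comp["name"]
    namespace = comp.get("group")
    if ecosystem == "npm" and name.startswith("@") and "/" in name:
        namespace, name = name.split("/", 1)
    parts = [ecosystem]
    if namespace:
        parts.append(quote(namespace, safe=""))
    parts.append(quote(name, safe=""))
    purl = "pkg:" + "/".join(parts)
    if comp.get("version"):
        purl += "@" + quote(comp["version"], safe="")
    if not PURL_RE.match(purl):
        raise ValueError("generated an invalid purl: " + purl)
    return purl


def normalize_license(comp):
    """Replace free-text license names with SPDX ids; True if anything changed."""
    changed = False
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if "id" not in lic and "name" in lic:
            spdx = LICENSE_ALIASES.get(lic["name"].strip().lower())
            if spdx:
                entry["license"] = {"id": spdx}
                changed = True
    return changed


def enrich(sbom):
    """Return (enriched_copy, summary). The input is not modified, so the
    original SBOM can be kept alongside the enriched one."""
    enriched = copy.deepcopy(sbom)
    summary = {"purls_added": 0, "purls_fixed": 0,
               "licenses_normalized": 0, "unresolved": []}
    for comp in enriched.get("components", []):
        eco = detect_ecosystem(comp)
        if eco is None:
            if not comp.get("purl"):          # nothing to match on: flag for review
                summary["unresolved"].append(comp["name"])
        else:
            purl = build_purl(eco, comp)
            if "purl" not in comp:
                comp["purl"] = purl
                summary["purls_added"] += 1
            elif comp["purl"] != purl:        # existing identifier disagrees with evidence
                comp["purl"] = purl
                summary["purls_fixed"] += 1
        if normalize_license(comp):
            summary["licenses_normalized"] += 1
    return enriched, summary


if __name__ == "__main__":
    enriched_sbom, report = enrich(SAMPLE_SBOM)
    print(json.dumps(report, indent=2))
    for c in enriched_sbom["components"]:
        print(c["name"], "->", c.get("purl"))
```

The unresolved list is the part worth reading first after any enrichment run: a component with no PURL is invisible to vulnerability matching, so it is a potential false negative rather than merely missing metadata.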
Supported upload methods
Enrichment applies to SBOMs uploaded via:
- The Manifest Platform UI (manual upload)
- The GitHub App
- Binary Scans
- Import OSS
Note: Enrichment does not apply to OSSRA uploads.
Enrich an SBOM during upload
SBOMs are enriched during upload. When you upload an SBOM manually, an upload settings pop-up appears. Check Enrich SBOMs to apply enrichment to that upload.
Enable enrichment by default
To automatically enrich all SBOMs on upload:
- Go to Settings, then select the Upload Settings tab.
- Set Enrich SBOMs by default to On.
What to expect
After enrichment completes, the platform displays a summary of what was added to your SBOM. Enriched fields include:
- PURLs
- CPEs
- Authors
- Licenses
- End-of-support status
- Level of support
- Descriptions
- Supplier locations
These improvements enable more precise vulnerability matching and support policy enforcement across your software inventory.
Click any asset after enrichment to see the data that was added.
Note the following after enrichment:
- A note appears on the About tab of the Asset details page confirming the SBOM was enriched.
- A new copy of the enriched SBOM is saved in the platform alongside the original. To download the original, go to the Asset, click the About tab, scroll to the bottom left, and click Download Original SBOM.