Product and Vulnerability Sharing
The Manifest Platform lets you export and import software bill of materials (SBOM) and vulnerability disclosure report (VDR) documents at the product level. Unlike asset-scoped exports, product-level exports preserve the full hierarchy of your product, including sub-products and underlying assets, so the structure and relationships remain intact when shared or re-imported.
This is useful for sharing security posture with customers, auditors, and regulators, and for exchanging structured product inventories across organizations or tools.
VEX vs. VDR: A vulnerability exploitability exchange (VEX) document describes all assets affected by a single vulnerability along with their respective VEX statuses from CISA's minimum guidance, in either CSAF or OpenVEX format. A VDR describes all vulnerabilities and their triage statuses impacting a single asset. Both document types accompany an SBOM to give recipients accurate, actionable risk context.
Prerequisites
- You must have a product configured in the platform with at least one associated asset or sub-product.
- To import, you must have the appropriate role-based access control (RBAC) permissions for import actions.
- Import SBOM formats: CycloneDX. Note: Product imports require Manifest-generated product files, identifiable by the .mfst.cdx.json file name extension.
- Export SBOM formats: CycloneDX (Version 1.6) and SPDX (Version 2.3)
- VDR documents must use Manifest's .mfst.vdr.json format. VDR import is only supported for files exported from Manifest. Generic .json files and older Manifest-generated exports are not compatible.
Download a product SBOM
Export a single SBOM that covers your entire product, including all sub-products and assets, with hierarchy preserved.
Step-by-step
- Navigate to the product you want to export.
- In the Download menu on the product page, select the SBOM tile.
- Choose your preferred format: CycloneDX or SPDX.
- The file downloads to your machine.
What to expect
The exported SBOM includes a root Product node that references all child sub-products and assets. Each node carries a stable identifier so the file can be re-imported without ambiguity. Software components and packages are included for each asset.
If a product has no inventory (no SBOM data or structure), the export will fail with a clear error message and next steps. Make sure your product has at least one asset with an associated SBOM before exporting.
Note: For this release, exports include original SBOMs, not enriched data. Product labels are not included in the export.
Download a vulnerability report (VDR)
Export a point-in-time vulnerability report for your product. The report aggregates all known vulnerabilities across the product, its sub-products, and assets, and includes current triage status, severity, and relevant context.
Step-by-step
- Navigate to the product you want to export.
- In the Download area on the product page, select the VDR tile.
- The file downloads as a Manifest-formatted JSON document whose file name ends in .mfst.vdr.json.
What to expect
The exported VDR reflects the full product hierarchy (Product → Sub-products → Assets), with stable IDs and parent/child references. Each vulnerability entry references at least one component or asset ID present in the export.
If vulnerabilities exist but cannot be mapped to a node in the hierarchy, the export includes an unmappedFindings section so nothing is silently dropped.
The export includes provenance metadata such as generatedAt and source organization.
Import a product SBOM
Upload an SBOM to create a new product or overwrite an existing one. The platform parses the file, validates its structure, and builds a multi-level product hierarchy from the imported data.
Step-by-step
- Go to the Uploads page.
- Select the Products tab. (Tabs available: Products, SBOMs, Binary, VEX, VDR.)
- Click Upload and select your SBOM file. The file should be the Manifest-generated .mfst.cdx.json file (CycloneDX), which is produced when you export a product SBOM from Manifest.
- A heads-up that an existing product may be overwritten will appear during upload, even if no conflicts exist.
- Review any validation errors returned. Fix schema or field-level issues and re-upload if needed.
- Confirm and submit to begin ingestion.
What to expect
- You will receive a toast notification confirming that the import has started and that a completion email will be sent when processing finishes.
- On completion, you receive an email notification with the outcome.
- If the import fails, you will receive an email notification with details.
- The Products tab in your uploads history shows the import record, including Name, Version, Format, Uploaded By, and Upload Date. Individual assets uploaded as part of the product import are not shown as separate rows.
- The platform creates a multi-level structure: Product → sub-products → components/assets, preserving identifiers and dependency relationships.
- Re-importing is handled consistently: the platform manages duplication based on stable node IDs.
- All import actions are logged with user, timestamp, product, and outcome for audit purposes.
Size limits apply. To maintain platform performance, limits are placed on the number of assets per product and total file size. If your product exceeds these limits, the import will return an error. Contact your account team if you need guidance on large imports.
Import a VDR document
Upload a VDR document to update vulnerability triage dispositions for an existing product and its assets. The platform matches VDR entries to known components and vulnerabilities using stable identifiers.
Step-by-step
- Go to the Uploads page.
- Select the VDR tab.
- Click Upload and select your VDR JSON file. The uploaded VDR is linked to an existing product.
- Confirm and submit.
What to expect
- The platform matches VDR entries to existing components and vulnerabilities using identifiers such as component IDs, CPEs, PURLs, and CVEs.
- Matched vulnerabilities are updated with triage disposition (affected, not affected, fixed), justification, and timestamps where provided.
- When a vulnerability disposition is updated through the import, it is marked as triaged in the CVE Triage side panel on the asset view. The link to the Vulnerability Report is found on the asset's Vulnerability Report tab.
- Unmatched entries (components or vulnerabilities not found in the system) are flagged in the import results.
- The import fails only if the assets themselves do not match. If no matching product is found in the metadata, the platform still applies any relevant triage statuses to vulnerabilities on the matching assets.
VDR priority and precedence
The platform uses a precedence model to protect existing analyst work:
- If the VDR contains a meaningful status (Affected, Not Affected, Fixed) for a vulnerability, it overwrites the existing status.
- If the VDR lists a vulnerability as Not Triaged, the import treats this as a no-op and preserves any existing meaningful status. This means a vendor VDR cannot accidentally erase triage decisions your team has already made.
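The matching and precedence behaviour described in the two sections above, as an added example that is not Manifest's own code: it applies a batch of VDR entries to a locally held triage table, overwriting only on meaningful statuses, treating Not Triaged as a no-op, and collecting entries whose asset or vulnerability has no local match. The entry shape, field names and sample data are constructed assumptions, not the real .mfst.vdr.json schema.

```python
from typing import Dict, List, Tuple

# Statuses that overwrite an existing disposition; anything else is a no-op.
MEANINGFUL = {"affected", "not_affected", "fixed"}

Key = Tuple[str, str]  # (asset_id, vulnerability_id)

# Constructed sample of the platform's existing triage state (hypothetical shape).
EXISTING: Dict[Key, dict] = {
    ("asset-1", "CVE-2024-0001"): {"status": "not_affected", "justification": "code_not_reachable"},
    ("asset-1", "CVE-2024-0002"): {"status": "not_triaged", "justification": None},
    ("asset-2", "CVE-2024-0003"): {"status": "affected", "justification": None},
}

# Constructed VDR entries as a vendor might ship them (hypothetical shape).
VDR_ENTRIES: List[dict] = [
    {"asset_id": "asset-1", "vuln_id": "CVE-2024-0001", "status": "Not Triaged"},      # must not erase analyst work
    {"asset_id": "asset-1", "vuln_id": "CVE-2024-0002", "status": "Fixed",
     "justification": "patched upstream", "timestamp": "2024-06-01T00:00:00Z"},         # overwrites
    {"asset_id": "asset-9", "vuln_id": "CVE-2024-0003", "status": "Affected"},         # asset unknown locally
]

def normalize(status: str) -> str:
    """Map 'Not Affected' / 'not-affected' style spellings to a canonical token."""
    return status.strip().lower().replace(" ", "_").replace("-", "_")

def apply_vdr(existing: Dict[Key, dict], entries: List[dict]):
    """Return (new_triage, updated, skipped, unmatched) without mutating `existing`."""
    triage = {k: dict(v) for k, v in existing.items()}
    updated: List[Key] = []    # meaningful status applied
    skipped: List[Key] = []    # Not Triaged in the VDR: existing disposition preserved
    unmatched: List[Key] = []  # no local asset/vulnerability with these identifiers
    for entry in entries:
        key = (entry["asset_id"], entry["vuln_id"])
        if key not in triage:
            unmatched.append(key)
            continue
        status = normalize(entry.get("status", "not_triaged"))
        if status not in MEANINGFUL:
            skipped.append(key)
            continue
        triage[key] = {
            "status": status,
            "justification": entry.get("justification"),
            "triaged_at": entry.get("timestamp"),
        }
        updated.append(key)
    return triage, updated, skipped, unmatched
```

Entries in `unmatched` correspond to the "unmatched entries" flagged in the import results; a run of them usually means the SBOM for that asset has not been imported yet or its identifiers differ from those in the VDR.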
View uploaded vulnerability reports
All imported VDR files for a product are accessible from the product page.
- Navigate to the product.
- Select the Vulnerability Reports tab.
- From this view, you can see all previously imported files and download any of them.
Troubleshooting
- Export fails with an inventory error. The product has no associated assets or SBOM data. Add at least one asset with an SBOM before attempting to export.
- Import returns validation errors. The uploaded file has schema or field-level issues. Review the errors returned by the platform, correct the file, and re-upload.
- VDR import shows unmatched entries. One or more components or vulnerabilities in the VDR file do not match records in the platform. Check that the SBOM was imported first and that component identifiers (CPEs, PURLs, CVEs) align between the SBOM and VDR.
- Import fails with a size limit error. The product inventory exceeds the platform's current asset or file size limits. Contact your account team for guidance.