Getting Started: TPRM & C-SCRM

Uploading your first SBOM

Welcome to Manifest! As you might have guessed, the first step towards using Manifest is uploading an SBOM.

Manifest makes uploading SBOMs easy through a variety of approaches. The fastest way to get started is to manually upload (or drag-and-drop) an SBOM on Manifest's Uploads page.

If you don't already have an SBOM, you can Download a Sample SBOM.

To import this SBOM into Manifest:

  1. Go to the Uploads page at the bottom of the left-hand navigation menu.
  2. Drag and drop your CycloneDX or SPDX SBOM in JSON format into the dropzone at the top of the screen.
  3. Once the SBOM has finished processing, it will appear in the table. Click on the name of your uploaded SBOM in the Uploaded table below the drop zone.

Depending on the size of the SBOM, it may take a minute or two for the upload and scanning to complete.


Viewing an Asset

Now that you've uploaded your first SBOM, it's time to start learning what is in it. Click on the SBOM's name in the Uploaded table described in the previous step to open the Asset Details page.

The Asset Details page gives you an overview of the content of your SBOM. There are six tabs at the top of the Asset Details page: Risk Overview, Vulnerabilities, Components, AI Models, Versions, and About. You can also view any tickets created in relation to the asset, and you can download the asset's raw or modified SBOM and a variety of reports related to the asset.

Risk Overview

The Risk Overview tab gives you the information you'd expect. It shows the overall risk score, determined by the number and type of vulnerabilities as well as any problematic licenses associated with the components of the SBOM. Problematic licenses are defined as those with copyleft implications that pose intellectual property risks for your organization. The Risk Overview tab also shows you the top ten riskiest components present within the asset, with particular emphasis on those on CISA's KEV list and those we recommend mitigating immediately.


Vulnerabilities

The Vulnerabilities tab shows you all of the vulnerabilities matched to the components of the asset. Manifest pulls this information via integrations with the National Vulnerability Database (NVD); Google's Open Source Vulnerability Database (OSV), which is itself an aggregation of 15 separate data sources; CISA's Known Exploited Vulnerabilities (KEV) catalog; and exploitability context from FIRST.org's Exploit Prediction Scoring System (EPSS). In this view, you can also see whether colleagues have already triaged these vulnerabilities, reflecting their current status.


Components

The Components tab lists every component (i.e. dependency, open-source library, etc.) present within a given asset. For each component you will see the key data: name, version, and license information as recorded in the SBOM.
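To make the Components and Risk Overview data concrete, here is an added example (not Manifest's own code) that pulls name, version and license out of both CycloneDX and SPDX JSON SBOMs, the two formats the Uploads page accepts, and flags the copyleft licenses the Risk Overview treats as problematic. The sample SBOMs and the list of copyleft license prefixes are constructed assumptions for this example.

```python
import json

# Constructed sample SBOMs for this example (not Manifest output): one CycloneDX, one SPDX.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "leftpad", "version": "1.3.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    ],
})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.2", "licenseConcluded": "Apache-2.0"},
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-2.0-only"},
    ],
})

# License families treated as copyleft: an assumption for this example, not Manifest's policy.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-", "MPL-", "EPL-")

def _cyclonedx_license(component: dict) -> str:
    """CycloneDX 'licenses' entries are either {"license": {id|name}} or {"expression": ...}."""
    parts = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        parts.append(lic.get("id") or lic.get("name") or entry.get("expression", ""))
    return ", ".join(p for p in parts if p) or "NOASSERTION"

def parse_components(sbom_json: str) -> list:
    """Return [{name, version, license}] from a CycloneDX or SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version"),
                 "license": _cyclonedx_license(c)} for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [{"name": p.get("name"), "version": p.get("versionInfo"),
                 "license": p.get("licenseConcluded") or p.get("licenseDeclared") or "NOASSERTION"}
                for p in doc.get("packages", [])]
    raise ValueError("unrecognised SBOM: expected CycloneDX or SPDX JSON")

def flag_copyleft(components: list) -> list:
    """Components whose license starts with a copyleft family prefix."""
    return [c for c in components if c["license"].startswith(COPYLEFT_PREFIXES)]
```

Real SBOMs also carry package URLs (purl) and CPEs, which is what vulnerability matching keys on; the licence fields shown here are the ones the Components tab surfaces.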


AI Models

The AI Models tab shows all the AI models that are shipping with or part of a given asset, such as an application. For each model, you will see the model name, version, supplier, licenses, and date created. If you have purchased the AI Risk Product from Manifest, you can click on the model and view the full risk analysis of the AI Model according to the risk policy that you have defined.


Versions

Manifest stores each new version of the asset and displays them in the Versions tab. Users can mark versions of the asset that are no longer active as inactive, which is reflected in the version list. Clicking on the name of an asset version takes you to the asset view of that version. This view also allows you to see vulnerability trends across each version of the asset.


About

The About tab displays any other information about the asset and the SBOM associated with it. In this view you can also download either the original or the modified SBOM.



Learning about Vulnerabilities

You can view more detailed information about a vulnerability by clicking its name in the Vulnerabilities tab.

Clicking the name will take you to the Vulnerabilities page entry for that vulnerability. This view shows you the extent of that vulnerability's impact across your entire organization, not only for the original asset.

In this view you can see the vulnerability's name from NVD and its aliases from other data sources. It also provides key information such as the severity score, exploitability context, presence on the KEV list, the dates it was published and first seen in your organization, and a description of the nature of the vulnerability. You will also see the assets and products impacted by the vulnerability within your organization, and the specific components affected. Other data, such as fix information, is included if it is available from the vulnerability data source. You can also download reports summarizing the impact of the vulnerability and create or view tickets your organization has raised for it.


Interpreting Binary Analysis Results

When a vendor cannot supply an SBOM directly, Binary Analysis generates one from a compiled executable, giving you TPRM coverage even for software delivered without source-level transparency. Once your binary has finished processing, the results appear in the same Asset view used for standard SBOM uploads.

Risk Overview

The Risk Overview tab provides a high-level summary of the asset's security posture, including an overall risk score based on vulnerability severity and license exposure, the top ten riskiest components, and any items flagged for immediate remediation. Special attention is given to components present on CISA's Known Exploited Vulnerabilities (KEV) list.

Vulnerabilities

The Vulnerabilities tab lists all vulnerabilities matched to the binary's detected components. Manifest aggregates data from NVD, OSV, CISA KEV, and EPSS to surface exploitability context alongside severity scores. When reviewing results, pay attention to:

  • Severity Score: CVSS-based score indicating potential impact
  • KEV Presence: Vulnerabilities on CISA's KEV catalog require prioritized remediation
  • EPSS Score: The probability of exploitation in the wild within the next 30 days
  • Triage Status: Reflects any actions your team has already taken, such as marking a vulnerability as accepted, resolved, or not applicable
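One way to turn these four fields into an ordered remediation queue, as an added example that is not Manifest's own prioritization logic: KEV presence outranks EPSS, which outranks CVSS severity, and matches already triaged as accepted, resolved or not applicable drop out of the queue. The sample matches, their placeholder IDs, the thresholds and the triage-state names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VulnMatch:
    vuln_id: str
    component: str
    cvss: float           # CVSS base score, 0-10 (severity)
    in_kev: bool          # present in CISA's KEV catalog
    epss: float           # EPSS probability of exploitation within 30 days, 0-1
    triage: str = "open"  # open | accepted | resolved | not_applicable

# Triage states that take a match out of the remediation queue (assumed state names).
CLOSED_STATES = {"accepted", "resolved", "not_applicable"}

# Constructed sample matches; IDs and component names are placeholders, not real vulnerabilities.
SAMPLE_MATCHES = [
    VulnMatch("EXAMPLE-0001", "libalpha", 9.8, False, 0.02),
    VulnMatch("EXAMPLE-0002", "libbeta", 7.5, True, 0.45),
    VulnMatch("EXAMPLE-0003", "libgamma", 5.3, False, 0.91),
    VulnMatch("EXAMPLE-0004", "libdelta", 9.1, True, 0.70, triage="resolved"),
    VulnMatch("EXAMPLE-0005", "libalpha", 4.0, False, 0.01, triage="accepted"),
]

def tier(m: VulnMatch, epss_threshold: float = 0.5, cvss_threshold: float = 7.0) -> str:
    """KEV or likely-exploited first, then high severity, then everything else."""
    if m.in_kev or m.epss >= epss_threshold:
        return "immediate"
    if m.cvss >= cvss_threshold:
        return "scheduled"
    return "backlog"

def prioritize(matches):
    """Open matches ordered for remediation: KEV first, then EPSS, then CVSS (all descending)."""
    open_matches = [m for m in matches if m.triage not in CLOSED_STATES]
    return sorted(open_matches, key=lambda m: (not m.in_kev, -m.epss, -m.cvss))

def remediation_queue(matches):
    """Map tier name -> ordered vulnerability IDs, ignoring matches triaged as closed."""
    queue = {"immediate": [], "scheduled": [], "backlog": []}
    for m in prioritize(matches):
        queue[tier(m)].append(m.vuln_id)
    return queue

if __name__ == "__main__":
    for name, ids in remediation_queue(SAMPLE_MATCHES).items():
        print(f"{name}: {ids}")
```

Note that a high-CVSS match with no KEV entry and a low EPSS score lands behind a medium-severity one that EPSS rates as likely to be exploited, which is the point of layering exploitability context over severity.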

Components

The Components tab enumerates every dependency or open-source library identified within the binary. For each component, you will see the name, version, and associated license. Review this list to identify components with copyleft licenses that may introduce intellectual property obligations.

Note: Binary Analysis results are best used as a fallback when original vendor SBOMs are unavailable. Where possible, request SBOMs directly from vendors for the most comprehensive and accurate results. For steps on importing a binary, see Importing Binaries.