The Manifest Object Model
At Manifest, we model software using a three-tier object structure that reflects how software is built, packaged, and deployed. Our model consists of Products, Assets, and Components, each representing a different layer of the software supply chain.
Object Hierarchy
📦 Products → 📁 Assets → 🔗 Components
Products
A Product represents a fully deployed software package—what an organization ships to customers or runs internally. Each Product is made up of multiple Assets that contribute to its functionality. Products can be:
- A web application
- A mobile app
- A physical device (e.g., a car, a point-of-sale system)
- An enterprise software suite
Assets
An Asset represents an intermediary collection of software—the building blocks that organizations maintain and deploy. These can include:
- Source code repositories
- Container images
- Packaged distributions (e.g., Debian packages, RPMs)
Assets are built from multiple Components, which contain the underlying dependencies.
Components
A Component is a specific software dependency within an asset. These include:
- Open-source libraries (e.g., a JavaScript package, a Python library)
- Proprietary libraries (internally developed dependencies)
A single Component can exist in multiple Assets and, by extension, in multiple Products.
Why This Model?
This hierarchy allows Manifest to track vulnerabilities at every level, ensuring that risks are identified:
- At the component level, where vulnerabilities originate
- At the asset level, where development teams package software
- At the product level, where vulnerabilities can have real-world impact on customers
By structuring data this way, Manifest enables organizations to assess risk holistically—prioritizing fixes where they matter most.
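The roll-up this hierarchy makes possible, sketched as an added example; it is not Manifest's code, API or data schema. The inventory, the finding id and all function names are constructed for illustration. It traces one vulnerable Component up to every Asset and Product that contains it, and flags Assets that ship in no Product.

```python
from collections import defaultdict

# Constructed sample inventory; all names and the finding id are hypothetical.
PRODUCTS = {  # product -> assets it ships
    "storefront-web": ["web-frontend-repo", "api-container-image"],
    "pos-terminal": ["pos-firmware-deb", "api-container-image"],
}
ASSETS = {  # asset -> components (name@version) it is built from
    "web-frontend-repo": ["ui-kit@4.2.1"],
    "api-container-image": ["libexample@2.3.0", "internal-auth@0.9.0"],
    "pos-firmware-deb": ["libexample@2.3.0"],
    "legacy-tools-repo": ["libexample@2.3.0"],  # not part of any product
}
FINDINGS = {"libexample@2.3.0": ["EXAMPLE-VULN-0001"]}  # component -> finding ids


def reverse_index(products, assets):
    """Invert both edges so a component can be traced upward."""
    comp_to_assets, asset_to_products = defaultdict(set), defaultdict(set)
    for asset, comps in assets.items():
        for comp in comps:
            comp_to_assets[comp].add(asset)
    for product, asset_names in products.items():
        for asset in asset_names:
            asset_to_products[asset].add(product)
    return comp_to_assets, asset_to_products


def blast_radius(component, products=PRODUCTS, assets=ASSETS):
    """Assets and products reached by one component, plus unshipped assets."""
    comp_to_assets, asset_to_products = reverse_index(products, assets)
    hit = sorted(comp_to_assets.get(component, ()))
    return {
        "assets": hit,
        "products": sorted({p for a in hit for p in asset_to_products.get(a, ())}),
        "unshipped_assets": [a for a in hit if not asset_to_products.get(a)],
    }


def product_rollup(findings=FINDINGS, products=PRODUCTS, assets=ASSETS):
    """Per product: finding id -> assets through which it arrives."""
    report = {}
    for product, asset_names in products.items():
        paths = defaultdict(list)
        for asset in asset_names:
            for comp in assets.get(asset, ()):
                for finding in findings.get(comp, ()):
                    paths[finding].append(asset)
        report[product] = dict(paths)
    return report
```

The `unshipped_assets` list separates findings that exist only at the asset level from those that reach a product, which is the distinction the three levels above draw.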