Uploading SBOMs and VEX Documents
This ability is limited to team members with Admin and/or Member roles.
Manifest offers multiple ways to upload existing SBOMs or VEX documents in the app.
Upload Requirements
Users can upload two kinds of files, SBOMs and VEX documents, in the following formats:
File | Format | File Types |
---|---|---|
SBOM | CycloneDX (Versions 1.x or later) | .json, .xml |
SBOM | SPDX (Versions 2.x or later) | .json, .xml, .spdx, .spdxtv, .tv |
VEX Document | CSAF or OpenVEX | .json |
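A local pre-upload check against the table above, as an added example (not Manifest's code or its server-side validation). It assumes the standard identifying fields of each format (`bomFormat`/`specVersion`, `spdxVersion`, `document.csaf_version`, an OpenVEX `@context`); `precheck` and `detect_json_kind` are hypothetical names, and XML and tag-value files are checked by extension only.

```python
import json
from pathlib import Path

# Values taken from the Upload Requirements table.
ALLOWED_EXT = {".json", ".xml", ".spdx", ".spdxtv", ".tv"}
MIN_MAJOR = {"CycloneDX": 1, "SPDX": 2}  # CSAF and OpenVEX have no minimum listed

def detect_json_kind(doc):
    """Return (kind, version) for a parsed JSON document, or (None, None)."""
    if not isinstance(doc, dict):
        return None, None
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    spdx = doc.get("spdxVersion")
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return "SPDX", spdx[len("SPDX-"):]
    meta = doc.get("document")
    if isinstance(meta, dict) and "csaf_version" in meta:
        return "CSAF", str(meta["csaf_version"])
    if "openvex" in str(doc.get("@context", "")):
        return "OpenVEX", ""
    return None, None

def precheck(filename, text):
    """Return a list of problems; an empty list means the file looks uploadable."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        return [f"unsupported file type {ext!r}"]
    if ext != ".json":
        return []  # XML and tag-value content is not inspected in this example
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    kind, version = detect_json_kind(doc)
    if kind is None:
        return ["JSON is not CycloneDX, SPDX, CSAF or OpenVEX"]
    major, need = version.split(".")[0], MIN_MAJOR.get(kind)
    if need is not None and (not major.isdigit() or int(major) < need):
        return [f"{kind} version {version!r} is below the required {need}.x"]
    return []

# Constructed sample input, not a real SBOM.
SAMPLE_CYCLONEDX = '{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}'

if __name__ == "__main__":
    print(precheck("app.cdx.json", SAMPLE_CYCLONEDX))
    print(precheck("legacy.json", '{"spdxVersion": "SPDX-1.2"}'))
```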
Manually Uploading an SBOM or VEX Document
- In the left navigation bar, go to Uploads.
- Drag an SBOM or VEX document into the “drop zone” at the top of the screen, or click Click to Upload.
- A panel will open with additional upload options. Here you can specify whether the SBOM should be Active/Inactive, 1st/3rd Party, and whether you want to Enrich the SBOM with more metadata.
- Click Upload to start uploading the SBOM.
Depending on the size of the SBOM, it may take a minute or two for the upload and scanning to complete.
While SBOMs are being processed, they appear in the Pending Uploads tab. Once an SBOM has successfully completed processing, it will appear in the Successful tab.
SBOMs that fail to be processed or are in the wrong format can be found in the Failed tab. If uploading an SBOM repeatedly fails, please contact Manifest for additional support.
Uploading an SBOM with the API
For more information on how to upload SBOMs or VEX documents with our API, check out our official API Documentation.
Uploading SBOMs with the Manifest CLI
Use the publish command from the Manifest CLI to publish SBOMs to the Manifest platform. Read more about the CLI here: Using the CLI.