Vulnerabilities Overview
Overview
One of the foundational analyses that Manifest performs on SBOMs is a robust and curated vulnerability scan. Identifying vulnerabilities can help your team make internal products more secure (for first-party code), or help your third-party risk management (TPRM) teams identify weaknesses in vendor products.
Vulnerability Matching
At a high level, Manifest extracts, cleans, and heals Common Platform Enumeration (CPE) identifiers and Package URLs (purls) from SBOMs, and cross-references those identifiers against NIST's National Vulnerability Database (NVD) as well as Google's Open Source Vulnerability database (OSV), which is itself an aggregation of over a dozen different vulnerability sources.
Manifest also deduplicates vulnerabilities, hides vulnerabilities marked as deprecated or rejected, and performs other cleanup and checks to help reduce noise for end users.
Feel free to reach out to Manifest support for more information about how we do vulnerability matching.
Vulnerability Enrichment
When dealing with security vulnerabilities, it’s crucial to focus on the ones that pose the greatest risk while not wasting time on those unlikely to be exploited. Manifest enriches vulnerabilities with several best-in-breed sources of data:
CISA's Known Exploited Vulnerabilities (KEV) Catalog
Maintained by the Cybersecurity & Infrastructure Security Agency (CISA), the KEV catalog lists vulnerabilities that have been actively exploited in the wild, as confirmed by the US Government. Since these vulnerabilities are already being used in attacks, they should be treated as high-priority for remediation.
FIRST's Exploit Prediction Scoring System (EPSS)
Developed by the Forum of Incident Response and Security Teams (FIRST), EPSS assigns each vulnerability a probability score estimating how likely it is to be exploited within the next 30 days, based on factors such as the vendor who made the software, the level of access required to exploit the vulnerability, whether an exploit exists in the wild, etc. This predictive model helps organizations prioritize the vulnerabilities most likely to be exploited, reducing unnecessary patching effort on low-risk issues.
Why These Matter
By leveraging both KEV and EPSS, security teams can focus on what matters most:
- KEV ensures that already exploited vulnerabilities are patched immediately.
- EPSS helps predict which unexploited vulnerabilities are most likely to become threats.
This approach allows security teams to remediate high-risk vulnerabilities efficiently while avoiding wasted effort on less critical issues.
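The pipeline sketched in Vulnerability Matching (deduplicate components, hide rejected or deprecated records) and the KEV-then-EPSS ranking from Why These Matter, as one added example. This is hypothetical helper code, not Manifest's implementation; the purls, the CVE-0000-* identifiers, the KEV membership and the EPSS values are constructed placeholders, and the tier threshold of 0.1 is an assumed policy choice.

```python
"""Dedupe SBOM findings, hide rejected records, rank by CISA KEV then FIRST EPSS (hypothetical helper)."""
from collections import defaultdict

# Constructed CycloneDX-style component list; the repeated purl mimics a merged SBOM.
SBOM_COMPONENTS = [
    {"purl": "pkg:npm/example-lib@1.2.3"},
    {"purl": "pkg:npm/example-lib@1.2.3"},
    {"purl": "pkg:pypi/example-tool@0.9.0"},
]
# Constructed matcher output: purl -> [(vulnerability id, record state)]. CVE-0000-* are placeholders.
MATCHES = {
    "pkg:npm/example-lib@1.2.3": [("CVE-0000-0001", "published"), ("CVE-0000-0002", "rejected")],
    "pkg:pypi/example-tool@0.9.0": [("CVE-0000-0003", "published"), ("CVE-0000-0001", "published")],
}
KEV = {"CVE-0000-0003"}  # placeholder KEV catalogue membership
EPSS = {"CVE-0000-0001": 0.42, "CVE-0000-0002": 0.05, "CVE-0000-0003": 0.01}  # placeholder 30-day probabilities
HIDDEN_STATES = {"rejected", "deprecated"}

def unique_purls(components):
    """Collapse duplicate component entries, keeping first-seen order."""
    return list(dict.fromkeys(c["purl"] for c in components if c.get("purl")))

def match_vulns(purls, matches):
    """Map each vulnerability id to the set of purls it affects, dropping rejected/deprecated records."""
    by_vuln = defaultdict(set)
    for purl in purls:
        for vuln_id, state in matches.get(purl, []):
            if state not in HIDDEN_STATES:
                by_vuln[vuln_id].add(purl)
    return dict(by_vuln)

def prioritise(by_vuln, kev, epss, epss_threshold=0.1):
    """Tier 0 = in KEV, 1 = EPSS >= threshold (assumed 0.1), 2 = rest; higher EPSS first within a tier."""
    ranked = []
    for vuln_id, purls in by_vuln.items():
        score = epss.get(vuln_id, 0.0)
        tier = 0 if vuln_id in kev else (1 if score >= epss_threshold else 2)
        ranked.append((vuln_id, tier, score, sorted(purls)))
    return sorted(ranked, key=lambda r: (r[1], -r[2], r[0]))

def triage(components=SBOM_COMPONENTS, matches=MATCHES, kev=KEV, epss=EPSS):
    """End to end: dedupe components, match, hide noise, rank."""
    return prioritise(match_vulns(unique_purls(components), matches), kev, epss)

if __name__ == "__main__":
    for vuln_id, tier, score, purls in triage():
        print(f"tier {tier}  {vuln_id}  epss={score:.2f}  {', '.join(purls)}")
```

Note that the KEV entry outranks the higher-EPSS finding even though its EPSS score is tiny, and that the rejected record never reaches the ranked list.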