Manifest tool boosts SBOMs for critical C & C++ code
Manifest has launched a software bill of materials (SBOM) generator for unmanaged C and C++ code, giving organisations a new way to create and enrich SBOMs for software used in embedded and other low-level environments.
The release targets a persistent supply chain security challenge in products built with C and C++. These languages underpin a wide range of operational technology and safety-critical systems, including vehicles, medical devices, defence systems and industrial equipment. Many of these environments rely on long-running toolchains and bespoke build processes, making consistent component inventories and SBOM production difficult.
An SBOM is a structured, machine-readable inventory of the software components that make up an application or device, typically expressed in the SPDX or CycloneDX formats with a name, version and package identifier for each entry. Governments and regulators have increased their focus on SBOMs as a mechanism for software transparency, vulnerability management and supplier accountability. In practice, SBOM adoption has been stronger in ecosystems with modern package managers and standardised build metadata, where the lock file or manifest already names every dependency. C and C++ projects often vendor sources, link static libraries and rely on bespoke build scripts, so they require more manual effort and provide fewer consistent signals about what actually ended up in the compiled artefact.
Manifest's generator targets unmanaged C and C++ projects that sit close to operating systems, firmware, device drivers and other low-level code. It generates SBOMs and enriches them with additional detail for inventory and scanning workflows.
Binary coverage
A core part of the update is binary analysis for cases where a software supplier does not provide an SBOM. The analysis inspects compiled artefacts to identify libraries and other components that may be present. Identification of this kind is inherently heuristic: it depends on signals such as embedded version banners, exported symbols and code patterns, which can be stripped, statically inlined or altered by the build, so findings should carry a confidence level and be reviewed before they drive compliance decisions. The approach has become more relevant as large manufacturers and regulated sectors push for supplier transparency and faster responses to vulnerability disclosures.
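To make the two ideas above concrete, the SBOM structure and the string-based binary identification, here is an added illustration that is not Manifest's code or method: it extracts printable strings from a compiled artefact the way the `strings` utility does, matches them against a small, assumed set of library version banners, and emits a minimal CycloneDX 1.5 document in which each component records `binary-analysis` as its evidence technique with a confidence value. The `SIGNATURES` table, the `pkg:generic` purls and `SAMPLE_BINARY` are all constructed for the example.

```python
"""Heuristic binary-to-SBOM example (added illustration, not Manifest's tool).
Extract printable strings from a compiled artefact, match library version
banners, and emit a minimal CycloneDX 1.5 JSON document."""
import json
import re
import uuid

# Assumed banner patterns for a few common C libraries. Each pattern captures
# the version. Real signature sets are far larger and include code patterns,
# because banners can be stripped or changed by a custom build.
SIGNATURES = {
    "zlib":    (re.compile(r"\b(?:deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright"),
                "pkg:generic/zlib@{v}"),
    "openssl": (re.compile(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
                "pkg:generic/openssl@{v}"),
    "curl":    (re.compile(r"\blibcurl/(\d+\.\d+\.\d+)\b"),
                "pkg:generic/curl@{v}"),
    "sqlite":  (re.compile(r"\bSQLite version (\d+\.\d+\.\d+)"),
                "pkg:generic/sqlite@{v}"),
}

# Constructed sample "binary": an ELF-like prefix, non-printable filler and the
# banners that zlib, OpenSSL and libcurl embed in .rodata.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 32
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b"\x90" * 16
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"
    + b"libcurl/7.68.0\x00"
    + b"\xde\xad\xbe\xef" * 8
)


def printable_strings(blob: bytes, min_len: int = 6):
    """Yield runs of at least min_len printable ASCII bytes, like `strings`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def identify_components(blob: bytes):
    """Return {library: {versions}} for every banner found in the blob.
    Two versions of one library (e.g. a vendored copy plus a system copy)
    are both kept; that conflict is for a reviewer, not the heuristic."""
    found = {}
    for s in printable_strings(blob):
        for name, (pattern, _) in SIGNATURES.items():
            m = pattern.search(s)
            if m:
                found.setdefault(name, set()).add(m.group(1))
    return found


def to_cyclonedx(artifact_name: str, found: dict) -> dict:
    """Build a CycloneDX 1.5 BOM; evidence marks each hit as a binary-analysis
    result with a moderate confidence so consumers do not treat it as ground truth."""
    components = []
    for name in sorted(found):
        for version in sorted(found[name]):
            purl = SIGNATURES[name][1].format(v=version)
            components.append({
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl,
                "evidence": {"identity": {
                    "field": "purl",
                    "confidence": 0.6,
                    "methods": [{"technique": "binary-analysis", "confidence": 0.6}],
                }},
            })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "firmware", "name": artifact_name}},
        "components": components,
    }


def build_sbom(artifact_name: str, blob: bytes) -> dict:
    return to_cyclonedx(artifact_name, identify_components(blob))


if __name__ == "__main__":
    print(json.dumps(build_sbom("device-firmware.bin", SAMPLE_BINARY), indent=2))
```

Run as a script it prints a three-component BOM for the constructed image. The confidence field matters more than it looks: a banner only proves that a copy of the library's source was compiled in at some point, not that the version string was kept in sync with backported patches, so downstream vulnerability matching on these entries should be treated as a lead to confirm rather than a verdict.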
In regulated industries, SBOMs can be part of procurement requirements and product documentation. Medical device makers, for example, face demands for detailed information about software components. Many organisations also use SBOMs for internal governance, including risk review, patching priorities and incident response.
Manifest described C and C++ as a "blind spot" where organisations often lack dependable visibility into what they ship. That gap can become more acute when vulnerabilities emerge in foundational libraries used across many products, or when suppliers provide limited information about their dependencies.
Additional features
Manifest also released several adjacent features alongside the C and C++ generator. These include end-of-life and end-of-support coverage for devices, which tracks when components or platforms stop receiving updates or vendor support. The update also adds vulnerability reachability analysis, aimed at confirming whether a vulnerable component is actually accessible within an application's execution paths, information that can affect remediation urgency: a vulnerable function that is linked in but never called is a lower priority than one on the path from an entry point.
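The reachability idea can be shown with a static call-graph walk. The following is an added example, not Manifest's implementation: it takes a hand-constructed caller-to-callee graph for a hypothetical firmware image, searches from the program entry point for each symbol flagged as vulnerable, and returns a witness call chain when one exists, so that findings can be split into "reachable, patch now" and "not reachable by static analysis". The graph, the entry point and the vulnerable symbol names are all assumptions made for the example.

```python
"""Static call-graph reachability example (added illustration, not Manifest's code).
Answers: can execution starting at an entry point reach a vulnerable symbol?"""
from collections import deque

# Constructed call graph: function -> set of functions it calls.
# Library symbols (inflate, SSL_CTX_new, sqlite3_exec, curl_*) stand in for
# what a linker-level or IR-level analysis would resolve in a real image.
CALL_GRAPH = {
    "main":              {"parse_config", "start_server"},
    "parse_config":      {"inflate", "strlcpy"},
    "start_server":      {"SSL_CTX_new", "handle_request"},
    "handle_request":    {"sqlite3_exec", "strlcpy"},
    "inflate":           set(),
    "SSL_CTX_new":       set(),
    "sqlite3_exec":      set(),
    "strlcpy":           set(),
    "curl_easy_perform": {"Curl_http"},   # linked in, but nothing calls it
    "Curl_http":         set(),
}

# Hypothetical advisories: symbol -> short label. No real advisory IDs are used.
VULNERABLE_SYMBOLS = {
    "inflate":           "zlib advisory (hypothetical)",
    "sqlite3_exec":      "sqlite advisory (hypothetical)",
    "curl_easy_perform": "curl advisory (hypothetical)",
}


def find_path(graph: dict, entry: str, target: str):
    """Breadth-first search; returns the call chain entry -> ... -> target,
    or None when target is not reachable from entry."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, ()):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def reachability_report(graph: dict, entries, vulnerable: dict) -> dict:
    """Map each vulnerable symbol to a witness path from some entry, or None."""
    report = {}
    for symbol in vulnerable:
        report[symbol] = None
        for entry in entries:
            path = find_path(graph, entry, symbol)
            if path:
                report[symbol] = path
                break
    return report


def prioritise(report: dict):
    """Split into (reachable, not-statically-reachable), each sorted by symbol."""
    reachable = sorted(s for s, p in report.items() if p)
    unreached = sorted(s for s, p in report.items() if not p)
    return reachable, unreached


if __name__ == "__main__":
    rep = reachability_report(CALL_GRAPH, ["main"], VULNERABLE_SYMBOLS)
    hot, cold = prioritise(rep)
    for s in hot:
        print(f"REACHABLE   {s}: {' -> '.join(rep[s])}  [{VULNERABLE_SYMBOLS[s]}]")
    for s in cold:
        print(f"UNREACHABLE {s} (static)  [{VULNERABLE_SYMBOLS[s]}]")
```

The "unreachable" bucket lowers priority but is not a clean bill of health: a static graph misses calls through function pointers, vtables, signal handlers, `dlopen`-loaded modules and interrupt vectors, all common in the embedded code this page is about. A practitioner would treat a statically unreachable finding as "defer and confirm", and would re-run the analysis whenever the binary is rebuilt.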
The company added automated vulnerability mapping for Nix packages. Nix is a package manager and build system used by some developer and infrastructure teams, particularly where reproducible builds are a priority.
The broader update introduces supplier risk analysis that ranks vendors based on assessed risk. In supply chain programmes, organisations often struggle to prioritise remediation work across hundreds or thousands of third-party software relationships. Risk ranking is intended to help focus attention on the suppliers and components most likely to create operational exposure.
AI supply chain
Manifest also reiterated its focus on AI supply chain transparency, citing continuous AI model scanning with daily assessments of open-weight models from Hugging Face and scans of custom models. The aim is an up-to-date view of model risk across an organisation's deployments.
AI governance has become a parallel concern to software dependency management as enterprises adopt third-party models and integrate them into products and operations. Risk management can include provenance, known vulnerabilities, associated software dependencies and legal exposure, especially where model weights and training sources affect usage rights and compliance.
Manifest markets its platform across product security, AI risk and supplier risk, targeting regulated sectors such as defence, healthcare and automotive.
CEO Daniel Bardenstein described the release as a response to the persistence of C and C++ in critical infrastructure environments.
"Despite the push to use memory-safe languages, C/C++ still underpin critical infrastructure across our society. While organizations have been able to generate and consume SBOMs for other more modern languages, the gap for those developing in C/C++ has remained a critical blind spot for many critical software suppliers, particularly when facing compliance and regulation. Manifest can now safely and reliably close that gap, with the combination of our new C/C++ SBOM generator and binary analysis capabilities, and enhance security posture with our EOL/EOS enrichment for those projects," said Daniel Bardenstein, CEO, Manifest.
The C and C++ SBOM generator is part of a wider set of improvements aimed at deeper component visibility, stronger vulnerability prioritisation and clearer supplier-level risk signals across software and AI supply chains.