Appendix A: Glossary

  • Chain of custody - Auditable documentation of point of origin as well as the method of transfer from point of origin to point of destination and the identity of the transfer agent.
  • Component function - The purpose for which a software component exists. Examples of component functions include parsers, database persistence, and authentication providers.
  • Component type - The general classification of a software components architecture. Examples of component types include libraries, frameworks, applications, containers, and operating systems.
  • CycloneDX - A software bill of materials specification designed to be lightweight and security-focused.
  • Direct dependency - A software component that is referenced by a program itself.
  • Package manager - A distribution mechanism that makes software artifacts discoverable by requesters.
  • Package URL (PURL) - An ecosystem-agnostic specification which standardizes the syntax and location information of software components.
  • Pedigree - Data which describes the lineage and/or process for which software has been created or altered.
  • Point of origin - The supplier and associated metadata from which a software component has been procured, transmitted, or received. Package repositories, release distribution platforms, and version control history are examples of various points of origin.
  • Procurement – The process of agreeing to terms and acquiring software or services for later use.
  • Provenance - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.
  • Software bill of materials (SBOM) – A complete, formally structured, and machine-readable inventory of all software components and associated metadata, used by or delivered with a given piece of software.
  • Software Identification (SWID) - An ISO standard that formalizes how software is tagged.
  • Software Package Data Exchange (SPDX) - A Linux Foundation project which produces a software bill of materials specification and a standardized list of open source licenses.
  • Third-party component – Any software component not directly created including open source, "source available", and commercial or proprietary software.
  • Transitive dependency - A software component that is indirectly used by a program by means of being a dependency of a dependency.