# Appendix A: Glossary

* **Chain of custody** - Auditable documentation of point of origin as well as the method of transfer from point of origin to point of destination and the identity of the transfer agent.
* **Component function** - The purpose for which a software component exists. Examples of component functions include parsers, database persistence, and authentication providers.
* **Component type** - The general classification of a software component's architecture. Examples of component types include libraries, frameworks, applications, containers, and operating systems.
* **CycloneDX** - A software bill of materials specification designed to be lightweight and security-focused.
* **Direct dependency** - A software component that is referenced by a program itself.
* **Package manager** - A distribution mechanism that makes software artifacts discoverable by requesters.
* **Package URL (PURL)** - An ecosystem-agnostic specification which standardizes the syntax and location information of software components.
* **Pedigree** - Data which describes the lineage and/or the process by which software has been created or altered.
* **Point of origin** - The supplier and associated metadata from which a software component has been procured, transmitted, or received. Package repositories, release distribution platforms, and version control history are examples of various points of origin.
* **Procurement** - The process of agreeing to terms and acquiring software or services for later use.
* **Provenance** - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.
* **Software bill of materials (SBOM)** - A complete, formally structured, and machine-readable inventory of all software components and associated metadata, used by or delivered with a given piece of software.
* **Software Identification (SWID)** - An ISO standard that formalizes how software is tagged.
* **Software Package Data Exchange (SPDX)** - A Linux Foundation project which produces a software bill of materials specification and a standardized list of open source licenses.
* **Third-party component** - Any software component not directly created, including open source, "source available", and commercial or proprietary software.
* **Transitive dependency** - A software component that is indirectly used by a program by means of being a dependency of a dependency.
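The following Python script is an added illustration of two of the entries above, the Package URL (PURL) syntax and the direct versus transitive dependency distinction; it is not code from the OWASP SCVS project. `parse_purl` follows the public purl specification's layout (`pkg:type/namespace/name@version?qualifiers#subpath`, percent-encoded segments, qualifier keys lowercased, PyPI names normalised); `classify_dependencies` walks a dependency graph keyed by purl strings and reports which components a root references itself and which it only reaches through another dependency. The `SAMPLE_GRAPH` inventory and all package names in it are constructed for the example.

```python
"""Parse Package URLs (purl) and separate direct from transitive dependencies.

Added example for the glossary, not OWASP SCVS project code.  Parsing rules
follow the public purl spec; SAMPLE_GRAPH is a constructed inventory.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: tuple          # sorted (key, value) pairs, so instances stay hashable
    subpath: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Split a purl string into its components in the order the spec prescribes."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    remainder = purl[len("pkg:"):].lstrip("/")   # 'pkg://' is tolerated by the spec

    # 1. subpath: everything after the first '#'; '.' and '..' segments are dropped
    subpath = None
    if "#" in remainder:
        remainder, raw = remainder.split("#", 1)
        parts = [unquote(p) for p in raw.strip("/").split("/") if p not in ("", ".", "..")]
        subpath = "/".join(parts) or None

    # 2. qualifiers: key=value pairs after the first '?', keys lowercased,
    #    empty values discarded, duplicate keys rejected
    qualifiers = {}
    if "?" in remainder:
        remainder, raw = remainder.split("?", 1)
        for pair in raw.split("&"):
            if "=" not in pair:
                raise ValueError(f"malformed qualifier {pair!r} in {purl!r}")
            key, value = pair.split("=", 1)
            key = key.lower()
            if not value:
                continue
            if key in qualifiers:
                raise ValueError(f"duplicate qualifier key {key!r} in {purl!r}")
            qualifiers[key] = unquote(value)

    # 3. version: split once from the RIGHT on '@'.  A scoped npm name encodes
    #    its own '@' as %40, so it is never mistaken for the version separator.
    version = None
    if "@" in remainder:
        remainder, raw = remainder.rsplit("@", 1)
        version = unquote(raw) or None

    # 4. type / namespace / name: first segment is the type, last is the name,
    #    anything in between is the namespace
    if "/" not in remainder:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype, rest = remainder.split("/", 1)
    ptype = ptype.lower()
    segments = [s for s in rest.strip("/").split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"missing type or name in {purl!r}")
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None

    # Type-specific rule from the spec: PyPI names are case-insensitive and
    # treat '_' and '-' as the same character.
    if ptype == "pypi":
        name = name.lower().replace("_", "-")

    return PackageURL(ptype, namespace, name, version,
                      tuple(sorted(qualifiers.items())), subpath)


def is_valid_purl(purl: str) -> bool:
    """True when the string parses as a purl; used to vet inventory input."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


def classify_dependencies(graph: dict, root: str):
    """Return (direct, transitive) sets of purl strings for ``root``.

    ``graph`` maps a purl to the purls it depends on.  A component the root
    references itself is direct, even if it is also reached indirectly; a
    component reached only through another dependency is transitive.
    """
    for parent, children in graph.items():
        for p in (parent, *children):
            parse_purl(p)                 # malformed purls fail loudly up front
    direct = set(graph.get(root, ()))
    reachable, stack = set(), list(direct)
    while stack:                          # iterative DFS; tolerates cycles
        node = stack.pop()
        if node in reachable:
            continue
        reachable.add(node)
        stack.extend(graph.get(node, ()))
    return direct, reachable - direct


# Constructed sample inventory (fictional packages, not a real project).
SAMPLE_GRAPH = {
    "pkg:maven/com.example/shop@2.0.0": [
        "pkg:maven/org.example.logging/log-core@1.4.0",
        "pkg:npm/%40example/widgets@3.1.0",
    ],
    "pkg:maven/org.example.logging/log-core@1.4.0": [
        "pkg:maven/org.example.logging/log-api@1.4.0",
    ],
    "pkg:npm/%40example/widgets@3.1.0": [
        "pkg:npm/tiny-util@0.9.2",
        "pkg:maven/org.example.logging/log-api@1.4.0",   # shared transitive dependency
    ],
}

if __name__ == "__main__":
    direct, transitive = classify_dependencies(SAMPLE_GRAPH, "pkg:maven/com.example/shop@2.0.0")
    for label, purls in (("direct", direct), ("transitive", transitive)):
        for p in sorted(purls):
            c = parse_purl(p)
            print(f"{label:10} {c.type:6} {c.namespace or '-':22} {c.name} {c.version}")
```

Run it as-is to see the sample inventory split into its two direct and two transitive components; the shared `log-api` component stays transitive because nothing in the root's own list references it. Parsing every purl before walking the graph is deliberate: an SBOM consumer that silently accepts a malformed identifier cannot later match it against advisories or a point of origin.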
