Chain of custody - Auditable documentation of point of origin as well as the method of transfer from point of origin to point of destination and the identity of the transfer agent.
Component function - The purpose for which a software component exists. Examples of component functions include parsers, database persistence, and authentication providers.
Component type - The general classification of a software components architecture. Examples of component types include libraries, frameworks, applications, containers, and operating systems.
CycloneDX - A software bill of materials specification designed to be lightweight and security-focused.
Direct dependency - A software component that is referenced by a program itself.
Package manager - A distribution mechanism that makes software artifacts discoverable by requesters.
Package URL (PURL) - An ecosystem-agnostic specification which standardizes the syntax and location information of software components.
Pedigree - Data which describes the lineage and/or process for which software has been created or altered.
Point of origin - The supplier and associated metadata from which a software component has been procured, transmitted, or received. Package repositories, release distribution platforms, and version control history are examples of various points of origin.
Procurement – The process of agreeing to terms and acquiring software or services for later use.
Provenance - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.
Software bill of materials (SBOM) – A complete, formally structured, and machine-readable inventory of all software components and associated metadata, used by or delivered with a given piece of software.
Software Identification (SWID) - An ISO standard that formalizes how software is tagged.
Software Package Data Exchange (SPDX) - A Linux Foundation project which produces a software bill of materials specification and a standardized list of open source licenses.
Third-party component – Any software component not directly created including open source, "source available", and commercial or proprietary software.
Transitive dependency - A software component that is indirectly used by a program by means of being a dependency of a dependency.