Appendix A: Glossary

  • Chain of custody - Auditable documentation of point of origin as well as the method of transfer from point of origin to point of destination and the identity of the transfer agent.

  • Component function - The purpose for which a software component exists. Examples of component functions include parsers, database persistence, and authentication providers.

  • Component type - The general classification of a software components architecture. Examples of component types include libraries, frameworks, applications, containers, and operating systems.

  • CycloneDX - A software bill of materials specification designed to be lightweight and security-focused.

  • Direct dependency - A software component that is referenced by a program itself.

  • Package manager - A distribution mechanism that makes software artifacts discoverable by requesters.

  • Package URL (PURL) - An ecosystem-agnostic specification which standardizes the syntax and location information of software components.

  • Pedigree - Data which describes the lineage and/or process for which software has been created or altered.

  • Point of origin - The supplier and associated metadata from which a software component has been procured, transmitted, or received. Package repositories, release distribution platforms, and version control history are examples of various points of origin.

  • Procurement – The process of agreeing to terms and acquiring software or services for later use.

  • Provenance - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.

  • Software bill of materials (SBOM) – A complete, formally structured, and machine-readable inventory of all software components and associated metadata, used by or delivered with a given piece of software.

  • Software Identification (SWID) - An ISO standard that formalizes how software is tagged.

  • Software Package Data Exchange (SPDX) - A Linux Foundation project which produces a software bill of materials specification and a standardized list of open source licenses.

  • Third-party component – Any software component not directly created including open source, "source available", and commercial or proprietary software.

  • Transitive dependency - A software component that is indirectly used by a program by means of being a dependency of a dependency.