# Appendix A: Glossary

* **Chain of custody** - Auditable documentation of point of origin as well as the method of transfer from point of origin to point of destination and the identity of the transfer agent.
* **Component function** - The purpose for which a software component exists. Examples of component functions include parsers, database persistence, and authentication providers.
* **Component type** - The general classification of a software component's architecture. Examples of component types include libraries, frameworks, applications, containers, and operating systems.
* **CycloneDX** - A software bill of materials specification designed to be lightweight and security-focused.
* **Direct dependency** - A software component that a program references directly, for example because it is declared in the program's own manifest or build file, as opposed to a transitive dependency.
* **Package manager** - A tool, typically paired with a package repository or registry, that makes software artifacts discoverable by requesters and resolves, retrieves, and installs them along with their dependencies.
* **Package URL (PURL)** - An ecosystem-agnostic specification which standardizes the syntax used to identify and locate a software package across package managers, in the form `pkg:type/namespace/name@version?qualifiers#subpath` (for example, `pkg:npm/lodash@4.17.21`).
* **Pedigree** - Data which describes the lineage of a software component and/or the process by which it was created or altered, such as the ancestors, variants, commits, or patches that produced it.
* **Point of origin** - The supplier and associated metadata from which a software component has been procured, transmitted, or received. Package repositories, release distribution platforms, and version control history are examples of various points of origin.
* **Procurement** – The process of agreeing to terms and acquiring software or services for later use.
* **Provenance** - The chain of custody and origin of a software component. Provenance incorporates the point of origin through distribution as well as derivatives in the case of software that has been modified.
* **Software bill of materials (SBOM)** – A complete, formally structured, and machine-readable inventory of all software components and associated metadata, used by or delivered with a given piece of software.
* **Software Identification (SWID)** - An ISO/IEC standard (ISO/IEC 19770-2) that formalizes how installed software is tagged and identified.
* **Software Package Data Exchange (SPDX)** - A Linux Foundation project which produces a software bill of materials specification (standardized as ISO/IEC 5962:2021) and a standardized list of open source licenses.
* **Third-party component** – Any software component not created by the organization itself, including open source, "source available", and commercial or proprietary software.
* **Transitive dependency** - A software component that is indirectly used by a program by means of being a dependency of a dependency.
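As an added illustration of the Package URL, direct dependency, and transitive dependency entries above (example code written for this glossary; it is not part of the original page or of the CycloneDX project), the following Python splits a PURL into its parts following the purl-spec grammar and walks the `dependencies` graph of a CycloneDX JSON document to separate direct from transitive dependencies. The BOM, its component names, and the PURLs in it are constructed sample data.

```python
from __future__ import annotations

import json
from urllib.parse import unquote

# Constructed minimal CycloneDX JSON BOM used as sample input (not a real project).
# The root component lives under metadata.component; "dependencies" is the edge list.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "app",
                             "bom-ref": "pkg:npm/app@1.0.0"}},
  "components": [
    {"type": "library", "name": "web", "version": "2.0.0",
     "purl": "pkg:npm/web@2.0.0", "bom-ref": "pkg:npm/web@2.0.0"},
    {"type": "library", "name": "parser", "version": "1.2.3",
     "purl": "pkg:npm/%40scope/parser@1.2.3", "bom-ref": "pkg:npm/%40scope/parser@1.2.3"},
    {"type": "library", "name": "util", "version": "0.9.0",
     "purl": "pkg:npm/util@0.9.0", "bom-ref": "pkg:npm/util@0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/web@2.0.0"]},
    {"ref": "pkg:npm/web@2.0.0", "dependsOn": ["pkg:npm/%40scope/parser@1.2.3"]},
    {"ref": "pkg:npm/%40scope/parser@1.2.3", "dependsOn": ["pkg:npm/util@0.9.0"]},
    {"ref": "pkg:npm/util@0.9.0", "dependsOn": []}
  ]
}
""")


def parse_purl(purl: str) -> dict:
    """Split a Package URL into its parts: pkg:type/namespace/name@version?qualifiers#subpath.

    Subpath and qualifiers are peeled off first, then the version after the last '@'
    (an '@' inside a namespace or name must be percent-encoded, so the last one is safe),
    and the remaining path gives type / namespace / name.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: " + purl)
    remainder = purl[len("pkg:"):].lstrip("/")          # 'pkg://' is tolerated by the spec
    remainder, _, subpath = remainder.partition("#")
    remainder, _, qualifiers = remainder.partition("?")
    path, sep, version = remainder.rpartition("@")
    if not sep:                                          # no version present
        path, version = remainder, ""
    segments = path.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError("a PURL needs at least a type and a name: " + purl)
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),                     # type is case-insensitive, canonical lowercase
        "namespace": "/".join(unquote(s) for s in segments[1:-1]),
        "name": unquote(segments[-1]),
        "version": unquote(version),
        "qualifiers": quals,
        "subpath": unquote(subpath),
    }


def classify_dependencies(bom: dict) -> tuple[set[str], set[str]]:
    """Return (direct, transitive) bom-refs relative to the BOM's root component.

    Direct dependencies are the root's own dependsOn entries; transitive ones are
    everything else reachable through the dependency graph. Each node is visited
    once, so cycles in the graph do not loop forever.
    """
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    reachable: set[str] = set()
    stack = list(direct)
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(edges.get(ref, []))
    return direct, reachable - direct


def undeclared_refs(bom: dict) -> set[str]:
    """bom-refs that appear in dependency edges but have no matching entry in 'components'.

    A consumer should treat any hit as an incomplete inventory rather than silently
    assuming the missing component is harmless.
    """
    declared = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    declared.add(bom["metadata"]["component"]["bom-ref"])
    referenced = set()
    for d in bom.get("dependencies", []):
        referenced.add(d["ref"])
        referenced.update(d.get("dependsOn", []))
    return referenced - declared


if __name__ == "__main__":
    direct, transitive = classify_dependencies(SAMPLE_BOM)
    print("direct:", sorted(direct))
    print("transitive:", sorted(transitive))
    print("undeclared:", sorted(undeclared_refs(SAMPLE_BOM)))
    for ref in sorted(direct | transitive):
        print(ref, "->", parse_purl(ref))
```

On the sample BOM, `web` is the only direct dependency; `parser` and `util` are transitive because the root reaches them only through `web`. The `undeclared_refs` check is the one a practitioner wants before trusting the inventory: a `dependsOn` entry with no declared component means the SBOM describes an edge to something it never enumerates.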
