Skip to main content

Reference: Glossary

Term

Definition

ABF

Advanced Binary Fingerprinting. With ABF scanning, we examine binary fingerprints (similar to a truncated sha1 hash) of all the files and not just the file names and manifests. ABF is highly accurate because it examines everything included in the application after the build, including any embedded dependencies. This means that an ABF scan will never return false positives in its report. Sonatype data is tied to the component fingerprints of any files where the vulnerability is discovered. When a vulnerability is reported it is because the component fingerprint is in your application.

ALP

The Advanced Legal Pack (ALP) is an add-on to Sonatype Lifecycle that helps legal teams streamline open-source software (OSS) license compliance, mitigate license risk, and expedite feedback with development teams.

A-name

Authoritative Name matching. A-name only scans files included in the application. As a result, dependency files not in the final application are omitted from the scan. By identifying the exact files in an application the scan reduces the number of false-positive results.

Archive File

From Wikipedia: An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption.

Archive Format

From Wikipedia: An archive format is the file format of an archive file. Some formats are well-defined by their authors and have become conventions supported by multiple vendors and communities.

Artifact

From Maven: An artifact is something that is either produced or used by a project. Examples of artifacts produced by Maven for a project include JARs, source and binary distributions, WARs. Each artifact is uniquely identified by a group id and an artifact ID which is unique within a group.

Application Composition Report

(Also commonly referred to as "scan report" and "build report.") A point-in-time report representing risk associated with component usage for a specific application. The report includes information on how the application complies with the policies your team, or business, has established.

Asset

Assets are the material addition to component metadata. These files provide basic information about components.

Binary

From TechTarget: A binary file is a file whose content must be interpreted by a program or a hardware processor that understands in advance exactly how it is formatted. That is, the file is not in any externally identifiable format so that any program that wanted to could look for certain data at a certain place within the file. A program (or hardware processor) has to know exactly how the data inside the file is laid out to make use of the file.

Central Repository

From central.sonatype.org: The Central Repository is the default repository for Apache Maven, SBT, and other build systems and can be easily used from Apache Ant/Ivy, Gradle, and many other tools.

Component Details Page

The Component Details Page is where you can drill down on individual components that appear in your scanned applications, along with the policy violations associated with them.

Component

On the Sonatype Platform, the term component describes items like a package, library, binary, container, or any other resource used as part of your software application. In different tool-chains, components are called artifact, package, bundle, archive, and so on.

Continuous Delivery (CD)

Continuous delivery is an extension of continuous integration. It focuses on automating the software delivery process so that teams can easily and confidently deploy their code to production at any time. For more information, please see An Introduction to Continuous Integration, Delivery, and Deployment from DigitalOcean.

Continuous Integration (CI)

Continuous integration is a practice that encourages developers to integrate their code into the main branch of a shared repository early and often. For more information, please see An Introduction to Continuous Integration, Delivery, and Deployment from DigitalOcean.

DevOps

The basis of DevOps is to unify software development (Dev) and software operation (Ops). The main characteristic of the DevOps movement is to strongly advocate automation and monitoring at all steps of software development, from integration, testing, and releasing to deployment and infrastructure management. For more information, please see What is DevOps from AWS.

Direct Dependency

Is functionality exported by a library or any software component that is referenced directly by the application itself.

File Format

From Wikipedia: A file format is a standard way that information is encoded for storage in a computer file. It specifies how bits are used to encode information in a digital storage medium. File formats may be either proprietary or free and may be either unpublished or open.

Firewall

The Repository Firewall is a tool that prevents bad components from entering your software supply chain through a Repository Manager. The term firewall usually refers to a network firewall that inspects and blocks network traffic based on a set of rules. The Repository Firewall applies this concept to repository management.

Group Repository

A repository that allows you to combine multiple repositories and other repository groups in a single repository. This in turn means that your users can rely on a single URL for their configuration needs, while the administrators can add more repositories and therefore components to the repository group.

Hosted Repository

A repository that stores components in the repository manager as the authoritative location for these components.

IaC

Infrastructure as Code. Infrastructure as Code is a means of expressing cloud infrastructure using code, which can be run against cloud provider APIs to create, configure, and modify cloud infrastructure. IaC is used in place of the cloud provider console.

Innersource

Innersource, a term discovered and coined in 2000, defines the use of open source development best practices and the establishment of an open source-like culture within organizations. Many organizations still develop proprietary code while adopting the Innersource methodology of using open source components in development.

InnerSource Component

An InnerSource component is an internally built and shared component within an organization that includes both proprietary and open-source code. These ‘InnerSource components’ are the result of companies using open source software and adopting best practices of Innersource.

Manifest

Manifest scans use the project’s build file to identify dependencies and policy violations. They rely on coordinate-based matching to determine which components the project uses. Since manifest scans don’t need the actual files to scan an application, this is an effective way to scan applications when dependency files are unavailable.

Maven

From Apache Maven: A software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting, and documentation from a central piece of information.

MTTR

Mean Time to Resolution. The average time it takes to fully resolve a failure.

npm

From npmjs.com: npm is the package manager for JavaScript. npm makes it easy for JavaScript developers to reuse code other developers have shared.

NuGet

From Microsoft Docs: For .NET, the mechanism for sharing code is NuGet, which defines how packages for .NET are created, hosted, and consumed, and provides the tools for each of those roles.

Open Source

The term "open source" refers to something people can modify and share because its design is publicly accessible. Open-source software is software with source code that anyone can inspect, modify, and enhance. See opensource.com for more information.

Package Format

A type of archive file that consists of programs and accompanying metadata needed by package managers like npm and YUM, or build tools like Maven, to consume that content.

Package Manager

From Wikipedia: A package manager or package management system is a collection of software tools that automates the process of installing, upgrading, configuring, and removing computer programs for a computer's operating system in a consistent manner.

pom file

From Apache: named pom.xml. When in the presence of Maven folks, speaking of a project is speaking in the philosophical sense, beyond a mere collection of files containing code. A project contains configuration files, as well as the developers involved and the roles they play, the defect tracking system, the organization and licenses, the URL of where the project lives, the project's dependencies, and all of the other little pieces that come into play to give code life. It is a one-stop-shop for all things concerning the project. In fact, in the Maven world, a project does not need to contain any code at all, merely a pom.xml.

Proxy Repository

A repository that is linked to a remote repository. Any request for a component is verified against the local content of the proxy repository. If no local component is found, the request is forwarded to the remote repository. The component is then retrieved and stored locally in the repository manager, which acts as a cache. Subsequent requests for the same component are then fulfilled from the local storage, therefore eliminating the network bandwidth and time overhead of retrieving the component from the remote repository again.

Repository

From Wikipedia, a storage location where components such as packages, libraries, binaries, or containers are retrieved and installed.

Repository Manager

A dedicated server application that is used to manage all the repositories your development teams utilize throughout the course of development.

Root Organization

In IQ Server, the Root Organization is at the top of the system hierarchy that allows you to set policy globally across all organizations and applications.

Provisioning Tool

From Quora: Provisioning tools are used to install and manage large quantities of computers. When clustering computers, it is generally desirable to keep the hardware and software as homogenous as possible. This helps to ensure that performance is consistent and that the individual nodes will play nicely with each other. Provisioning tools make managing the software side of clusters easier.

SBOM

Software Bill of Materials. Produced from the Application Composition Report, this is an inventory of all of the open-source components in your application.

Software Development Life Cycle (SDLC)

The SDLC is composed of a number of defined and distinct work phases used by systems engineers and developers to plan, design, build, test, and deliver software. For more information, please see SDLC - Overview from Tutorials Point.

Sonatype

Sonatype takes its name from the Hindi word “sona,” which means gold, and the Latin word “type,” which means model or standard. We are the 'gold standard' for software supply chain management.

Source Control

A version control system designed to track changes in source code and other text files during the development of a piece of software. For more information, please see Git's About Version Control.

Threat Level

A subjective value of a policy violation's overall risk to your organization. For example, a policy violation with a Threat Level of 2 suggests a minor risk, whereas a policy violation with a Threat Level of 10 suggest a major risk. The Reference Policy Set set that comes with each new installation of Lifecycle/Firewall has default Threat Level values, but these values may not match your organization's unique needs or risk posture and can be adjusted. For more information, see Understanding the Parts of a Policy

Transitive Dependency

Is any dependency that is automatically included and relied upon by the direct dependencies that the application references.

An important thing to understand is that to change a transitive dependency one must change the “parent” direct dependency