SBOM and supply chain terms
Glossary, in plain English
The acronyms and standards behind every SBOM scan, defined clearly and concisely. No jargon, no overclaiming.
- SBOM
- A Software Bill of Materials: a formal, machine-readable inventory of the components and dependencies that make up a piece of software, along with their versions and identifiers.
- CISA KEV
- The Known Exploited Vulnerabilities catalog published by the US Cybersecurity and Infrastructure Security Agency. It lists CVEs that are confirmed to be exploited in the wild, so they should be remediated first.
- CPE
- Common Platform Enumeration: a structured naming scheme for hardware, operating systems and applications. CPE strings are widely used to match products against vulnerability records such as those in the NVD.
- CRA (Cyber Resilience Act)
- An EU regulation that sets cybersecurity requirements for products with digital elements sold in the EU. It references the SBOM and introduces obligations including vulnerability handling and reporting.
- CVE
- Common Vulnerabilities and Exposures: a public catalog that assigns a unique identifier (for example CVE-2021-44228) to each known security vulnerability, so different tools can refer to the same issue.
- CVSS
- The Common Vulnerability Scoring System: a method maintained by FIRST for rating the severity of a vulnerability on a 0 to 10 scale based on its technical characteristics.
- CycloneDX
- An SBOM standard, governed by OWASP, designed for application security and supply chain use cases. It supports components, dependencies, vulnerabilities and more, in JSON or XML.
- Dependency
- A software component that another component relies on to build or run. A direct dependency is one your project declares itself.
- EPSS
- The Exploit Prediction Scoring System, maintained by FIRST: a probability score estimating how likely a vulnerability is to be exploited in the wild over the next 30 days. It complements severity-based scores such as CVSS.
- License identifier (SPDX license)
- A short, standardized string from the SPDX License List (for example MIT or Apache-2.0) that unambiguously names a software license, making license information consistent across tools.
- NTIA minimum elements
- A baseline set of SBOM data fields described by the US National Telecommunications and Information Administration, covering supplier, component name, version, unique identifiers, dependency relationships, author and timestamp.
- PURL (package URL)
- A package URL: a compact, standardized way to identify a software package across ecosystems, for example pkg:npm/lodash@4.17.21. PURLs make components easier to match against advisory databases.
- SPDX
- The Software Package Data Exchange: an SBOM and license-metadata standard hosted by the Linux Foundation and published as ISO/IEC 5962. It is widely used for licensing and compliance information.
- Syft
- An open-source tool from Anchore that generates an SBOM by scanning container images, filesystems and archives. It can output CycloneDX, SPDX and its own native format.
- Transitive dependency
- A dependency pulled in indirectly through another dependency rather than declared by your project. Transitive dependencies often outnumber direct ones and are a common source of hidden risk.
- VEX
- Vulnerability Exploitability eXchange: a companion document to an SBOM that states whether a product is actually affected by a given vulnerability, helping teams suppress findings that do not apply.
See these terms in action
Upload an SBOM to run quality, conformance and multi-engine vulnerability checks, or read what each of the twelve analyses does.