Glossary

artifact (concept)
synonym of: asset, component
can be used interchangeably with: build result, package, binary, container image, metadata file

Any uniquely identifiable piece of a software project, such as a source code file, git repository, binary executable, container image, package, library, dependency, application, build log, metadata file, test result, or other data.

In practice, anything that can be uniquely identified by a cryptographic hash of its contents can be treated as an artifact.

authentication (concept)
synonym of: verification

The process of comparing a software asset to a trusted, verifiable record of that asset and its composition to ensure that the asset hasn’t been modified or tampered with since creation.

In the context of SBOMs, this means checking a software asset against an immutable, cryptographically verifiable record of that asset and its components: first checking the validity of the cryptographic signature on the SBOM (an unsigned or altered record proves nothing), then comparing each component with its recorded hash, and ensuring that none of the components comprising the asset are recorded as untrusted.

cas command (tool)
The command-line interface for interacting with the Community Attestation Service. It can be used to notarize and authenticate artifacts from any point in the software development lifecycle.
Codenotary (organization)
The company behind Trustcenter and the Community Attestation Service, as well as the publisher of this guide.
Community Attestation Service, CAS (service)
An open-source, community-driven service that provides immutable, cryptographically-verifiable attestation for software artifacts at any stage in the development lifecycle.
CycloneDX (specification)
An open standard, maintained by the OWASP Foundation, for communicating software bill of materials (SBOM) information. Created for use in software supply chain security contexts, it includes specifications for defining the relationships between software components and for describing known vulnerabilities in those components.
manifest (concept)

A list of files, dependencies, and other information about a software project. Examples include:

  • package.json in Node projects and pyproject.toml in Python projects are examples of package manifests, which define a project’s dependencies and other metadata.
  • Docker’s image manifests reference the layers of a container image, and a manifest list (an OCI image index) references one manifest per platform, allowing a single image tag to serve multiple architectures and operating systems.
  • SPDX and CycloneDX are standards for sharing the metadata of software artifacts between different projects, allowing developers to track the licensing and provenance of their dependencies.
notarization (concept)
synonym of: signing

The process of creating a trusted, verifiable record of a software asset and its composition.

In the context of SBOMs, this means creating an immutable, cryptographically verifiable record of a software asset, the components comprising the asset, the level of trust assigned to each, and the hashes that uniquely identify those components.
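The notarize and authenticate definitions above describe one round trip: hash every component, record each hash and trust level, sign the record, and later re-derive the hashes and compare. The following is an added example written for this glossary, not code from Codenotary, cas or vcn. It models the record as a CycloneDX-style JSON document (the `trust` property name is an assumption), and uses an HMAC-SHA256 tag over the canonical SBOM as a stand-in for the asymmetric signature a real notarization service would apply; the component bytes and key are constructed sample data.

```python
"""Added example: minimal notarize / authenticate round trip over a
CycloneDX-style SBOM, standard library only.

Assumptions (not from the guide): the SBOM is a dict shaped like a
CycloneDX 1.4 JSON document; the "signature" is an HMAC-SHA256 over the
canonical SBOM bytes, standing in for an asymmetric signature; trust
levels use a hypothetical trusted / untrusted scheme stored in the
CycloneDX 'properties' extension point.
"""
import hashlib
import hmac
import json

TRUSTED = "trusted"
UNTRUSTED = "untrusted"


def artifact_hash(data: bytes) -> str:
    """An artifact's identity is the SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


def canonical(sbom: dict) -> bytes:
    """Deterministic serialization so the same SBOM always yields the same bytes."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def notarize(asset_name: str, components: dict, trust: dict, key: bytes) -> dict:
    """Notarization: hash each component, record its trust level, tag the record."""
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": asset_name}},
        "components": [
            {
                "name": name,
                "hashes": [{"alg": "SHA-256", "content": artifact_hash(data)}],
                # 'trust' is an assumed custom property, not a CycloneDX field.
                "properties": [{"name": "trust", "value": trust.get(name, UNTRUSTED)}],
            }
            for name, data in sorted(components.items())
        ],
    }
    tag = hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()
    return {"sbom": sbom, "signature": tag}


def authenticate(record: dict, components: dict, key: bytes) -> list:
    """Authentication: return a list of failures; an empty list means the asset passes."""
    sbom = record["sbom"]
    # 1. Check the tag first: an altered record must not be consulted at all.
    expected = hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["signature"]):
        return ["sbom signature invalid"]
    recorded = {c["name"]: c for c in sbom["components"]}
    failures = []
    for name, data in components.items():
        comp = recorded.get(name)
        if comp is None:
            failures.append(f"{name}: not in SBOM")
            continue
        # 2. Each present component must match its recorded hash ...
        want = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if want != artifact_hash(data):
            failures.append(f"{name}: hash mismatch")
        # 3. ... and must not be recorded as untrusted.
        trust = {p["name"]: p["value"] for p in comp.get("properties", [])}.get("trust")
        if trust != TRUSTED:
            failures.append(f"{name}: trust level {trust!r}")
    # 4. A recorded component that is absent from the asset is also a mismatch.
    for name in sorted(recorded.keys() - components.keys()):
        failures.append(f"{name}: missing from asset")
    return failures


# Constructed sample inputs (not real packages or keys).
KEY = b"example-signing-key"
COMPONENTS = {"libfoo.so": b"foo v1 bytes", "app.bin": b"app v1 bytes"}
TRUST = {"libfoo.so": TRUSTED, "app.bin": TRUSTED}
RECORD = notarize("demo-app", COMPONENTS, TRUST, KEY)

if __name__ == "__main__":
    print("clean:", authenticate(RECORD, COMPONENTS, KEY))
    tampered = dict(COMPONENTS, **{"libfoo.so": b"foo v1 bytes BACKDOORED"})
    print("tampered:", authenticate(RECORD, tampered, KEY))
```

The order of checks matters: the signature is verified before any field of the record is trusted, and the hash comparison runs in both directions so that a component silently dropped from the asset is reported just like a modified one.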

software bill of materials, SBOM (concept)
A manifest which uniquely identifies and enumerates the software dependencies contained within a codebase, software artifact, or runtime container. In a security context, it is used to track the chain of custody of software components and to check those components against databases of known vulnerabilities.
Software Package Data Exchange, SPDX (specification)
An open standard for communicating software bill of materials (SBOM) information. It is maintained as an initiative of the Linux Foundation and was created to develop tools and formats for communicating the licensing information of software packages; version 2.2.1 was published as ISO/IEC 5962:2021.
Syft (tool)
A CLI tool from Anchore for scanning a filesystem or container image and using the result to assemble a software bill of materials (SBOM) in various formats, including SPDX and CycloneDX.
Trustcenter (service)
A service that provides immutable, cryptographically-verifiable attestation of software artifacts at every stage of the development lifecycle.
vcn Command (tool)
The command-line interface (CLI) for interacting with Codenotary’s Trustcenter service. It can be used to notarize and authenticate artifacts from any point in the software development lifecycle.