- artifact (concept)
- synonym of: asset, component; can be used interchangeably with: build result, package, binary, container image, metadata file
Any uniquely identifiable piece of a software project, such as a source code file, git repository, binary executable, container image, package, library, dependency, application, build log, metadata file, test result, or other data.
If it can be uniquely identified by a cryptographic hash, it is an artifact.
- authentication (concept)
- synonym of: verification
The process of comparing a software asset to a trusted, verifiable record of that asset and its composition to ensure that the asset hasn’t been modified or tampered with since creation.
In the context of SBOMs, this means checking a software asset against an immutable, cryptographically-verifiable record of that asset and its components—by comparing each component with its recorded hash, ensuring that none of the components comprising the asset are considered untrusted, and checking the validity of the cryptographic signature on the SBOM.
- The command-line interface for interacting with the Community Attestation Service. It can be used to notarize and authenticate artifacts from any point in the software development lifecycle.
- Codenotary (organization)
- The company behind Trustcenter and the Community Attestation Service, as well as the publisher of this guide.
- Community Attestation Service — CAS (service)
- An open-source, community-driven service that provides immutable, cryptographically-verifiable attestation for software artifacts at any stage in the development lifecycle.
- CycloneDX (specification)
- An open standard for communicating software bill of materials (SBOM) information. Created for use in software supply chain security contexts, it includes specifications for defining the relationships between software components and for identifying known vulnerabilities in those components.
- manifest (concept)
A list of files, dependencies, and other information about a software project. Examples include:
- package.json in Node projects and pyproject.toml in Python projects are examples of package manifests, which define a project’s dependencies and other metadata.
- Docker’s Image Manifests reference image layers for multiple variants of a container image, allowing for a single image to be used for multiple architectures and operating systems.
- SPDX and CycloneDX are standards for sharing the metadata of software artifacts between different projects, allowing developers to track the licensing and provenance of their dependencies.
- notarization (concept)
- synonym of: signing
The process of creating a trusted, verifiable record of a software asset and its composition.
In the context of SBOMs, this means creating an immutable, cryptographically-verifiable record of a software asset, the components comprising the asset, the level of trust for each, and the hashes that uniquely identify those components.
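The three definitions above (artifact, authentication, notarization) fit together in one round trip: hash each component, record the hashes and trust levels in a signed SBOM, and later recompute the hashes and check them, the trust levels, and the signature. The following is an added example, not code from Codenotary, CAS or Trustcenter. It uses constructed in-memory artifacts, a hypothetical key, and HMAC-SHA256 as a stand-in for the service's real (asymmetric) signature so it runs on the standard library; the record layout borrows CycloneDX field names but is a minimal sketch, not a complete CycloneDX document.

```python
"""Notarize a set of artifacts into a signed record, then authenticate them
against it. Added example; not Codenotary code."""
import hashlib
import hmac
import json

# Constructed sample artifacts: name -> bytes (stand-ins for files, images, packages).
ARTIFACTS = {
    "app-1.4.2.tar.gz": b"application tarball contents",
    "libfoo-2.0.so": b"shared library contents",
    "config.yaml": b"listen: 0.0.0.0:8443\n",
}

# Hypothetical signing key. A real service signs with an asymmetric key pair;
# HMAC-SHA256 is used here only so the example runs with the standard library.
SIGNING_KEY = b"example-key-do-not-use"


def artifact_id(data: bytes) -> str:
    """An artifact is whatever can be uniquely identified by a cryptographic hash."""
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the signature covers exactly one byte sequence.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def notarize(artifacts: dict[str, bytes], trust: dict[str, str], key: bytes) -> dict:
    """Create a signed record of each component's hash and trust level."""
    record = {
        "bomFormat": "CycloneDX",  # minimal CycloneDX-shaped sketch, not a full document
        "specVersion": "1.5",
        "components": [
            {
                "name": name,
                "hashes": [{"alg": "SHA-256", "content": artifact_id(data)}],
                "properties": [{"name": "trust", "value": trust.get(name, "unknown")}],
            }
            for name, data in sorted(artifacts.items())
        ],
    }
    signature = hmac.new(key, _canonical(record), "sha256").hexdigest()
    return {"bom": record, "signature": signature}


def authenticate(signed: dict, artifacts: dict[str, bytes], key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the asset authenticates."""
    bom = signed["bom"]
    # 1. Check the signature first: an unsigned or re-signed SBOM proves nothing.
    expected = hmac.new(key, _canonical(bom), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return ["SBOM signature invalid; do not trust any hash in it"]
    findings = []
    recorded = {c["name"]: c for c in bom["components"]}
    for name, data in artifacts.items():
        comp = recorded.get(name)
        if comp is None:
            findings.append(f"{name}: not in SBOM")
            continue
        # 2. Compare each component with its recorded hash.
        sha = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if not hmac.compare_digest(sha, artifact_id(data)):
            findings.append(f"{name}: hash mismatch (modified since notarization)")
        # 3. Reject components whose recorded trust level is not "trusted".
        trust = next((p["value"] for p in comp.get("properties", [])
                      if p["name"] == "trust"), "unknown")
        if trust != "trusted":
            findings.append(f"{name}: trust level is {trust}")
    # 4. A recorded component that is absent from the asset is also a finding.
    for name in sorted(recorded.keys() - artifacts.keys()):
        findings.append(f"{name}: recorded in SBOM but missing from asset")
    return findings


if __name__ == "__main__":
    signed = notarize(ARTIFACTS, {n: "trusted" for n in ARTIFACTS}, SIGNING_KEY)
    print("clean:", authenticate(signed, ARTIFACTS, SIGNING_KEY))
    tampered = dict(ARTIFACTS, **{"config.yaml": b"listen: 0.0.0.0:80\n"})
    print("tampered:", authenticate(signed, tampered, SIGNING_KEY))
```

The order of checks matters: the signature is verified before any hash is trusted, because an attacker who can edit the SBOM can simply record the hash of the tampered file. Hash and signature comparisons use `hmac.compare_digest` so a mismatch does not leak timing information.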
- software bill of materials — SBOM (concept)
- A manifest which uniquely identifies and enumerates the software dependencies contained within a codebase, software artifact, or runtime container. In a security context, it is used to track the chain of custody of software components and to check those components against databases of known vulnerabilities.
- Software Package Data Exchange — SPDX (specification)
- An open standard for communicating software bill of materials (SBOM) information. It is maintained as an initiative of the Linux Foundation and originated as an effort to develop tools and formats for communicating the licensing information of software packages.
- Syft (tool)
- A CLI tool for scanning a filesystem or container image and using the result to assemble a software bill of materials (SBOM) in various formats.
- Trustcenter (service)
- A service that provides immutable, cryptographically-verifiable attestation of software artifacts at every stage of the development lifecycle.
- The command-line interface (CLI) for interacting with Codenotary’s Trustcenter service. It can be used to notarize and authenticate artifacts from any point in the software development lifecycle.