Glossary

To make the user documentation easier to use, we have developed specialized terminology, as described below:

  • B

    • Broker

    A system that takes the source code and builds the deployable application (such as a Security Analyzer).

  • D

    • Dependency

    When your application uses another package, that package is a dependency of your application.

    (1) A direct dependency is a package you include in your project.

    (2) An indirect dependency (also known as a deep, chained, or transitive dependency) is a package used by one of your direct dependencies.

    • Dependency tree

    (Also known as Dependency path) A hierarchical graph that shows the dependencies of a software application. It includes both direct and indirect dependencies, and the tree can be many levels deep.

  • E

    • Environment

    Can refer to a MetaTrust Environment, a project attribute, or an interface for working with MetaTrust, such as the MetaTrust CLI, Web UI, or an IDE.

    • Exploit

    A demonstration of how a vulnerability can be exploited. When an exploit is widely published, it is commonly referred to as an exploit in the wild.

    • Exploit Maturity

    A measure of the usefulness of an exploit, based on whether the exploit is in the wild, and how "helpful" the exploit is to an attacker. See Evaluating and prioritizing vulnerabilities.

  • F

    • Fixable / Partially fixable

    A measure of whether a vulnerability can be fixed by MetaTrust by applying a patch, upgrade, or pin. See Fixed in version vs. fixable attributes in vulnerabilities.

    • Fix PR

    A pull request with an automatic fix for vulnerabilities that MetaTrust can offer the user.

  • G

    • Git

    A distributed version-control system for tracking changes in source code during software development.

  • I

    • IDE

    Integrated Development Environment. An application that provides facilities for software development, typically a source code editor, build automation tools, and a debugger.

    • Integrations

    Third-party products, applications, and platforms that MetaTrust works with, for example, SCM systems such as GitHub.

    • Issue

    License issues, vulnerabilities, or misconfigurations identified and listed by MetaTrust.

  • L

    • Library

    A specific type of package.

  • M

    • Manifest

    A file that contains metadata about other files in the package.

    • Monitor

    A run of the MetaTrust monitor command that tests the project and uploads results to MetaTrust.

  • O

    • Organization

    An organization in MetaTrust is a way to collect and organize your projects. Members of an organization can then access these projects.

  • P

    • Package

    A group of files and additional metadata about those files, used by package managers.

    • Package manager

    A set of tools that automates and manages packages of bundled files, usually specific to a language; for example, npm.

    • Package registry

    A software package hosting service that allows customers to host packages and code in one place.

    • Pinnable

    A fix type: define and "pin" a specific version of an indirect dependency so that a direct dependency cannot pull in a vulnerable version of it.

    • Project

    An external item that MetaScan scans, with configuration that defines how to run that scan. Projects appear on the Projects menu on the MetaTrust dashboard. See Introduction to projects.

  • R

    • Repository

    A storage area that contains all elements necessary for the distribution of an application.

    • Resource

    A cloud infrastructure entity such as an AWS S3 bucket, an Identity & Access Management (IAM) role, or a Virtual Private Cloud (VPC) flow log.

    • Rule

    A security policy that checks cloud infrastructure and infrastructure as code (IaC) for misconfigurations that can lead to security problems.

  • S

    • SAST

    Static Application Security Testing. A method of securing software by examining the source code of proprietary software to identify the source of vulnerabilities. See also DAST.

    • SCA

    Software Composition Analysis. A technique used to identify the open-source and third-party components of an application, including their known security vulnerabilities and any associated licensing restrictions.

    • SCM

    Source Code Management. Also known as a code repo / repository / version control system. The method used by developers to store their source code and track changes to code. SCM helps resolve conflicts when merging updates from multiple contributors. GitHub is an example of a common SCM system.

    • SDLC

    Software Development Life Cycle. A process followed by a development team describing how to develop and maintain software.

    • Security policy

    A set of criteria for evaluating open-source vulnerabilities. Security policies let you define custom rules that automatically prioritize or de-prioritize specific vulnerabilities. The MetaTrust Default Security Policy is enabled by default, or you can create your own security policy. See Security policies.

    • Severity

    A severity level is applied to a vulnerability or a license issue to indicate the risk that item poses to an application. See Severity levels.

  • V

    • Vulnerability

    A security vulnerability identified by MetaScan. See Fixing vulnerabilities.