@anthonydahanne
Created October 8, 2025 12:18
Software Vulnerability acronyms
  • SAST: Static Application Security Testing (e.g.: Find Security Bugs, Semgrep)
  • CVE: Common Vulnerabilities and Exposures
  • SBOM: Software Bill Of Materials
  • SPDX: Software Package Data Exchange (popular SBOM format, focused on licensing)
  • CDX: CycloneDX (popular SBOM format, very versatile)
  • SCA: Software Composition Analysis (e.g.: Dependency-Track, Snyk, Black Duck, etc.)
  • CWE: Common Weakness Enumeration (see https://cwe.mitre.org/)
  • NVD: National Vulnerability Database (see https://nvd.nist.gov/)
  • NIST: National Institute of Standards and Technology at the U.S. Department of Commerce
  • CNA: CVE Numbering Authority (e.g.: Apache Software Foundation, IBM, VMware, etc.)
  • CVSS: Common Vulnerability Scoring System (see: https://www.first.org/cvss/calculator/)
  • PURL: Package URL (such as: pkg:maven/org.springframework.cloud/[email protected])
  • CPE: Common Platform Enumeration (such as: cpe:2.3:a:vmware:spring_cloud_bindings:2.0.0:*:*:*:*:*:*:*)
  • VEX: Vulnerability Exploitability eXchange
  • GHSA: GitHub Security Advisory
  • OSV: Open Source Vulnerabilities