
Software Supply-Chain Security Glossary


A quick reference. Each term links to a deeper explainer where one exists.

  • Dependency: third-party code your software includes; transitive dependencies are your dependencies' dependencies.
  • Typosquatting: a malicious package published under a look-alike name.
  • Dependency confusion: a public package that hijacks a private/internal package name.
  • Install script: code that runs at install time (e.g. a postinstall hook or setup.py).
  • Maintainer/account takeover: hijacking the account that publishes a trusted package.
  • Known vs novel: already-documented threats vs ones no feed has listed yet.
  • IOC: indicator of compromise (IP, domain, hash, wallet…).
  • Obfuscation: techniques used to hide a payload.
  • Reachability: whether your application actually invokes the vulnerable code.
  • SBOM: Software Bill of Materials; an inventory of components.
  • VEX: a machine-readable "is this exploitable here?" statement.
  • Provenance / SLSA: verifiable build origin and integrity.
  • Registry firewall: a gateway that vets packages before they are installed.
  • CVE: a public identifier for a known vulnerability.
  • OSV: an open, aggregated vulnerability database spanning many ecosystems.
  • MITRE ATT&CK: a shared catalogue of adversary tactics and techniques.

Start with Supply-Chain Security 101 →