Diffstat (limited to 'doc/user/application_security/terminology/index.md')
-rw-r--r--doc/user/application_security/terminology/index.md19
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/user/application_security/terminology/index.md b/doc/user/application_security/terminology/index.md
index 5c2dbd8d728..0f0a61a2b02 100644
--- a/doc/user/application_security/terminology/index.md
+++ b/doc/user/application_security/terminology/index.md
@@ -35,6 +35,11 @@ The different places in an application that are vulnerable to attack. Secure pro
search the attack surface during scans. Each product defines the attack surface differently. For
example, SAST uses files and line numbers, and DAST uses URLs.
+## Component
+
+A software component that makes up a portion of a software project. Examples include libraries, drivers, data, and
+[many more](https://cyclonedx.org/docs/1.5/json/#components_items_type).
+
## Corpus
The set of meaningful test cases that are generated while the fuzzer is running. Each meaningful
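Review bot: The "Component" definition opens with "A software component", but the examples on the next line ("drivers, data") and the linked CycloneDX type list include items that are not software in the usual sense (data, hardware devices, firmware). Suggest dropping the qualifier so the definition matches its own examples, e.g. "A component that makes up a portion of a software project." Also, the link pins CycloneDX 1.5; consider whether a versioned anchor is intended, since the type list changes between spec releases.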
@@ -105,6 +110,12 @@ under development and tracked in issue [267588](https://gitlab.com/gitlab-org/gi
A legitimate finding that a particular customer doesn't care about.
+## Known affected component
+
+A component that matches the requirements for a vulnerability to be exploitable. For example,
+`packageA@1.0.3` matches the name, package type, and one of the affected versions or version
+ranges of `FAKECVE-2023-0001`.
+
## Location fingerprint
A finding's location fingerprint is a text value that's unique for each location on the attack
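Review bot: In "Known affected component", the example `packageA@1.0.3` is said to match "the name, package type, and one of the affected versions", but the identifier as written carries no package type; a purl-style form such as `pkg:npm/packageA@1.0.3` would actually show all three fields being matched and would line up with the purl type link used in the "Possibly affected component" entry. Separately, "matches the requirements for a vulnerability to be exploitable" overstates what a name/type/version match establishes: it shows the component is affected by the advisory, not that the vulnerable code is reachable or exploitable in this project. Suggest "matches the name, package type, and affected version range of a vulnerability" and keeping exploitability out of this definition.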
@@ -217,6 +228,14 @@ table.package-managers-and-types ul {
A page that displays findings discovered in the associated CI pipeline.
+## Possibly affected component
+
+A software component that is possibly affected by vulnerability. For example, when scanning a
+project for known vulnerabilities, components are first evaluated to see if they match the name
+and [package type](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst).
+During this stage, they're _possibly_ affected by the vulnerability, and are only [known to be affected](#known-affected-component)
+after it's confirmed that they fall in the affected version range.
+
## Post-filter
Post-filters help reduce noise in the scanner results and automate manual tasks. You can specify criteria that updates
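Review bot: In "Possibly affected component", "possibly affected by vulnerability" is missing an article ("by a vulnerability"). The entry also reads as the first stage of a two-step match, with the second step defined under "Known affected component", but that entry does not link back here; adding the reciprocal link ("until then they are only [possibly affected](#possibly-affected-component)") would make the two definitions read as one pipeline. The purl link points at `master`, so the anchor may drift as the spec repository changes; pinning to a tag or commit would keep it stable.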