# Glossary

As you slowly enter the world of cybersecurity, license-compliance and dependency health it could be useful to understand some basic terminology and concepts. Here is a useful resource list combining both our own content and others. A lot of these are used throughout our tool and this documentation.

# CVE

Common Vulnerability Enumeration - This is a vulnerability published in an open database by NVD, with an assigned vulnerability ID known as CVE ID. Examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271).

# CVSS

Common Vulnerability Scoring System - An open framework for describing the severity of vulnerabilities, where each vulnerability is given a score between 0 and 10, 10 being critical.

# CWE

Common Weakness Enumeration - This is a weakness, either in software or in hardware, that may be exploited in a specific system. The CWE list is a tree hierarchy with different levels of abstraction. An example of a CWE tree chain, from high to low abstraction, may look like this: "Improper Restriction of Operations within the Bounds of a Memory Buffer" (CWE-119) -> "Buffer Copy without Checking Size of Input" (CWE-120) -> "Stack-based Buffer Overflow" (CWE-121).

# CPE

Common Platform Enumeration - This is a naming scheme for IT systems, software, and packages. An example of a CPE string for the React framework, version 16, is cpe:2.3:a:facebook:react:16.0.0:*:*:*:*:*:*:*.

# npm

Node Package Manager - A package manager for JavaScript consisting of a command line client npm along with an online database of packages known as the npm registry. npm handles local dependencies as well as global JavaScript tools. As of 2020, npm has joined forces with GitHub.

# NVD

National Vulnerability Database - An open database, managed by the U.S. government, for management of vulnerabilities. The information displayed is an aggregation of multiple sources along with a severity scoring using CVSS, the type of vulnerability as a CWE, and affected products as a CPE.