# Glossary

A reference of key terms used throughout Certifai.

## Security Terms

**SAST (Static Application Security Testing)**
Analysis of source code to find vulnerabilities without running the application. Certifai uses Semgrep for SAST scanning.

**DAST (Dynamic Application Security Testing)**
Testing a running application by sending crafted requests and analyzing the responses. Finds vulnerabilities that only appear at runtime, such as misconfigurations or behaviour that depends on deployed components.

**SBOM (Software Bill of Materials)**
A complete inventory of all software components (libraries, packages, frameworks) that your application depends on, including versions and licenses.

**CVE (Common Vulnerabilities and Exposures)**
A standardized identifier for publicly known security vulnerabilities. Each CVE has a unique ID (e.g. CVE-2024-1234) assigned by the CVE Program; the National Vulnerability Database (NVD) enriches each entry with severity scores and affected-product data.

**False Positive**
A finding that is flagged as a vulnerability by a scanner but is not actually a security issue in context. For example, a SQL injection warning on a query that uses parameterized statements correctly.

**Triage**
The process of reviewing a security finding and deciding what to do with it: confirm it as real, mark it as a false positive, or accept the risk and leave it unfixed.

**Fingerprint**
A unique hash generated for each finding based on the scanner, file path, line number, and vulnerability type. Used for deduplication so the same issue is not reported twice. Because the line number is part of the hash, the same issue reported at a shifted line after a code change produces a new fingerprint.

**Confidence Score**
A value from 0.0 to 1.0 assigned by the AI triage engine, indicating how certain the LLM is about its assessment of a finding. It measures the model's certainty, not the severity of the finding.

**CWE (Common Weakness Enumeration)**
A community-developed list of software and hardware weakness types. Findings often reference a CWE ID (e.g. CWE-89 for SQL injection) to categorize the type of vulnerability.

**CVSS (Common Vulnerability Scoring System)**
A standardized framework for rating the severity of security vulnerabilities on a scale of 0.0 (none) to 10.0 (critical).
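The following is an added example of how a finding fingerprint of the kind described above can be built and used for deduplication; it is not Certifai's own implementation. The `Finding` class, the path normalization and the length-prefixed SHA-256 encoding are assumptions made for illustration, and the findings at the bottom are constructed sample data.

```python
"""Finding fingerprints for deduplication.

Added example, not Certifai code. Hashes the four attributes the glossary
names (scanner, file path, line number, vulnerability type) with SHA-256
and drops anything else (message text, timestamps) so that two runs of the
same scanner over the same code yield the same fingerprint.
"""
import hashlib
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str
    path: str
    line: int
    vuln_type: str      # e.g. a CWE ID or a scanner rule ID
    message: str = ""   # deliberately NOT part of the fingerprint


def normalize_path(path: str) -> str:
    """Canonicalise the path so './src/db.py' and 'src/db.py' hash alike.

    Assumption: Certifai's exact normalisation is not documented here.
    """
    p = posixpath.normpath(path.replace("\\", "/"))
    return p.lstrip("/")


def fingerprint(f: Finding) -> str:
    """SHA-256 over length-prefixed fields.

    Length prefixes keep ("a", "bc") and ("ab", "c") from colliding, which a
    plain join with a separator would not guarantee if a field contained it.
    """
    parts = [
        f.scanner.lower(),
        normalize_path(f.path),
        str(f.line),
        f.vuln_type.upper(),
    ]
    h = hashlib.sha256()
    for part in parts:
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()


def deduplicate(findings):
    """Keep the first finding seen for each fingerprint, in input order."""
    seen = {}
    for f in findings:
        seen.setdefault(fingerprint(f), f)
    return list(seen.values())


# Constructed sample data: two scanner runs reporting the same SQL injection,
# plus the same issue after an edit pushed it three lines down.
SAMPLE_FINDINGS = [
    Finding("semgrep", "./src/db.py", 42, "CWE-89", "tainted SQL (run 1)"),
    Finding("Semgrep", "src/db.py", 42, "cwe-89", "tainted SQL (run 2)"),
    Finding("semgrep", "src/db.py", 45, "CWE-89", "tainted SQL (after edit)"),
]


def sample_dedup_count() -> int:
    """Number of distinct findings left after deduplicating the sample."""
    return len(deduplicate(SAMPLE_FINDINGS))


if __name__ == "__main__":
    for f in deduplicate(SAMPLE_FINDINGS):
        print(fingerprint(f)[:16], f.path, f.line, f.vuln_type)
```

The third sample finding survives deduplication because its line number differs, which is the trade-off of a line-based fingerprint: it never merges two genuinely different issues, but it reopens an issue whenever the surrounding code moves.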
## License Terms

**Copyleft License**
A license that requires derivative works to be distributed under the same license terms. Examples: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0. LGPL and MPL are weak copyleft: the obligation applies to the licensed library or files themselves, not to code that merely links to or bundles them.

**Permissive License**
A license that allows broad freedom to use, modify, and distribute software with minimal restrictions, typically attribution and preservation of the license notice. Examples: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC.

## Standards and Formats

**CycloneDX**
An OWASP standard for SBOM formats. Certifai supports export in CycloneDX 1.5 JSON format.

**SPDX (Software Package Data Exchange)**
A Linux Foundation standard for communicating software bill of materials information. Certifai supports export in SPDX 2.3 format.

## Tools

**Semgrep**
An open-source static analysis tool that finds bugs and enforces code standards using pattern-matching rules. Used by Certifai for SAST scanning.

**Syft**
An open-source tool for generating SBOMs from container images and filesystems. Used by Certifai to extract dependency information.

**Grype**
An open-source vulnerability scanner for container images and filesystems. Used by Certifai to match dependencies against known vulnerabilities.

## Protocols

**MCP (Model Context Protocol)**
An open standard that allows LLM-powered tools to connect to external data sources and call tools. Certifai exposes security data through MCP so AI assistants can query findings, SBOMs, and DAST results.

**PKCE (Proof Key for Code Exchange)**
An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. The client sends a hash of a random secret (the `code_challenge`) with the authorization request and the secret itself (the `code_verifier`) with the token request, so an intercepted authorization code cannot be redeemed without the verifier. Used in Certifai's authentication flow.
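As an added example of the PKCE exchange described above (not Certifai's authentication code), the following shows the client-side verifier and S256 challenge generation from RFC 7636 together with a hypothetical in-memory authorization server that refuses to redeem an authorization code unless the presented verifier hashes to the challenge recorded when the code was issued. The `AuthServer` class, its method names and the `"app"` client ID are assumptions made for illustration; the test vector in `RFC_7636_VERIFIER` / `RFC_7636_CHALLENGE` is the one published in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) round trip with an S256 code challenge.

Added example, not Certifai's code. The AuthServer below is a minimal
stand-in for the authorization and token endpoints.
"""
import base64
import hashlib
import hmac
import secrets

# Published test vector from RFC 7636, Appendix B.
RFC_7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC range is 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical authorization server keeping issued codes in memory."""

    def __init__(self):
        # authorization code -> (client_id, code_challenge)
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str,
                  method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: redeem the code only with the matching verifier.

        The code is consumed on the first attempt, successful or not, so an
        attacker cannot keep guessing verifiers against the same code.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        expected = code_challenge_s256(code_verifier)
        if not hmac.compare_digest(expected, stored_challenge):
            return None
        return "access-" + secrets.token_urlsafe(16)


def legitimate_flow(server: AuthServer):
    """Client generates the verifier, sends the challenge, redeems with the verifier."""
    verifier = make_code_verifier()
    code = server.authorize("app", code_challenge_s256(verifier))
    return server.token("app", code, verifier)


def interception_attempt(server: AuthServer):
    """Attacker captures the code (e.g. via a hijacked redirect) but not the verifier."""
    verifier = make_code_verifier()
    code = server.authorize("app", code_challenge_s256(verifier))
    attacker_guess = make_code_verifier()   # cannot reproduce the client's secret
    return server.token("app", code, attacker_guess)


if __name__ == "__main__":
    print("RFC vector ok:", code_challenge_s256(RFC_7636_VERIFIER) == RFC_7636_CHALLENGE)
    print("legitimate:", legitimate_flow(AuthServer()))
    print("intercepted:", interception_attempt(AuthServer()))
```

Two details matter in practice: the server must reject the `plain` method (which sends the verifier in the clear as the challenge) and must consume the code on the first token request, otherwise PKCE degrades into a guessable secret with unlimited attempts.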