Concepts

A vulnerability is primarily a name for ensuring all advisories are discussing the same thing. Generally, most vulnerabilities come from the CVE Project, with the format of CVE-2024-1234.

Within the database, Trustify adds the vulnerability when discovering an advisory mentioning it.

A CVE Record from National Institute of Standards and Technology (NIST)/National Vulnerabilities Database (NVD) is a low-value advisory that is generally the first discovered advisory that mentions a vulnerability.

An advisory is an opinion about a vulnerability.

These opinions include the context to which the opinions apply. These opinions include evaluation of the severity and scoring of a vulnerability within that context, such as Common Vulnerability Scoring System (CVSS) scores.

As mentioned above, a CVE Record from the CVE Project is a low-value advisory that mentions the vulnerability and provides a base opinion about it. It might include CVSS scores, within the context of the abstract origin containing the vulnerability. This might be simply in reference to the vulnerability as it exists in source-code form.

Other, more-involved stakeholders, such as, product vendors, upstream project owners, might issue additional advisories. These opinions might be in reference to concrete, shipped products, contextualized to how the vulnerable code is actually used.

An SBOM is a source-of-someone’s-truth about "what’s inside it?", so everything in our DB is ultimately sourced from some source-of-truth. We cannot really say definitively "product X is composed of A1, A2 + A3". Instead, we can have multiple simultaneous statements — SBOM’s — from multiple people saying "product X is claimed by Bob to be A1 + A2" and "product X is claimed by Jim to be A1 + A97". So an SBOM is the entity to track the origin of the supposed "evidence" of assertional statements about products…​ about packages…​ about vulnerabilities…​

A package is an atomic artifact or component. Packages can be addressed using pURLs. A package can be described by an SBOM describing how it is created and its contents. A package can certainly contain other packages. For example, shading one Java jar into another. A package can also be the sole member of a product. For example UBI-8.0.13-x86.oci can be the singular package within the "UBI 8.0.13-x86" product. A package is one step more abstract than an artifact.

A product is a named collection of 1 or more packages for a concrete shippable thing.

Products can be addressed using Common Platform Enumerations (CPE) or some other future identification method. A product can be described by an SBOM describing its components, which might be other products or packages, or their SBOMs.

Red Hat Enterprise Linux 8 might be a product stream. Red Hat Enterprise Linux 8.2.03 PowerPC might be a concrete product distinct from Red Hat Enterprise Linux 8.2.03 AArch64.

For a given package, there can be zero or more instances of that package. Given log4j-1.2.3.jar, seventeen different people could compile the same source with the same arguments, and still end up with 17 distinct Java jars, due to non-reproducible builds. Each is an artifact of the same package. Each might, and most likely will, have its own SHA-256 related to it.

Consider an artifact to be a concrete instance of a package.