Glossary.
Plain-English definitions for every term you’ll see in the platform.
A — D
Attack-path graph — Force-directed graph from a vulnerable dependency through your import graph to a sink (sensitive API) and on to an HTTP entry point. Lets us score not just “is there a CVE” but “can a request to your service reach the vulnerable code.”
CISA KEV — Known Exploited Vulnerabilities catalogue maintained by US-CISA. A CVE on this list is being exploited in the wild today. Highest-confidence exploitability signal.
cgroup-BPF — eBPF programs attached to a kernel cgroup. The runtime agent uses cgroup-BPF connect4 and connect6 hooks in enforce mode to deny non-allowlisted egress before the syscall returns. Callers see a standard EPERM.
CO-RE — “Compile Once, Run Everywhere.” A technique for writing BPF programs that work across kernel versions using BTF (BPF Type Format) records. Lets the agent ship as a single binary that runs on every modern Linux kernel.
CycloneDX — SBOM (software bill of materials) format from OWASP. dpndncY emits CycloneDX 1.5 on every scan.
Dependency Firewall — Package-manager admission-control proxy. Refuses risky packages before they enter your dependency tree. Lives between your developers/CI and the public registries (npm, PyPI, etc.).
DSSE — Dead Simple Signing Envelope. A signing format that wraps any payload (we use in-toto Statements) with a signature and a payload-type URL. dpndncY uses DSSE over RSA-2048 (RS256) by default.
E — L
eBPF — Extended Berkeley Packet Filter. A Linux kernel technology that lets userspace programs attach safe, verified bytecode to kernel hooks. The runtime agent uses four eBPF programs.
EPSS — Exploit Prediction Scoring System (first.org). A daily-updated probability (0.00 – 1.00) that a given CVE will be exploited in the next 30 days. Pairs well with KEV.
ExploitDB — Public database of known exploits keyed by CVE. Presence of one or more public exploits is a strong “real-world exploitable” signal.
EWF — Exploit Window Forecast. dpndncY proprietary model that estimates days-until-public-exploit for a given CVE, using EPSS trajectory and historical patterns.
GHSA — GitHub Security Advisory. GitHub’s curated advisory database. Often the first place an ecosystem-specific advisory lands. We correlate alongside OSV and NVD.
in-toto — Open framework for supply-chain attestations. We emit in-toto v1 Statements (predicateType + subject + predicate) wrapped in DSSE envelopes.
JWS — JSON Web Signature. The signed-evidence format used for some firewall decisions where DSSE would be overkill. Verifies the same way against the public key.
KEV — see CISA KEV.
Kernel hook (a.k.a. runtime probe) — A point in the Linux kernel where a userspace program can register a callback to observe or intercept a syscall. The runtime agent attaches four: connect, exec, security_file_open, getaddrinfo.
M — R
NVD — National Vulnerability Database (US-NIST). Authoritative CVE record store. We correlate against NVD for every finding.
OSV — Open Source Vulnerabilities. Google-maintained advisory format and database with strong ecosystem coverage. Primary feed for dpndncY SCA.
Reachability — Whether the vulnerable symbol in a dependency is actually called from your code, determined by AST parsing plus call-graph traversal. Supported for JS/TS and Python today.
RSA-2048 — Signing key size used by default for the per-tenant keypair. Optionally RSA-4096.
RS256 — RSASSA-PKCS1-v1_5 with SHA-256. The DSSE signing algorithm we use by default.
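Putting the Attack-path graph and Reachability entries together, here is an added example (not dpndncY's own code) of the traversal those entries describe: a constructed call graph, a breadth-first search from each HTTP entry point to the vulnerable symbol, and a check of whether that symbol goes on to call a sensitive sink. All node names and the sink set are assumptions made for illustration.

```python
from collections import deque

# Constructed call graph for illustration (not real scan data): caller -> callees.
# Nodes prefixed "http:" are HTTP entry points; the vulnerable symbol lives in
# a dependency ("tarlib"), and the sinks are the sensitive APIs it may reach.
CALL_GRAPH = {
    "http:POST /upload": ["app.handlers.upload"],
    "http:GET /health": ["app.handlers.health"],
    "app.handlers.upload": ["app.parse.load_archive"],
    "app.handlers.health": [],
    "app.parse.load_archive": ["tarlib.extract"],   # app code calls the dependency
    "tarlib.extract": ["os.path.join", "open"],     # vulnerable symbol -> sink
    "tarlib.unused_helper": ["subprocess.run"],     # never imported by app code
    "os.path.join": [],
    "open": [],
    "subprocess.run": [],
}
SINKS = {"open", "subprocess.run"}  # assumed set of sensitive APIs


def shortest_path(graph, start, goal):
    """BFS over the call graph; returns the node list from start to goal, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def attack_path(graph, vulnerable_symbol, sinks=SINKS):
    """Score a finding the way the glossary describes: not just "is there a CVE"
    but "can a request reach the vulnerable code", and does it then hit a sink."""
    for entry in (n for n in graph if n.startswith("http:")):
        path = shortest_path(graph, entry, vulnerable_symbol)
        if path is None:
            continue  # this entry point never reaches the vulnerable symbol
        sink = None
        for candidate in sorted(sinks):
            if shortest_path(graph, vulnerable_symbol, candidate):
                sink = candidate
                break
        return {"reachable": True, "entry_point": entry, "path": path, "sink": sink}
    return {"reachable": False, "entry_point": None, "path": None, "sink": None}
```

A finding on `tarlib.unused_helper` is reported as unreachable even though it calls `subprocess.run`, because no entry point's import graph leads to it.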
S — Z
SARIF — Static Analysis Results Interchange Format (OASIS). dpndncY emits SARIF 2.1.0 for SAST findings, ingestible by GitHub code-scanning, GitLab, IDEs, etc.
SBOM — Software Bill of Materials. List of every component in a build. We emit CycloneDX 1.5 and SPDX.
Sigstore-keyless — Optional signing mode where the keypair is generated per-call by Fulcio (a CA) under an OIDC identity, and the signature is logged to Rekor (a transparency log). No long-lived key to manage.
SLSA — “Supply-chain Levels for Software Artifacts.” Industry framework for supply-chain integrity. dpndncY runtime traces conform to SLSA in-toto v1 Statements.
SPDX — Software Package Data Exchange. Alternative SBOM format. We emit both CycloneDX and SPDX.
Trust delta — dpndncY proprietary signal. Compares the trust score of the requested package version against the last approved one for the same package. A drop above the configured threshold triggers a block — catches typosquats, takeovers, maintainer rotations that absolute thresholds miss.
uprobe — User-space probe. eBPF attachment point in a userspace library (e.g. libc getaddrinfo). The DNS hook is a uprobe.