Terms and definitions for Polaris

Application
A collection of up to five projects (depending on the subscription purchased) and up to 1 million lines of code. The application is the organizing principle in Polaris. Code projects must belong to an application, and users are associated with one or more applications, in which they are allowed to run tests and view results.
Application Admin
Manages access and settings for one or several applications. An Application Admin may lack access to some of an organization's applications. (Not to be confused with the Organization Application Manager, who can access all applications and projects.)
Audit Log
Tracks system changes from the user interface and APIs.
BDSA
Black Duck® Security Advisory. A feed of vulnerability reference numbers maintained by the Black Duck Cybersecurity Research Center (CyRC).
Component origin
Where an open-source software component comes from, such as a repository or package manager.
Contributor
An application-level role for users who frequently scan code and triage issues.
CVE®
Common Vulnerabilities and Exposures. A system that assigns reference identifiers to publicly known information-security vulnerabilities. Maintained by the National Cybersecurity FFRDC.
CWE™/SANS
Common Weakness Enumeration. A catalog of common types of security weakness in software and hardware, maintained by the National Cybersecurity FFRDC. The CWE/SANS Top 25 is a list of the most dangerous of these weaknesses.
DAST
Dynamic application security testing. DAST describes solutions that test a target application for vulnerabilities while it's running, without knowledge of the application's architecture or source code.
Direct dependency
A direct dependency is a package that your project declares and requires directly in order to compile and run (typically managed with a package manager such as pip or npm). A package can be both a direct and a transitive dependency.
Entitlement
The ability to use a specific type of test or set of tests with a particular subscription. The entitlements in a subscription control the types and quantities of tests a subscription can run.
Fix-by date
A date by which an issue must be fixed to comply with an organization's security policies.
Issue
Any defect or vulnerability in software. Usually used to describe issues detected by a test.
Issue Policy
A policy that automates actions when issues with specific properties are detected in a test, and can apply fix-by dates to issues detected in a test.
Match Score
Each component captured in a signature analysis test is compared with a copy of the component in the Black Duck knowledge base to generate a (percentage) match score. A higher match score indicates a closer match, and a lower match score indicates a component was modified. Precise match scores only appear for components identified in signature analysis tests; the match score for a component identified in a package manager test will always be 100%.
Member
An application-level role for users who frequently scan code and triage issues. Contributors and Members have similar permissions in Polaris, but Members cannot create, update, or delete projects.
Observer
An application-level role able to review and monitor ongoing tests, test results, and issues in all projects belonging to the application, as well as view dashboards showing the status of the application and its projects.
Organization Admin
The user in your organization who has access to all the functions of Polaris and can access all the applications and projects. An Org Admin sets up your organization and invites other users to begin using Polaris. An organization must have at least one Org Admin.
Organization Application Manager
A user in your organization who can create, delete, and modify applications. The Organization Application Manager has access to all applications and projects in an organization. (Not to be confused with the Application Admin, who owns one or several applications but might lack access to others.)
OWASP®
Open Web Application Security Project. A non-profit foundation that focuses on application security.
Portfolio
A portfolio contains all the applications owned by an organization. Every organization has exactly one portfolio.
Portfolio item
At present, the same as an application. In the future this could change, if portfolios begin to contain items other than applications (e.g. web apps, networks, etc.)
Portfolio subitem
At present, the same as a project. In the future this term could apply to other test targets, if portfolios begin to contain items other than applications, enclosing subitems other than projects.
Project
A project is a discrete body of code associated with a parent application. A project can contain the entire application or can be one submodule in a larger application. It might correspond to one repository, but doesn't have to. Each project includes a default branch, and may include more (non-default) branches. A test always runs on a single branch of a project (and issues captured in tests are linked to the branch and project).
SAST
Static application security testing. A solution that analyzes source code without executing it and finds security vulnerabilities. Coverity is one example of a SAST tool.
SCA
Software composition analysis. SCA describes solutions that scan code and detect the presence of known software libraries written either by open-source projects or vendors. After scanning code, an SCA application helps to manage any security, quality, and license compliance risks associated with the libraries it discovered.
Subscription
A subscription is a license that allows an organization to run tests in Polaris. The entitlements in a subscription control the types and quantities of tests a subscription can run.
Test
Execution of a tool (or an attempt to execute a tool) in Polaris.
Test Scheduling Policy
A policy that automates tests of SCM-integrated projects or branches on a weekly or daily basis.
Transitive dependency
Transitive dependencies are packages that your project does not reference directly but that are required by its direct dependencies (either directly or through further dependencies of their own). A package can be both a direct and a transitive dependency.
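The direct and transitive dependency entries above are easier to see on a concrete graph. The following is an added example, not code from the Polaris documentation: it walks a constructed package graph (the package names and edges are made up for illustration), classifies each package as direct only, transitive only, or both, and lists every path that introduces a given package, which is what you need when an SCA test flags a vulnerable transitive package and you want to know which direct dependency pulled it in.

```python
# Added example (not part of the Polaris documentation): classify packages in a
# constructed dependency graph as direct, transitive, or both, and trace paths.
from collections import deque

# Constructed sample graph: package -> packages it depends on. "app" is the
# project itself. "urllib3" is declared directly by app and is also required by
# "requests", so it is both a direct and a transitive dependency.
SAMPLE_GRAPH = {
    "app": ["requests", "urllib3", "click"],
    "requests": ["urllib3", "charset-normalizer", "idna", "certifi"],
    "urllib3": [],
    "charset-normalizer": [],
    "idna": [],
    "certifi": [],
    "click": ["colorama"],
    "colorama": [],
}


def direct_dependencies(graph, root="app"):
    """Packages the project declares directly."""
    return set(graph.get(root, []))


def transitive_dependencies(graph, root="app"):
    """Packages reachable through a direct dependency (transitive closure,
    excluding the project's own direct edges). Cycles are tolerated."""
    queue = deque()
    for dep in graph.get(root, []):
        queue.extend(graph.get(dep, []))
    seen = set()
    while queue:
        pkg = queue.popleft()
        if pkg in seen or pkg == root:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def classify(graph, root="app"):
    """Split the dependency set into direct-only, transitive-only, and both."""
    direct = direct_dependencies(graph, root)
    transitive = transitive_dependencies(graph, root)
    return {
        "direct_only": direct - transitive,
        "transitive_only": transitive - direct,
        "both": direct & transitive,
    }


def dependency_paths(graph, target, root="app"):
    """All acyclic paths from the project to `target`, so a vulnerable transitive
    package can be traced back to the direct dependency that introduces it."""
    paths = []

    def walk(pkg, path):
        if pkg == target:
            paths.append(path)
            return
        for child in graph.get(pkg, []):
            if child not in path:  # skip cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for kind, pkgs in classify(SAMPLE_GRAPH).items():
        print(f"{kind}: {sorted(pkgs)}")
    for path in dependency_paths(SAMPLE_GRAPH, "urllib3"):
        print(" -> ".join(path))
```

For the sample graph, urllib3 lands in the "both" bucket and has two paths (one direct, one via requests); fixing it therefore requires bumping the direct pin and confirming that requests accepts the new version, not just one of the two.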
Triage
The process of deciding whether or not to dismiss an issue. When a member of your team dismisses an issue, the available reasons are False Positive, Intentional, and Other (which requires an explanatory comment). You can also use triage to manually set, change, or clear fix-by dates.