Glossary

Application
From MergeBase’s perspective, an Application is a collection of components grouped under a single name in the MergeBase dashboard. An Application's list of components typically evolves over time as component versions are upgraded.

Binary Scan
A scan produced from compiled Java files (e.g. .jar, .war) and .NET DLLs.

Blocking
The MergeBase dashboard allows users to block entire components and/or suspicious methods within running applications. When blocked, methods and components cannot execute any of their internal logic. This feature is currently only available when MergeBase is applied to Java and bytecode-based applications.

CLT (Command Line Tool)
The MergeBase CLT (Command Line Tool) is a Java application (“mergebase.jar”) that users can download from their MergeBase dashboard. The majority of MergeBase’s application security features require the CLT. To invoke the CLT after downloading it, type “java -jar mergebase.jar” at a command prompt.

Component
From MergeBase’s perspective, a component is another word for “open source library”, “shared library”, “jar file”, “dll”, “software module”, etc. A component is essentially a piece of reusable third-party code that developers can import into their systems. Components generally have a name and a version. Sometimes components have known vulnerabilities associated with some of their versions.

CVE
CVE stands for “Common Vulnerabilities and Exposures,” but more importantly, CVEs represent individual records in NIST’s National Vulnerability Database. These records are the primary way software vendors communicate and coordinate the patching of known vulnerabilities with the public.

Inoculation
The MergeBase CLT allows users to “inoculate” Java Jar files. Inoculation is accomplished via bytecode rewriting. After inoculation, the Jar files begin communicating with the MergeBase dashboard during their next execution, helping security analysts monitor and manage known vulnerabilities affiliated with these Jar files in real time.

Inoculated Application
An “Inoculated App” is a Java application whose jar files have been inoculated by the MergeBase CLT.

License
A “License” represents an open-source license (or collection of licenses) associated with a component. For example, “Apache 2.0” is one such license.

Risk Score
The MergeBase risk-score is the largest CVSSv3 score (or CVSSv2 if CVSSv3 is not available) observed across all vulnerabilities associated with a component or application.
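The rule above (take the largest CVSSv3 score, falling back to CVSSv2 where no CVSSv3 score exists) is short, but the fallback and the aggregation from vulnerability to component to application are easy to get subtly wrong. The following is an added illustration, not MergeBase's own code: it assumes the fallback is applied per vulnerability (each vulnerability contributes its CVSSv3 base score if it has one, otherwise its CVSSv2 base score), that a vulnerability with neither score contributes nothing, and that an application's score is the maximum over its components. The vulnerability records and identifiers are constructed sample data.

```python
"""Worked example of the risk-score rule: max CVSSv3, CVSSv2 fallback.

Added example, not MergeBase's own implementation. Assumptions:
  * fallback is per vulnerability (v3 if present, else v2);
  * a vulnerability with neither score is skipped, not treated as 0.0;
  * an application's score is the max over its components;
  * a component or application with no scored vulnerabilities has no score (None).
"""
from typing import Dict, Iterable, List, Optional

# A vulnerability record is a dict with optional "cvss_v3" / "cvss_v2" floats.
Vulnerability = Dict[str, Optional[float]]


def vulnerability_score(vuln: Vulnerability) -> Optional[float]:
    """Score contributed by one vulnerability: CVSSv3 preferred, CVSSv2 fallback."""
    v3 = vuln.get("cvss_v3")
    if v3 is not None:
        return float(v3)
    v2 = vuln.get("cvss_v2")
    return float(v2) if v2 is not None else None


def component_risk_score(vulns: Iterable[Vulnerability]) -> Optional[float]:
    """Largest per-vulnerability score across a component, or None if none scored."""
    scores = [s for s in (vulnerability_score(v) for v in vulns) if s is not None]
    return max(scores) if scores else None


def application_risk_score(components: Dict[str, List[Vulnerability]]) -> Optional[float]:
    """Largest component risk score across an application, or None if none scored."""
    scores = [s for s in (component_risk_score(v) for v in components.values())
              if s is not None]
    return max(scores) if scores else None


# Constructed sample data; the identifiers are placeholders, not real CVE ids.
SAMPLE_APPLICATION: Dict[str, List[Vulnerability]] = {
    "example-lib-a:1.2.3": [
        {"id": "CVE-PLACEHOLDER-1", "cvss_v3": 7.5, "cvss_v2": 5.0},
        {"id": "CVE-PLACEHOLDER-2", "cvss_v3": None, "cvss_v2": 9.3},  # v2-only record
        {"id": "CVE-PLACEHOLDER-3", "cvss_v3": None, "cvss_v2": None},  # unscored
    ],
    "example-lib-b:4.0.0": [
        {"id": "CVE-PLACEHOLDER-4", "cvss_v3": 4.3, "cvss_v2": 6.8},  # v3 wins over higher v2
    ],
    "example-lib-c:0.9": [],  # no known vulnerabilities
}


def main() -> None:
    for name, vulns in SAMPLE_APPLICATION.items():
        print(f"{name}: {component_risk_score(vulns)}")
    print(f"application: {application_risk_score(SAMPLE_APPLICATION)}")


if __name__ == "__main__":
    main()
```

Note that the v2-only record drives the component score to 9.3 even though the other vulnerability has a CVSSv3 score; a naive implementation that only falls back to CVSSv2 when no vulnerability in the component has a CVSSv3 score would report 7.5 instead.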

Source Scan
A scan produced from source code using the project's build files (e.g. Maven, Gradle, NPM, etc.).

Suppression
Vulnerabilities that are not interesting (e.g., false positives or low priority issues) can be “suppressed” or “ignored” temporarily via the MergeBase dashboard.

Suspicious Method
A suspicious method represents a single function within a software library that MergeBase has associated with a known vulnerability.