DependencyScoring Policy


The DependencyScoring policy scores dependency health using a 2-category SLO compliance model. It evaluates DependencyInsights attestations produced during a Policy Scan™ and provides a weighted overall score, per-category breakdowns, and achievement tier placement.

A configurable baseline gate determines whether the policy evaluation is satisfied or unsatisfied.

Scoring Model

Categories

VULNERABILITY

Binary SLO compliance per CVE. Each vulnerability is checked against a per-severity time-to-fix SLO. Fix availability is verified — vulnerabilities with no available upgrade on any carrying PURL are skipped. When the same CVE appears on multiple PURLs matching different rules, the strictest rule wins (shortest non-zero SLO for that severity).

UPGRADE

Binary SLO compliance per PURL. Each dependency is checked against a strategy-controlled upgrade SLO (PATCH, MINOR, or MAJOR). A PATCH strategy only penalizes if a patch upgrade exists; MINOR penalizes if a patch or minor exists; MAJOR penalizes if any upgrade exists.

Each category score is calculated as: round(100 * compliant / total_scoreable). If there are no scoreable items, the category scores 100.

Overall Score

The overall score is a weighted combination of category scores:

round((vulnerabilityScore * vulnerabilityWeight + upgradeScore * upgradeWeight) / 100)

Baseline Gate

The baseline field (0–100, default 0) sets the minimum acceptable score:

  • Score >= baseline = satisfied

  • Score < baseline = unsatisfied

A baseline of 0 means scoring is informational — the policy always passes.

Achievement Tiers

Customer-defined tiers provide named score ranges for graduated maturity reporting. The evaluation result includes the achieved tier (highest tier where score >= minScore) and the next tier with points needed to reach it.
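The scoring arithmetic described above (category score, weighted overall score, baseline gate and tier placement) carried through in Python, as an added example; this is not Governor's own code. The function names and the half-up rounding are this example's assumptions (the page only says "round"), the tiers are the ones from the example configuration further down the page, and the compliant/total counts are constructed.

```python
"""Worked model of the DependencyScoring arithmetic (added example, not
Governor code). Assumptions the page does not state: round() is half-up and
tiers may be listed in any order. Function names are this example's own."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional


def round_half_up(x: float) -> int:
    # Assumption: the page's round() rounds .5 upwards (Java Math.round style).
    return int(Decimal(str(x)).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def category_score(compliant: int, total_scoreable: int) -> int:
    """round(100 * compliant / total_scoreable); 100 when nothing is scoreable."""
    if total_scoreable == 0:
        return 100
    if not 0 <= compliant <= total_scoreable:
        raise ValueError("compliant must lie within [0, total_scoreable]")
    return round_half_up(100 * compliant / total_scoreable)


def overall_score(vulnerability_score: int, upgrade_score: int,
                  weights: dict[str, int]) -> int:
    """Weighted combination of the two category scores; weights must sum to 100."""
    vw, uw = weights["VULNERABILITY"], weights["UPGRADE"]
    if vw < 0 or uw < 0 or vw + uw != 100:
        raise ValueError("VULNERABILITY and UPGRADE weights must sum to 100")
    return round_half_up((vulnerability_score * vw + upgrade_score * uw) / 100)


def is_satisfied(score: int, baseline: int = 0) -> bool:
    """Baseline gate: score >= baseline is satisfied; baseline 0 always passes."""
    if not 0 <= baseline <= 100:
        raise ValueError("baseline must be within 0..100")
    return score >= baseline


@dataclass(frozen=True)
class TierPlacement:
    achieved_tier: Optional[str]
    next_tier: Optional[str]
    points_to_next_tier: int


def place_tier(score: int, tiers: list[dict]) -> TierPlacement:
    """Highest tier with score >= minScore, plus the next tier and points needed."""
    ordered = sorted(tiers, key=lambda t: t["minScore"])
    achieved = [t for t in ordered if score >= t["minScore"]]
    above = [t for t in ordered if score < t["minScore"]]
    return TierPlacement(
        achieved_tier=achieved[-1]["name"] if achieved else None,
        next_tier=above[0]["name"] if above else None,
        points_to_next_tier=above[0]["minScore"] - score if above else 0,
    )


# Tiers taken from the page's example configuration.
EXAMPLE_TIERS = [
    {"name": "Platinum", "minScore": 95},
    {"name": "Gold", "minScore": 90},
    {"name": "Silver", "minScore": 75},
    {"name": "Bronze", "minScore": 60},
]


def evaluate(vuln_compliant: int, vuln_total: int, upg_compliant: int,
             upg_total: int, weights: Optional[dict] = None, baseline: int = 0,
             tiers: list[dict] = EXAMPLE_TIERS) -> dict:
    """Run the whole model and return the fields the evaluation result exposes."""
    weights = weights or {"VULNERABILITY": 50, "UPGRADE": 50}
    v = category_score(vuln_compliant, vuln_total)
    u = category_score(upg_compliant, upg_total)
    s = overall_score(v, u, weights)
    tier = place_tier(s, tiers)
    return {
        "score": s, "vulnerabilityScore": v, "upgradeScore": u,
        "appliedWeights": weights, "satisfied": is_satisfied(s, baseline),
        "achievedTier": tier.achieved_tier, "nextTier": tier.next_tier,
        "pointsToNextTier": tier.points_to_next_tier,
    }


if __name__ == "__main__":
    # Constructed counts: 9 of 20 CVEs and 17 of 20 dependencies within SLO.
    print(evaluate(9, 20, 17, 20, baseline=80))
```

With these constructed counts the category scores are 45 and 85, the 50/50 overall score is 65, the baseline of 80 from the example configuration is not met, and the placement is Bronze with 10 points to Silver. Note that an empty category (nothing scoreable, for instance because every open CVE has no fix available) scores 100 rather than 0, so a build with no upgradable dependencies cannot fail the gate on that category.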

Spec Fields

baseline (int, optional)

Minimum score for satisfied status. Default: 0.

description (string, optional)

Human-readable description of the policy.

remediation (string, optional)

Guidance for resolving a failure.

tiers (array, optional)

Achievement tiers, each with:

name

Tier name (e.g., Platinum).

minScore

Minimum overall score to achieve this tier.

weightRules (object, optional)

Category weight configuration.

categoryWeights

Map of category name to weight (integer). VULNERABILITY and UPGRADE must sum to 100. Default: 50/50.

scoringRules (object, optional)

Per-category rule definitions.

vulnerability

Array of vulnerability rules, evaluated in order (first match wins per PURL):

purlPatterns

Array of glob patterns to match PURLs (e.g., pkg:maven/org.apache/**).

slo

Per-severity time-to-fix SLO:

critical:

Duration for CVSS >= 9.0 (e.g., 72h, 3d).

high:

Duration for CVSS >= 7.0.

medium:

Duration for CVSS >= 4.0.

low:

Duration for CVSS < 4.0. Set to 0 to ignore.

reason

Optional explanation for this rule.

upgrade

Array of upgrade rules, evaluated in order (first match wins per PURL):

purlPatterns

Array of glob patterns to match PURLs.

strategy

Upgrade level to enforce: PATCH, MINOR, or MAJOR.

slo

Duration within which the upgrade must be applied (e.g., 90d).

reason

Optional explanation for this rule.
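How the vulnerability and upgrade rules above resolve against concrete PURLs: first match wins per PURL, the strictest SLO wins across the PURLs carrying one CVE, CVEs with no fix on any carrier are skipped, and the PATCH/MINOR/MAJOR strategy from the Categories section decides which available upgrades count. This is an added Python example, not Governor's code. Assumptions the page does not make: durations use only h and d units, `**` in a purlPattern spans `/` while `*` does not, a CVE's age is counted from the date it became known, the PURL ends in `@<semver>`, and the recommended upgrade is the lowest version the strategy permits. The rules are copied from the example configuration; the inventory and dates are constructed.

```python
"""Rule resolution and SLO checks for DependencyScoring (added example, not
Governor code). Assumptions not stated on the page: h/d duration units,
'**' spans '/' and '*' does not, CVE age runs from the known-since date,
PURLs end in '@<semver>', recommended upgrade = lowest permitted version."""
from __future__ import annotations
import re
from datetime import date, timedelta
from typing import Optional

SEVERITY_FLOORS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0)]
STRATEGY_LEVELS = {"PATCH": {"PATCH"}, "MINOR": {"PATCH", "MINOR"},
                   "MAJOR": {"PATCH", "MINOR", "MAJOR"}}


def severity_of(cvss: float) -> str:
    """CVSS >= 9.0 critical, >= 7.0 high, >= 4.0 medium, otherwise low."""
    for name, floor in SEVERITY_FLOORS:
        if cvss >= floor:
            return name
    raise ValueError("CVSS score must be non-negative")


def parse_duration(text) -> Optional[timedelta]:
    """'72h' -> 72 hours, '3d' -> 3 days; 0 means 'ignore' (None)."""
    s = str(text).strip()
    if s == "0":
        return None
    m = re.fullmatch(r"(\d+)([hd])", s)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    n = int(m.group(1))
    return timedelta(hours=n) if m.group(2) == "h" else timedelta(days=n)


def purl_matches(pattern: str, purl: str) -> bool:
    """Glob match with assumed semantics: '**' spans '/', '*' stops at '/'."""
    rx = "".join(".*" if tok == "**" else "[^/]*" if tok == "*" else re.escape(tok)
                 for tok in re.split(r"(\*\*|\*)", pattern) if tok)
    return re.fullmatch(rx, purl) is not None


def first_matching_rule(rules: list[dict], purl: str) -> Optional[dict]:
    """Rules are evaluated in order; the first whose purlPatterns match wins."""
    for rule in rules:
        if any(purl_matches(p, purl) for p in rule["purlPatterns"]):
            return rule
    return None


def effective_vuln_slo(rules, purls, severity) -> Optional[timedelta]:
    """Strictest rule across the PURLs carrying a CVE: shortest non-zero SLO."""
    matched = [r for r in (first_matching_rule(rules, p) for p in purls) if r]
    slos = [parse_duration(r["slo"].get(severity, 0)) for r in matched]  # missing = 0
    slos = [s for s in slos if s is not None]
    return min(slos) if slos else None


def check_vulnerability(rules, cve, cvss, carriers, known_since, today):
    """carriers: {purl: fix_available}. Returns None when the CVE is not scoreable."""
    if not any(carriers.values()):
        return None  # fix availability verified: no upgrade on any carrier -> skipped
    severity = severity_of(cvss)
    slo = effective_vuln_slo(rules, list(carriers), severity)
    if slo is None:
        return None  # severity ignored (SLO 0) by every matching rule, or no rule
    over = (today - known_since) - slo
    return {"vulnerabilityId": cve, "severity": severity.upper(), "sloDuration": slo,
            "compliant": over <= timedelta(0), "daysOverSlo": max(over.days, 0)}


def semver(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def upgrade_level(current: str, candidate: str) -> Optional[str]:
    cur, cand = semver(current), semver(candidate)
    if cand <= cur:
        return None
    return "MAJOR" if cand[0] != cur[0] else "MINOR" if cand[1] != cur[1] else "PATCH"


def check_upgrade(rules, purl, available, available_since, today):
    """None = not penalized: no rule, SLO 0, or no upgrade at the strategy's level."""
    rule = first_matching_rule(rules, purl)
    slo = parse_duration(rule["slo"]) if rule else None
    if slo is None:
        return None
    current = purl.rsplit("@", 1)[1]
    allowed = STRATEGY_LEVELS[rule["strategy"]]
    candidates = sorted((v for v in available if upgrade_level(current, v) in allowed), key=semver)
    if not candidates:
        return None  # e.g. PATCH strategy and only minor/major upgrades exist
    over = (today - available_since) - slo
    return {"purl": purl, "strategy": rule["strategy"], "recommendedUpgrade": candidates[0],
            "sloDuration": slo, "compliant": over <= timedelta(0), "daysOverSlo": max(over.days, 0)}


# Rules copied from the page's example configuration.
VULN_RULES = [
    {"purlPatterns": ["pkg:maven/org.apache/**"],
     "slo": {"critical": "72h", "high": "14d", "medium": "30d", "low": 0}},
    {"purlPatterns": ["**"], "slo": {"critical": "7d", "high": "30d", "medium": "90d", "low": 0}},
]
UPGRADE_RULES = [
    {"purlPatterns": ["pkg:maven/com.example/**"], "strategy": "PATCH", "slo": "30d"},
    {"purlPatterns": ["**"], "strategy": "PATCH", "slo": "90d"},
]
TODAY = date(2024, 6, 30)  # constructed reference date


def demo() -> tuple:
    """Constructed inventory: one CVE on two PURLs, one dependency behind on patches."""
    vuln = check_vulnerability(VULN_RULES, "CVE-2024-1234", 9.8,
                               {"pkg:maven/org.apache/lib@1.0.0": True,
                                "pkg:maven/com.acme/app@2.3.0": False},
                               known_since=TODAY - timedelta(days=10), today=TODAY)
    upg = check_upgrade(UPGRADE_RULES, "pkg:maven/org.example/lib@1.0.0",
                        ["1.0.1", "1.1.0", "2.0.0"], TODAY - timedelta(days=100), TODAY)
    return vuln, upg


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed case the CVE sits on an org.apache PURL (72h critical SLO) and on a catch-all PURL (7d); the strictest 72h wins, so a 10-day-old CVE is 7 days over SLO. The dependency falls to the catch-all PATCH rule, so only 1.0.1 counts and 1.1.0/2.0.0 are ignored; it is 10 days over the 90d SLO. A `None` result is what excludes an item from `total_scoreable` in the category score.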

Example Configuration

apiVersion: policy.gradle.com/v1
kind: DependencyScoring
metadata:
  name: fintech-dependency-scoring
  labels:
    team: platform
spec:
  description: "Fintech: strict vulnerability SLOs"
  remediation: "Review dependency health dashboard"
  baseline: 80
  tiers:
    - name: Platinum
      minScore: 95
    - name: Gold
      minScore: 90
    - name: Silver
      minScore: 75
    - name: Bronze
      minScore: 60
  weightRules:
    categoryWeights:
      VULNERABILITY: 50
      UPGRADE: 50
  scoringRules:
    vulnerability:
      - purlPatterns:
          - "pkg:maven/org.apache/**"
        slo:
          critical: 72h
          high: 14d
          medium: 30d
          low: 0
        reason: "Apache deps are critical path"
      - purlPatterns:
          - "**"
        slo:
          critical: 7d
          high: 30d
          medium: 90d
          low: 0
    upgrade:
      - purlPatterns:
          - "pkg:maven/com.example/**"
        strategy: PATCH
        slo: 30d
        reason: "Internal libs must stay current"
      - purlPatterns:
          - "**"
        strategy: PATCH
        slo: 90d

Default Behavior

When no explicit DependencyScoring policy matches a Policy Scan, Develocity Provenance Governor auto-injects a default scoring policy with the following settings:

  • Baseline: 0 (always satisfied — scoring is informational)

  • Weights: 50/50 (VULNERABILITY and UPGRADE equally weighted)

  • Vulnerability SLOs: Critical = 72h, High = 14d, Medium = 30d, Low = ignored

  • Upgrade rule: PATCH strategy, 90-day SLO, catch-all ** pattern

  • Tiers: Platinum (95), Gold (85), Silver (70), Bronze (50)

Evaluation Result

Policy Scan results for a DependencyScoring policy include a details object with the following fields:

  • score (int) — Weighted overall score (0–100).

  • vulnerabilityScore (int) — Vulnerability category score.

  • upgradeScore (int) — Upgrade category score.

  • appliedWeights (object) — The weights used for each category.

  • achievedTier (string, nullable) — Name of the highest achieved tier.

  • nextTier (string, nullable) — Name of the next tier above the current score.

  • pointsToNextTier (int) — Points needed to reach the next tier.

  • breakdown (array) — Individual non-compliance deductions, each containing:

    • kind — VULNERABILITY_NON_COMPLIANCE or UPGRADE_NON_COMPLIANCE.

    • description — Human-readable summary.

    • vulnerabilityId or purl — The affected CVE or dependency.

    • severity — CVSS severity (vulnerability deductions only).

    • strategy — Upgrade strategy (upgrade deductions only).

    • recommendedUpgrade — Most conservative available upgrade version.

    • sloDuration — The SLO that was exceeded, as an ISO 8601 duration (e.g., PT72H for 72h, PT2160H for 90d).

    • daysOverSlo — Number of days past the SLO.

    • reason — The rule’s configured reason, if any.

Example evaluation result (for the example configuration above; with 50/50 weights the overall score is round((45 * 50 + 85 * 50) / 100) = 65, which places in Bronze and is 10 points short of Silver):
{
  "score": 65,
  "vulnerabilityScore": 45,
  "upgradeScore": 85,
  "appliedWeights": {
    "VULNERABILITY": 50,
    "UPGRADE": 50
  },
  "achievedTier": "Bronze",
  "nextTier": "Silver",
  "pointsToNextTier": 10,
  "breakdown": [
    {
      "kind": "VULNERABILITY_NON_COMPLIANCE",
      "description": "Non-compliant: CVE-2024-1234 on pkg:maven/org.apache/lib@1.0.0 (CRITICAL, 7 days over SLO)",
      "points": 1,
      "vulnerabilityId": "CVE-2024-1234",
      "purl": "pkg:maven/org.apache/lib@1.0.0",
      "severity": "CRITICAL",
      "recommendedUpgrade": "1.0.1",
      "sloDuration": "PT72H",
      "daysOverSlo": 7,
      "reason": "Apache deps are critical path"
    },
    {
      "kind": "UPGRADE_NON_COMPLIANCE",
      "description": "Non-compliant: pkg:maven/org.apache/lib@1.0.0 (PATCH upgrade to 1.0.1, 10 days over SLO)",
      "points": 1,
      "purl": "pkg:maven/org.apache/lib@1.0.0",
      "strategy": "PATCH",
      "recommendedUpgrade": "1.0.1",
      "sloDuration": "PT2160H",
      "daysOverSlo": 10,
      "reason": ""
    }
  ]
}