Dependency Insights Predicate


Provides prioritized risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data.

Fields:

  • forAttestationUri (URI string) - Link to the source Resolved Dependencies attestation that was analyzed.

  • sourcedFromUrn (string) - Unique context-based URN identifying the data source (e.g., urn:dependency-insights:osi:osv:build-gate).

  • verifiedTime (string) - Timestamp when the insights were generated (ISO 8601).

  • purls (map of strings to objects) - A map where keys are dependency pURLs and values are insight objects:

    • versions (object) - A "Hygiene Map" of version information.

      • current (object) - Information about the analyzed version.

        • version (string) - The version string.

        • publishedTime (string, optional) - ISO 8601 timestamp of publication.

      • latestPatch, latestMinor, latestMajor (object, optional) - Information about available upgrades.

        • version (string) - The available version.

        • publishedTime (string) - ISO 8601 timestamp of publication.

        • vulnerabilitiesRemainingAfterUpgrade (int) - The number of known security advisories remaining after applying this upgrade.

    • licenses (array of strings) - List of licenses associated with this version (e.g., ["Apache-2.0", "MIT"]).

  • vulnerabilities (array of objects) - Known security vulnerabilities for this pURL.

      • id (string) - Vulnerability identifier (e.g., GHSA-j9hv-9w6f-4hcq).

      • summary (string) - Brief description of the vulnerability.

      • severity (array of objects) - Quantitative risk data.

        • type (string) - Scoring system used (e.g., CVSS_V3).

        • score (string) - The full CVSS vector string rather than a numeric score (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); consumers derive the base score and rating from it.

{
  "forAttestationUri": "https://provenance-governor.example.com/packages/maven/org.slf4j/slf4j-api/1.7.30/sha256:5891b80220204d09292/attestations/production/61604",
  "sourcedFromUrn": "urn:dependency-insights:osi:osv:production-cluster",
  "verifiedTime": "2026-02-19T10:00:00Z",
  "purls": {
    "pkg:maven/org.slf4j/slf4j-api@1.7.30": {
      "versions": {
        "current": {
          "version": "1.7.30",
          "publishedTime": "2020-02-19T10:00:00Z"
        },
        "latestPatch": {
          "version": "1.7.31",
          "publishedTime": "2021-06-17T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        },
        "latestMinor": {
          "version": "1.9.3",
          "publishedTime": "2022-01-02T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        },
        "latestMajor": {
          "version": "3.2.5",
          "publishedTime": "2025-10-10T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        }
      },
      "licenses": ["MIT"],
      "vulnerabilities": [
        {
          "id": "GHSA-j9hv-9w6f-4hcq",
          "summary": "Deserialization of Untrusted Data in org.slf4j",
          "severity": [
            {
              "type": "CVSS_V3",
              "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
          ]
        }
      ]
    }
  }
}

Secure and Up-to-date Example

When a dependency has no known vulnerabilities and no newer versions are available, the vulnerabilities list is empty, and only the current version is present in the versions map.

{
  "purls": {
    "pkg:maven/com.gradle/dpg-api@1.0.0": {
      "versions": {
        "current": {
          "version": "1.0.0",
          "publishedTime": "2026-02-19T10:00:00Z"
        }
      },
      "licenses": ["Apache-2.0"],
      "vulnerabilities": []
    }
  }
}
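As an added example (not part of the predicate specification or any tooling that produces it), the following Python evaluates a predicate of this shape: it computes the CVSS v3.x base score from each severity vector string, maps it to a rating, and picks the smallest upgrade (patch, then minor, then major) whose vulnerabilitiesRemainingAfterUpgrade is 0. SAMPLE is a constructed, trimmed copy of the slf4j-api example above; the secure-and-up-to-date shape yields a score of 0.0, rating NONE and no upgrade.

```python
import math

# CVSS v3.1 base metric weights (FIRST specification, section 7.4); PR depends on scope.
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0},
     "PR_U": {"N": .85, "L": .62, "H": .27}, "PR_C": {"N": .85, "L": .68, "H": .5}}

def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, in the spec's integer form."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss3_base_score(vector: str) -> float:
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(p.split(":") for p in vector.split("/")[1:])  # drop the 'CVSS:3.x' prefix
    changed = m["S"] == "C"
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = W["PR_C" if changed else "PR_U"][m["PR"]]
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def rating(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.x specification."""
    return next((n for f, n in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"),
                                (0.1, "LOW")) if score >= f), "NONE")

def assess(predicate: dict) -> dict:
    """Per pURL: worst base score, its rating, and the smallest upgrade
    (patch, then minor, then major) with vulnerabilitiesRemainingAfterUpgrade == 0."""
    out = {}
    for purl, ins in predicate["purls"].items():
        scores = [cvss3_base_score(s["score"]) for v in ins["vulnerabilities"]
                  for s in v["severity"] if s["type"].startswith("CVSS_V3")]
        worst = max(scores, default=0.0)
        clean = next((ins["versions"][k]["version"] for k in ("latestPatch", "latestMinor", "latestMajor")
                      if ins["versions"].get(k, {}).get("vulnerabilitiesRemainingAfterUpgrade") == 0), None)
        out[purl] = {"score": worst, "rating": rating(worst), "clean_upgrade": clean}
    return out

# Constructed sample, trimmed from the slf4j-api predicate shown on this page.
SAMPLE = {"purls": {"pkg:maven/org.slf4j/slf4j-api@1.7.30": {
    "versions": {"current": {"version": "1.7.30"},
                 "latestPatch": {"version": "1.7.31", "vulnerabilitiesRemainingAfterUpgrade": 0}},
    "licenses": ["MIT"],
    "vulnerabilities": [{"id": "GHSA-j9hv-9w6f-4hcq", "summary": "Deserialization of Untrusted Data",
                         "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}]}}}
```

Running `assess(SAMPLE)` reports the slf4j-api entry as 9.8 CRITICAL with 1.7.31 as the smallest clean upgrade; a build gate can fail on any pURL whose rating exceeds its threshold and surface the recommended version in the failure message.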