---
component: provenance-governor
version: "1.7"
slug: provenance-governor/attestation-dependency-insights
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-dependency-insights/"
title: "Dependency Insights Predicate"
description: "Reference for the Dependency Insights attestation predicate."
keywords:
  - "attestation"
  - "supply chain"
  - "API"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Dependency Insights Predicate

<a id="preamble"></a>

<a id="dependency-insights-predicate"></a>

Predicate Type URI: `https://policies.gradle.com/dependency-insights/v1`

Provides prioritized risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data.

Fields:

*   `forAttestationUri` (URI string) - Link to the source `Resolved Dependencies` attestation that was analyzed.
*   `sourcedFromUrn` (string) - Unique context-based URN identifying the data source (e.g., `urn:dependency-insights:osi:osv:build-gate`).
*   `verifiedTime` (string) - Timestamp when the insights were generated (ISO 8601).
*   `purls` (map of strings to objects) - A map whose keys are dependency PURLs and whose values are insight objects:
    *   `versions` (object) - A "Hygiene Map" of version information.
        *   `current` (object) - Information about the analyzed version.
            *   `version` (string) - The version string.
            *   `publishedTime` (string, optional) - ISO 8601 timestamp of publication.
        *   `latestPatch`, `latestMinor`, `latestMajor` (object, optional) - Information about available upgrades.
            *   `version` (string) - The available version.
            *   `publishedTime` (string) - ISO 8601 timestamp of publication.
            *   `vulnerabilitiesRemainingAfterUpgrade` (int) - The number of known security advisories remaining after applying this upgrade.
    *   `licenses` (array of strings) - List of licenses associated with this version (e.g., `["Apache-2.0", "MIT"]`).
    *   `vulnerabilities` (array of strings) - Vulnerability IDs affecting this PURL. Each ID is a key into the top-level `vulnerabilities` map, where full details are available.
*   `vulnerabilities` (map of strings to objects) - Deduplicated vulnerability details keyed by ID. A vulnerability affecting multiple PURLs appears here once and is referenced by ID from each per-PURL entry. Each value contains:
    *   `id` (string) - Vulnerability identifier (e.g., `GHSA-j9hv-9w6f-4hcq`).
    *   `summary` (string) - Brief description of the vulnerability.
    *   `publishedTime` (string, optional) - ISO 8601 timestamp of when the vulnerability was first disclosed.
    *   `modifiedTime` (string, optional) - ISO 8601 timestamp of when the vulnerability record was last updated.
    *   `severity` (array of objects) - Quantitative risk data.
        *   `type` (string) - Scoring system used (e.g., `CVSS_V3`).
        *   `score` (string) - The full vector string (e.g., `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`).
        *   `baseScore` (number, optional) - The calculated numeric score (0.0–10.0), providing a sensible default for policies.

Example predicate:

```json
{
  "forAttestationUri": "https://provenance-governor.example.com/packages/maven/org.slf4j/slf4j-api/1.7.30/sha256:5891b80220204d09292/attestations/production/61604",
  "sourcedFromUrn": "urn:dependency-insights:osi:osv:production-cluster",
  "verifiedTime": "2026-02-19T10:00:00Z",
  "purls": {
    "pkg:maven/org.slf4j/slf4j-api@1.7.30": {
      "versions": {
        "current": {
          "version": "1.7.30",
          "publishedTime": "2020-02-19T10:00:00Z"
        },
        "latestPatch": {
          "version": "1.7.31",
          "publishedTime": "2021-06-17T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        },
        "latestMinor": {
          "version": "1.9.3",
          "publishedTime": "2022-01-02T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        },
        "latestMajor": {
          "version": "3.2.5",
          "publishedTime": "2025-10-10T12:00:00Z",
          "vulnerabilitiesRemainingAfterUpgrade": 0
        }
      },
      "licenses": ["MIT"],
      "vulnerabilities": ["GHSA-j9hv-9w6f-4hcq"]
    }
  },
  "vulnerabilities": {
    "GHSA-j9hv-9w6f-4hcq": {
      "id": "GHSA-j9hv-9w6f-4hcq",
      "summary": "Deserialization of Untrusted Data in org.slf4j",
      "publishedTime": "2022-01-15T09:00:00Z",
      "modifiedTime": "2023-06-20T14:30:00Z",
      "severity": [
        {
          "type": "CVSS_V3",
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 9.8
        }
      ]
    }
  }
}
```

<a id="secure-and-up-to-date-example"></a>

## Secure and Up-to-date Example

When a dependency has no known vulnerabilities and no newer versions are available, the `vulnerabilities` list is empty, and only the `current` version is present in the `versions` map.

```json
{
  "purls": {
    "pkg:maven/com.gradle/dpg-api@1.0.0": {
      "versions": {
        "current": {
          "version": "1.0.0",
          "publishedTime": "2026-02-19T10:00:00Z"
        }
      },
      "licenses": ["Apache-2.0"],
      "vulnerabilities": []
    }
  }
}
```
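As an added example that is not part of the Provenance Governor documentation or product, the following Python consumes a predicate of this shape as a build gate: it joins each PURL's `vulnerabilities` IDs with the top-level map (failing closed on a dangling ID), takes the worst `baseScore`, picks the smallest of `latestPatch`/`latestMinor`/`latestMajor` whose `vulnerabilitiesRemainingAfterUpgrade` is 0, and allows the clean, up-to-date case from the section above. The score threshold, the allowed-license set, the fail-closed treatment of a missing `baseScore`, and the sample predicate (constructed by condensing the two JSON examples on this page) are assumptions of this example.

```python
# Constructed sample predicate, condensed from the two JSON examples on this page.
PREDICATE = {
    "purls": {
        "pkg:maven/org.slf4j/slf4j-api@1.7.30": {
            "versions": {
                "current": {"version": "1.7.30"},
                "latestPatch": {"version": "1.7.31", "vulnerabilitiesRemainingAfterUpgrade": 0},
                "latestMajor": {"version": "3.2.5", "vulnerabilitiesRemainingAfterUpgrade": 0}},
            "licenses": ["MIT"], "vulnerabilities": ["GHSA-j9hv-9w6f-4hcq"]},
        "pkg:maven/com.gradle/dpg-api@1.0.0": {
            "versions": {"current": {"version": "1.0.0"}},
            "licenses": ["Apache-2.0"], "vulnerabilities": []}},
    "vulnerabilities": {
        "GHSA-j9hv-9w6f-4hcq": {
            "id": "GHSA-j9hv-9w6f-4hcq", "summary": "Deserialization of Untrusted Data in org.slf4j",
            "severity": [{"type": "CVSS_V3", "baseScore": 9.8,
                          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}}}

def max_base_score(predicate, purl):
    """Worst CVSS baseScore among the advisories this PURL references.
    A dangling ID (absent from the top-level map) raises KeyError: fail closed."""
    worst = 0.0
    for vuln_id in predicate["purls"][purl].get("vulnerabilities", []):
        for sev in predicate["vulnerabilities"][vuln_id].get("severity", []):
            # baseScore is optional; this policy scores a missing one as 10.0 (assumed, fail closed)
            worst = max(worst, float(sev.get("baseScore", 10.0)))
    return worst

def recommend_upgrade(predicate, purl):
    """Smallest listed upgrade that leaves zero known advisories, else None."""
    versions = predicate["purls"][purl]["versions"]
    for key in ("latestPatch", "latestMinor", "latestMajor"):  # smallest jump first
        candidate = versions.get(key)
        if candidate and candidate.get("vulnerabilitiesRemainingAfterUpgrade") == 0:
            return candidate["version"]
    return None

def evaluate(predicate, max_score=7.0, allowed=frozenset({"Apache-2.0", "MIT"})):
    """Gate decision per PURL: 'allow' or 'deny: <reasons>' (threshold and license set assumed)."""
    decisions = {}
    for purl, entry in predicate["purls"].items():
        reasons = []
        if bad := [lic for lic in entry.get("licenses", []) if lic not in allowed]:
            reasons.append("license " + ",".join(bad))
        if (score := max_base_score(predicate, purl)) >= max_score:
            fix = recommend_upgrade(predicate, purl)
            reasons.append(f"CVSS {score} (fix: {fix or 'no clean upgrade listed'})")
        decisions[purl] = "allow" if not reasons else "deny: " + "; ".join(reasons)
    return decisions
```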