---
component: provenance-governor
version: "1.7"
slug: provenance-governor/policy-type-dependency-scoring
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/policy-type-dependency-scoring/"
title: "DependencyScoring Policy"
description: "Reference for the DependencyScoring policy type in Develocity Provenance Governor."
keywords: []
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# DependencyScoring Policy

<a id="preamble"></a>

<a id="dependency-scoring-policy"></a>

The `DependencyScoring` policy scores dependency health using a 2-category SLO compliance model. It evaluates `DependencyInsights` attestations produced during a Policy Scan™ and provides a weighted overall score, per-category breakdowns, and achievement tier placement.

A configurable baseline gate determines whether the policy evaluation is `satisfied` or `unsatisfied`.

<a id="scoring-model"></a>

## Scoring Model

<a id="categories"></a>

### Categories

 
| Category | Description |
| --- | --- |
| VULNERABILITY | Binary SLO compliance per CVE. Each vulnerability is checked against a per-severity time-to-fix SLO. Fix availability is verified — vulnerabilities with no available upgrade on any carrying PURL are skipped. When the same CVE appears on multiple PURLs matching different rules, the strictest rule wins (shortest non-zero SLO for that severity). |
| UPGRADE | Binary SLO compliance per PURL. Each dependency is checked against a strategy-controlled upgrade SLO (PATCH, MINOR, or MAJOR). A PATCH strategy only penalizes if a patch upgrade exists; MINOR penalizes if a patch or minor exists; MAJOR penalizes if any upgrade exists. |

Each category score is calculated as: `round(100 * compliant / total_scoreable)`. If there are no scoreable items, the category scores 100.
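As an added example (not Provenance Governor code), the strategy gating described in the UPGRADE row, in Python: which available versions count under `PATCH`, `MINOR` and `MAJOR`, whether a dependency is scoreable at all, and which version is reported as the most conservative upgrade. Plain `MAJOR.MINOR.PATCH` versions, "lowest counted version" as the conservative choice and the `days_since_available` clock are assumptions.

```python
LEVELS = {"PATCH": 1, "MINOR": 2, "MAJOR": 3}

def parse_version(version):
    """Assumption: plain MAJOR.MINOR.PATCH versions; qualifiers like '-rc1' are not handled."""
    return tuple(int(part) for part in version.split("."))

def bump_level(current, candidate):
    """'MAJOR', 'MINOR' or 'PATCH' for an upgrade from current to candidate; None if not an upgrade."""
    cur, cand = parse_version(current), parse_version(candidate)
    if cand <= cur:
        return None
    if cand[0] != cur[0]:
        return "MAJOR"
    return "MINOR" if cand[1] != cur[1] else "PATCH"

def counted_upgrades(current, available, strategy):
    """Upgrades the strategy penalizes: PATCH -> patch only; MINOR -> patch or minor; MAJOR -> any."""
    return sorted((v for v in available
                   if bump_level(current, v) and LEVELS[bump_level(current, v)] <= LEVELS[strategy]),
                  key=parse_version)

def upgrade_compliance(current, available, strategy, slo_days, days_since_available):
    """Binary SLO check for one PURL. A dependency with no counted upgrade is not scoreable.
    Assumptions: recommendedUpgrade is the lowest counted version, and days_since_available
    is how long that upgrade has been available."""
    counted = counted_upgrades(current, available, strategy)
    if not counted:
        return {"scoreable": False, "compliant": True, "recommendedUpgrade": None, "daysOverSlo": 0}
    return {"scoreable": True, "compliant": days_since_available <= slo_days,
            "recommendedUpgrade": counted[0], "daysOverSlo": max(0, days_since_available - slo_days)}

# Constructed sample: a dependency at 1.0.0 with a patch, a minor and a major upgrade available.
AVAILABLE = ["2.0.0", "1.1.0", "1.0.1"]

if __name__ == "__main__":
    for strategy in LEVELS:
        print(strategy, upgrade_compliance("1.0.0", AVAILABLE, strategy, slo_days=90, days_since_available=100))
    print("PATCH, only a major available:", upgrade_compliance("1.0.0", ["2.0.0"], "PATCH", 90, 100))
```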

<a id="overall-score"></a>

### Overall Score

The overall score is a weighted combination of category scores:

`round((vulnerabilityScore * vulnerabilityWeight + upgradeScore * upgradeWeight) / 100)`

<a id="baseline-gate"></a>

### Baseline Gate

The `baseline` field (0–100, default 0) sets the minimum acceptable score:

*   Score >= baseline: `satisfied`
*   Score < baseline: `unsatisfied`

A baseline of 0 means scoring is informational — the policy always passes.

<a id="achievement-tiers"></a>

### Achievement Tiers

Customer-defined tiers provide named score ranges for graduated maturity reporting. The evaluation result includes the achieved tier (highest tier where score >= `minScore`) and the next tier with points needed to reach it.
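The arithmetic of the scoring model above (category scores, weighted overall score, baseline gate and tier placement) carried through in Python, as an added example rather than the product's own code. Half-up rounding and `pointsToNextTier` being 0 once the top tier is reached are assumptions; the weights and tiers are those of the default policy described on this page.

```python
def round_half_up(x):
    """Assumption: the page says only 'round'; half-up is used here for .5 cases."""
    return int(x + 0.5)

def category_score(compliant, total_scoreable):
    """round(100 * compliant / total_scoreable); a category with nothing scoreable scores 100."""
    if total_scoreable == 0:
        return 100
    return round_half_up(100 * compliant / total_scoreable)

def overall_score(vulnerability_score, upgrade_score, weights):
    """Weighted combination; the VULNERABILITY and UPGRADE weights must sum to 100."""
    if weights["VULNERABILITY"] + weights["UPGRADE"] != 100:
        raise ValueError("categoryWeights for VULNERABILITY and UPGRADE must sum to 100")
    return round_half_up((vulnerability_score * weights["VULNERABILITY"]
                          + upgrade_score * weights["UPGRADE"]) / 100)

def baseline_gate(score, baseline=0):
    """Baseline 0 (the default) makes scoring informational: the policy always passes."""
    return "satisfied" if score >= baseline else "unsatisfied"

def tier_placement(score, tiers):
    """Achieved tier: highest minScore the score reaches; next tier: lowest minScore above it.
    Assumption: pointsToNextTier is 0 when the top tier is already achieved."""
    reached = [t for t in tiers if score >= t["minScore"]]
    above = [t for t in tiers if t["minScore"] > score]
    achieved = max(reached, key=lambda t: t["minScore"]) if reached else None
    nxt = min(above, key=lambda t: t["minScore"]) if above else None
    return {"achievedTier": achieved["name"] if achieved else None,
            "nextTier": nxt["name"] if nxt else None,
            "pointsToNextTier": nxt["minScore"] - score if nxt else 0}

def evaluate(vulnerability, upgrade, weights, baseline, tiers):
    """vulnerability/upgrade are (compliant, total_scoreable) counts for each category."""
    vs, us = category_score(*vulnerability), category_score(*upgrade)
    score = overall_score(vs, us, weights)
    return {"score": score, "vulnerabilityScore": vs, "upgradeScore": us,
            "status": baseline_gate(score, baseline), **tier_placement(score, tiers)}

# Constructed input using the default policy's 50/50 weights and tiers listed on this page.
DEFAULT_TIERS = [{"name": "Platinum", "minScore": 95}, {"name": "Gold", "minScore": 85},
                 {"name": "Silver", "minScore": 70}, {"name": "Bronze", "minScore": 50}]
DEFAULT_WEIGHTS = {"VULNERABILITY": 50, "UPGRADE": 50}

if __name__ == "__main__":
    # 9 of 20 scoreable vulnerabilities within SLO; 17 of 20 dependencies within their upgrade SLO.
    print(evaluate((9, 20), (17, 20), DEFAULT_WEIGHTS, baseline=80, tiers=DEFAULT_TIERS))
```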

<a id="spec-fields"></a>

## Spec Fields

**baseline (int, optional)** — Minimum score for `satisfied` status. Default: `0`.

**description (string, optional)** — Human-readable description of the policy.

**remediation (string, optional)** — Guidance for resolving a failure.

**tiers (array, optional)** — Achievement tiers, each with:

*   **name** — Tier name (e.g., `Platinum`).
*   **minScore** — Minimum overall score to achieve this tier.

**weightRules (object, optional)** — Category weight configuration.

*   **categoryWeights** — Map of category name to weight (integer). `VULNERABILITY` and `UPGRADE` must sum to 100. Default: 50/50.

**scoringRules (object, optional)** — Per-category rule definitions.

*   **vulnerability** — Array of vulnerability rules, evaluated in order (first match wins per PURL):
    *   **purlPatterns** — Array of glob patterns to match PURLs (e.g., `pkg:maven/org.apache/**`).
    *   **slo** — Per-severity time-to-fix SLO:
        *   **critical** — Duration for CVSS >= 9.0 (e.g., `72h`, `3d`).
        *   **high** — Duration for CVSS >= 7.0.
        *   **medium** — Duration for CVSS >= 4.0.
        *   **low** — Duration for CVSS < 4.0. Set to `0` to ignore.
    *   **reason** — Optional explanation for this rule.
*   **upgrade** — Array of upgrade rules, evaluated in order (first match wins per PURL):
    *   **purlPatterns** — Array of glob patterns to match PURLs.
    *   **strategy** — Upgrade level to enforce: `PATCH`, `MINOR`, or `MAJOR`.
    *   **slo** — Duration within which the upgrade must be applied (e.g., `90d`).
    *   **reason** — Optional explanation for this rule.

<a id="example-configuration"></a>

## Example Configuration

```yaml
apiVersion: policy.gradle.com/v1
kind: DependencyScoring
metadata:
  name: fintech-dependency-scoring
  labels:
    team: platform
spec:
  description: "Fintech: strict vulnerability SLOs"
  remediation: "Review dependency health dashboard"
  baseline: 80
  tiers:
    - name: Platinum
      minScore: 95
    - name: Gold
      minScore: 90
    - name: Silver
      minScore: 75
    - name: Bronze
      minScore: 60
  weightRules:
    categoryWeights:
      VULNERABILITY: 50
      UPGRADE: 50
  scoringRules:
    vulnerability:
      - purlPatterns:
          - "pkg:maven/org.apache/**"
        slo:
          critical: 72h
          high: 14d
          medium: 30d
          low: 0
        reason: "Apache deps are critical path"
      - purlPatterns:
          - "**"
        slo:
          critical: 7d
          high: 30d
          medium: 90d
          low: 0
    upgrade:
      - purlPatterns:
          - "pkg:maven/com.example/**"
        strategy: PATCH
        slo: 30d
        reason: "Internal libs must stay current"
      - purlPatterns:
          - "**"
        strategy: PATCH
        slo: 90d
```
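As an added example (not Provenance Governor code), the vulnerability-rule evaluation the configuration above drives, in Python: first-match rule selection per PURL, the fix-availability skip, the `0` SLO meaning "ignore", and the strictest-SLO rule when one CVE is carried by several PURLs. The `published` timestamp as the SLO clock and `fnmatch`-style handling of the `**` glob are assumptions.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

def parse_slo(value):
    """'72h' -> 72 hours, '14d' -> 14 days; 0 or '0' -> None (severity ignored)."""
    text = str(value)
    if text == "0":
        return None
    return timedelta(hours=int(text[:-1])) if text.endswith("h") else timedelta(days=int(text[:-1]))

def severity_bucket(cvss):  # CVSS thresholds as given on this page
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def first_matching_rule(rules, purl):
    """Rules are evaluated in order; the first whose purlPatterns match the PURL wins."""
    for rule in rules:  # assumption: '**' globs approximated with fnmatch '*' (both span '/')
        if any(fnmatchcase(purl, p.replace("**", "*")) for p in rule["purlPatterns"]):
            return rule
    return None

def vulnerability_compliance(rules, vuln, now):
    """vuln = {'cvss', 'published', 'carriers': [{'purl', 'fixAvailable'}]}.
    Returns SKIPPED (no upgrade on any carrier), IGNORED (every matched SLO is 0),
    COMPLIANT or NON_COMPLIANT. Assumption: age is measured from 'published'."""
    if not any(c["fixAvailable"] for c in vuln["carriers"]):
        return "SKIPPED"
    key = severity_bucket(vuln["cvss"])
    slos = []
    for carrier in vuln["carriers"]:
        rule = first_matching_rule(rules, carrier["purl"])
        slo = parse_slo(rule["slo"][key]) if rule else None
        if slo is not None:
            slos.append(slo)
    if not slos:
        return "IGNORED"
    # Same CVE on several PURLs: the strictest rule wins (shortest non-zero SLO).
    return "COMPLIANT" if now - vuln["published"] <= min(slos) else "NON_COMPLIANT"

# Constructed sample input: the two vulnerability rules from the example configuration.
RULES = [
    {"purlPatterns": ["pkg:maven/org.apache/**"],
     "slo": {"critical": "72h", "high": "14d", "medium": "30d", "low": 0}},
    {"purlPatterns": ["**"],
     "slo": {"critical": "7d", "high": "30d", "medium": "90d", "low": 0}},
]
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
# Constructed critical CVE, 5 days old, on an Apache PURL (72h SLO) and a third-party PURL (7d SLO).
SAMPLE = {"cvss": 9.8, "published": NOW - timedelta(days=5),
          "carriers": [{"purl": "pkg:maven/org.apache/foo@1.0.0", "fixAvailable": True},
                       {"purl": "pkg:maven/com.other/bar@2.0.0", "fixAvailable": True}]}
```

With both carriers present the 72h Apache rule wins and the 5-day-old CVE is non-compliant; with only the third-party carrier the 7d catch-all applies and it is compliant.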

<a id="default-behavior"></a>

## Default Behavior

When no explicit `DependencyScoring` policy matches a Policy Scan, Develocity Provenance Governor auto-injects a default scoring policy with the following settings:

*   **Baseline**: 0 (always `satisfied` — scoring is informational)
*   **Weights**: 50/50 (`VULNERABILITY` and `UPGRADE` equally weighted)
*   **Vulnerability SLOs**: Critical = 72h, High = 14d, Medium = 30d, Low = ignored
*   **Upgrade rule**: `PATCH` strategy, 90-day SLO, catch-all `**` pattern
*   **Tiers**: Platinum (95), Gold (85), Silver (70), Bronze (50)

<a id="evaluation-result"></a>

## Evaluation Result

Policy Scan results for a `DependencyScoring` policy include a `details` object with the following fields:

*   `score` (int) — Weighted overall score (0–100).
*   `vulnerabilityScore` (int) — Vulnerability category score.
*   `upgradeScore` (int) — Upgrade category score.
*   `appliedWeights` (object) — The weights used for each category.
*   `achievedTier` (string, nullable) — Name of the highest achieved tier.
*   `nextTier` (string, nullable) — Name of the next tier above the current score.
*   `pointsToNextTier` (int) — Points needed to reach the next tier.
*   `breakdown` (array) — Individual non-compliance deductions, each containing:
    *   `kind` — `VULNERABILITY_NON_COMPLIANCE` or `UPGRADE_NON_COMPLIANCE`.
    *   `description` — Human-readable summary.
    *   `vulnerabilityId` or `purl` — The affected CVE or dependency.
    *   `severity` — CVSS severity (vulnerability deductions only).
    *   `strategy` — Upgrade strategy (upgrade deductions only).
    *   `recommendedUpgrade` — Most conservative available upgrade version.
    *   `sloDuration` — The SLO that was exceeded.
    *   `daysOverSlo` — Number of days past the SLO.
    *   `reason` — The rule’s configured reason, if any.

**Example evaluation result:**

```json
{
  "score": 72,
  "vulnerabilityScore": 45,
  "upgradeScore": 85,
  "appliedWeights": {
    "VULNERABILITY": 50,
    "UPGRADE": 50
  },
  "achievedTier": "Silver",
  "nextTier": "Gold",
  "pointsToNextTier": 18,
  "breakdown": [
    {
      "kind": "VULNERABILITY_NON_COMPLIANCE",
      "description": "Non-compliant: CVE-2024-1234 on pkg:maven/org.example/lib@1.0.0 (CRITICAL, 7 days over SLO)",
      "points": 1,
      "vulnerabilityId": "CVE-2024-1234",
      "purl": "pkg:maven/org.example/lib@1.0.0",
      "severity": "CRITICAL",
      "recommendedUpgrade": "1.0.1",
      "sloDuration": "PT72H",
      "daysOverSlo": 7,
      "reason": "Apache deps are critical path"
    },
    {
      "kind": "UPGRADE_NON_COMPLIANCE",
      "description": "Non-compliant: pkg:maven/org.example/lib@1.0.0 (PATCH upgrade to 1.0.1, 10 days over SLO)",
      "points": 1,
      "purl": "pkg:maven/org.example/lib@1.0.0",
      "strategy": "PATCH",
      "recommendedUpgrade": "1.0.1",
      "sloDuration": "PT2160H",
      "daysOverSlo": 10,
      "reason": ""
    }
  ]
}
```