Skip to content

Data Model

All types are defined in core/src/languages/language_plugin.rs and serialised as JSON by serde_json. The FFI layer returns JSON strings; the CLI prints them to stdout; the GUI decodes them into Swift model types.


classDiagram
class ScanEnvelope {
+u64 scanned_at
+HashMap results
+Option~PolicyReport~ policy_report
}
class PolicyReport {
+bool pass
+Vec~PolicyViolation~ violations
}
class PolicyViolation {
+String project
+String dependency
+String rule
+String value
}
class PackageMetadata {
+String project_name
+String path
+Option~String~ package_manager
+Option~Vec~RegistryConfig~~ registries
+Vec~Dependency~ dependencies
}
class Dependency {
+String name
+String version
+String local_path
+String included_by
+Option~HashMap~ hashes
+Option~Vec~String~~ licenses
+Option~String~ purl
+Option~String~ source_url
+Option~String~ repository
+Option~Vec~Vulnerability~~ vulnerabilities
}
class RegistryConfig {
+String url
+String level
+String config_file
+bool valid
+Option~String~ username
+Option~String~ password_hash
}
class Vulnerability {
+String id
+String severity
+String summary
+Option~String~ fixed_version
+String reference_url
}
ScanEnvelope "1" --> "0..1" PolicyReport : policy_report
PolicyReport "1" --> "*" PolicyViolation : violations
ScanEnvelope "1" --> "*" PackageMetadata : results
PackageMetadata "1" --> "*" Dependency : dependencies
PackageMetadata "1" --> "*" RegistryConfig : registries
Dependency "1" --> "*" Vulnerability : vulnerabilities

Top-level wrapper returned by every scan. Carries a timestamp so consumers always know how stale the data is.

FieldTypeDescription
scanned_atu64Unix timestamp (seconds) when the scan completed
resultsobjectMap of project_name -> PackageMetadata
policy_reportPolicyReportPolicy evaluation result (omitted from JSON when no policy is configured)

Result of evaluating policy rules against scan results. Only present when a policy block exists in config or an admin policy file is deployed.

FieldTypeDescription
passbooltrue if all rules passed, false if any violation exists
violationsPolicyViolation[]List of individual violations (empty when pass is true)
FieldTypeDescription
projectstringProject name containing the offending dependency
dependencystringDependency name
rulestringHuman-readable rule that was violated (e.g. "license not in allowed_licenses")
valuestringThe violating value (e.g. the license string, registry URL, or severity)

One record per discovered project.

FieldTypeNullableDescription
project_namestringNoHuman-readable project name
pathstringNoAbsolute filesystem path to the project root
package_managerstringYesDetected package manager, e.g. "npm", "yarn", "nuget", "composer"
project_licensestringYesSPDX license identifier for the project itself
registriesRegistryConfig[]YesResolved registry entries (null if none detected)
dependenciesDependency[]NoAll dependencies, direct and transitive

One record per package, direct or transitive.

FieldTypeNullableDescription
namestringNoPackage name as it appears in the registry
versionstringNoExact installed version string
local_pathstringNoAbsolute path to the installed package on disk
included_bystringNo"direct" for direct dependencies; parent package name for transitive deps
hashesobjectYesKey -> hash string map
licensesstring[]YesSPDX licence identifiers
purlstringYesPackage URL
source_urlstringYesRegistry download or package page URL
repositorystringYesVCS URL (GitHub, GitLab, etc.)
vulnerabilitiesVulnerability[]Yesnull = not queried; [] = clean; [...] = active CVEs

A resolved registry or package feed entry.

FieldTypeNullableDescription
urlstringNoRegistry base URL
levelstringNo"global" or "project"
config_filestringNoAbsolute path to the config file
validboolNoWhether the registry URL passes policy
usernamestringYesUsername for authenticated feeds
password_hashstringYesArgon2id hash of the credential

A single CVE or GHSA record associated with a dependency.

FieldTypeNullableDescription
idstringNoIdentifier, e.g. "CVE-2024-1234" or "GHSA-xxxx-xxxx-xxxx"
severitystringNo"CRITICAL" / "HIGH" / "MEDIUM" / "LOW" / "UNKNOWN"
summarystringNoShort description from OSV
fixed_versionstringYesSmallest fix version strictly greater than installed; null if no fix exists
reference_urlstringNoCanonical link (OSV page or NVD)

Preview of what a fix operation would do.

FieldTypeDescription
dependencystringDependency being fixed
current_versionstringCurrently installed version
target_versionstringVersion the fix would upgrade to
binarystringPackage manager binary
commandstringHuman-readable command
is_major_bumpboolWhether the target version is a semver major bump
fixesFixableVuln[]Vulnerabilities that will be resolved
risk_scoreUpgradeRiskScoreRisk assessment for this upgrade

Deterministic risk assessment for a single dependency upgrade (0-100).

FactorPointsWhen
bump_type5 / 15 / 40Patch / minor / major version bump
version_distance0-20Number of minor versions skipped
dependency_scope5 / 15Transitive / direct dependency
multi_major_jump10Jumping 2+ major versions
pre_release_target10Target is alpha/beta/rc/dev/preview/canary

{
"scanned_at": 1711027200,
"results": {
"my-app": {
"project_name": "my-app",
"path": "/Users/dev/my-app",
"package_manager": "npm",
"registries": [
{
"url": "https://registry.npmjs.org/",
"level": "global",
"config_file": "/Users/dev/.npmrc",
"valid": true,
"username": null,
"password_hash": null
}
],
"dependencies": [
{
"name": "lodash",
"version": "4.17.20",
"local_path": "/Users/dev/my-app/node_modules/lodash",
"included_by": "direct",
"hashes": {
"integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA=="
},
"licenses": ["MIT"],
"purl": "pkg:npm/lodash@4.17.20",
"source_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
"repository": "https://github.com/lodash/lodash",
"vulnerabilities": [
{
"id": "CVE-2021-23337",
"severity": "HIGH",
"summary": "Command injection via template in lodash",
"fixed_version": "4.17.21",
"reference_url": "https://osv.dev/vulnerability/CVE-2021-23337"
}
]
}
]
}
}
}