{ "allOf": [ { "$ref": "#/$defs/SocketPURL" }, { "$ref": "#/$defs/SocketArtifactLink" }, { "type": "object", "additionalProperties": false, "properties": { "id": { "$ref": "#/$defs/SocketId" }, "author": { "type": "array", "items": { "type": "string", "description": "", "default": "" }, "description": "List of package authors or maintainers" }, "size": { "type": "number", "description": "Total size of the package artifact in bytes", "default": 0 }, "repositoryType": { "type": "string", "description": "Hugging Face repository type (model, dataset, or space)", "default": "" }, "alerts": { "type": "array", "items": { "$ref": "#/$defs/SocketAlert" }, "description": "" }, "score": { "$ref": "#/$defs/SocketScore" }, "patch": { "$ref": "#/$defs/SocketArtifactPatch" }, "inputPurl": { "type": "string", "description": "Original unmodified PURL input string before normalization", "default": "" }, "batchIndex": { "type": "integer", "description": "Deprecated: Always 0. Previously used for batch ordering but replaced by inputPurl for better tracking.", "default": 0 }, "license": { "type": "string", "description": "", "default": "" }, "licenseDetails": { "$ref": "#/$defs/LicenseDetails" }, "licenseAttrib": { "$ref": "#/$defs/SAttrib1_N" } } } ], "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://raw.githubusercontent.com/api-evangelist/socket-dev/main/json-schema/socket-full-scan-schema.json", "title": "SocketFullScanArtifact", "$defs": { "ClassStackItem": { "type": "object", "additionalProperties": false, "properties": { "purl": { "type": "string", "description": "Package URL (PURL) of the dependency containing this class", "default": "" }, "class": { "type": "string", "description": "Name of the class in the dependency", "default": "" }, "confidence": { "type": "number", "description": "Confidence score from 0.0 to 1.0 indicating how certain the reachability analysis is about this result", "default": 0 } }, "description": "" }, "ReachabilityResultItem": { "type": 
"object", "additionalProperties": false, "properties": { "type": { "$ref": "#/$defs/ReachabilityType" }, "truncated": { "type": "boolean", "default": false, "description": "Indicates if the reachability analysis was stopped early due to depth or complexity limits" }, "error": { "type": "string", "description": "Error message if reachability analysis failed", "default": "" }, "matches": { "anyOf": [ { "type": "object", "additionalProperties": false, "properties": { "type": { "type": "string", "enum": [ "function-level" ] }, "value": { "type": "array", "items": { "type": "array", "items": { "$ref": "#/$defs/CallStackItem" }, "description": "" }, "description": "" } } }, { "type": "object", "additionalProperties": false, "properties": { "type": { "type": "string", "enum": [ "class-level" ] }, "value": { "type": "array", "items": { "type": "array", "items": { "$ref": "#/$defs/ClassStackItem" }, "description": "" }, "description": "" } } } ] }, "workspacePath": { "type": "string", "description": "Path to the workspace root for multi-workspace projects", "default": "" }, "subprojectPath": { "type": "string", "description": "Path to the subproject within the workspace", "default": "" } }, "required": [ "type" ] }, "SocketIssueSeverity": { "type": "string", "enum": [ "low", "middle", "high", "critical" ], "description": "", "default": "low" }, "CallStackItem": { "type": "object", "additionalProperties": false, "properties": { "purl": { "type": "string", "description": "Package URL (PURL) of the dependency containing this code", "default": "" }, "sourceLocation": { "$ref": "#/$defs/SourceLocation" }, "confidence": { "type": "number", "description": "Confidence score from 0.0 to 1.0 indicating how certain the reachability analysis is about this result", "default": 0 } }, "description": "" }, "SocketArtifactLink": { "type": "object", "additionalProperties": false, "properties": { "direct": { "type": "boolean", "default": false, "description": "Indicates if this is a direct 
dependency (not transitive)" }, "dev": { "type": "boolean", "default": false, "description": "Indicates if this is a development-only dependency not used in production" }, "dead": { "type": "boolean", "default": false, "description": "Indicates if this package is deprecated, abandoned, or no longer maintained" }, "manifestFiles": { "type": "array", "items": { "$ref": "#/$defs/SocketManifestReference" }, "description": "" }, "topLevelAncestors": { "type": "array", "items": { "$ref": "#/$defs/SocketId" }, "description": "IDs of the root-level packages in the dependency tree that depend on this package" }, "dependencies": { "type": "array", "items": { "$ref": "#/$defs/SocketId" }, "description": "IDs of packages that this package directly depends on" }, "alertPriorities": { "type": "object", "additionalProperties": { "type": "object", "additionalProperties": false, "properties": { "result": { "type": "integer", "description": "Computed priority score for this alert", "default": 0 }, "components": { "type": "object", "additionalProperties": false, "description": "", "properties": { "isFixable": { "type": "object", "additionalProperties": false, "description": "", "properties": { "result": { "type": "number", "description": "Contribution of fixability to the priority score", "default": 0 }, "value": { "type": "boolean", "default": false, "description": "Whether a fix is available for this alert" } }, "required": [ "result", "value" ] }, "isReachable": { "type": "object", "additionalProperties": false, "description": "", "properties": { "result": { "type": "number", "description": "Contribution of reachability to the priority score", "default": 0 }, "value": { "type": "boolean", "default": false, "description": "Whether the vulnerable code is reachable" }, "specificValue": { "type": "string", "description": "Specific reachability type value such as 'unreachable', 'maybe_reachable', or 'reachable'", "default": "" } }, "required": [ "result", "specificValue", "value" ] }, 
"severity": { "type": "object", "additionalProperties": false, "description": "", "properties": { "result": { "type": "number", "description": "Contribution of severity to the priority score", "default": 0 }, "value": { "type": "integer", "description": "Numeric severity level", "default": 0 } }, "required": [ "result", "value" ] } }, "required": [ "isFixable", "isReachable", "severity" ] }, "formula": { "type": "string", "description": "Formula used to calculate the priority score", "default": "" } }, "required": [ "result" ] }, "properties": {}, "description": "Computed priority scores for each alert type based on severity, reachability, and fixability factors" }, "artifact": { "allOf": [ { "$ref": "#/$defs/SocketPURL" }, { "type": "object", "additionalProperties": false, "properties": { "id": { "$ref": "#/$defs/SocketId" } }, "required": [ "id" ] } ] }, "alertKeysToReachabilityTypes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string", "description": "", "default": "" }, "description": "" }, "properties": {}, "description": "Deprecated: mapping of alert keys to arrays of reachability types found across different manifest files or code locations. This field is derived from alertKeysToReachabilitySummaries for backward compatibility; use that property instead." }, "alertKeysToReachabilitySummaries": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "object", "additionalProperties": false, "description": "", "properties": { "type": { "type": "string", "description": "", "default": "" } }, "required": [ "type" ] }, "description": "" }, "properties": {}, "description": "Mapping of alert keys to arrays of reachability summaries. Each summary contains a reachability type indicating the result of reachability analysis for the corresponding vulnerability alert." 
} }, "description": "" }, "ReachabilityResult": { "type": "object", "additionalProperties": false, "description": "", "properties": { "type": { "type": "string", "enum": [ "precomputed", "full-scan" ], "description": "Type of reachability analysis performed", "default": "precomputed" }, "results": { "type": "array", "items": { "$ref": "#/$defs/ReachabilityResultItem" }, "description": "Reachability analysis results for each vulnerability" } }, "required": [ "results", "type" ] }, "SocketPatch": { "type": "object", "additionalProperties": false, "properties": { "uuid": { "type": "string", "description": "Unique identifier for this patch", "default": "" }, "tier": { "type": "string", "enum": [ "free", "paid" ], "description": "Access tier required for this patch (free or paid)", "default": "free" }, "deprecated": { "type": "boolean", "default": false, "description": "Indicates if this patch is deprecated and should not be used" } }, "required": [ "tier", "uuid" ] }, "SocketArtifactPatch": { "type": "object", "additionalProperties": false, "properties": { "appliedPatch": { "$ref": "#/$defs/SocketPatch" }, "availablePatches": { "type": "array", "items": { "$ref": "#/$defs/SocketPatch" }, "description": "List of available patches that can be applied to fix vulnerabilities" } }, "description": "" }, "SocketPURL_Type": { "type": "string", "enum": [ "alpm", "apk", "bitbucket", "cocoapods", "cargo", "chrome", "clawhub", "composer", "conan", "conda", "cran", "deb", "docker", "gem", "generic", "github", "golang", "hackage", "hex", "huggingface", "maven", "mlflow", "npm", "nuget", "qpkg", "oci", "pub", "pypi", "rpm", "socket", "swid", "swift", "vscode", "unknown" ], "description": "Package ecosystem type identifier based on the PURL specification", "default": "unknown" }, "SocketId": { "type": "string", "description": "", "default": "" }, "SocketAlert": { "type": "object", "additionalProperties": false, "properties": { "key": { "type": "string", "description": "Unique 
identifier for this alert instance, used for deduplication and tracking across scans", "default": "" }, "type": { "type": "string", "description": "Alert type identifier referencing the alert type definition", "default": "" }, "severity": { "$ref": "#/$defs/SocketIssueSeverity" }, "category": { "$ref": "#/$defs/SocketCategory" }, "file": { "type": "string", "description": "File path where this alert was detected", "default": "" }, "start": { "type": "integer", "description": "Starting position of the alert in the file", "default": 0 }, "end": { "type": "integer", "description": "Ending position of the alert in the file", "default": 0 }, "props": { "type": "object", "description": "Additional alert-specific properties and metadata that vary by alert type", "default": null }, "action": { "type": "string", "description": "Action to take for this alert (e.g., error, warn, ignore)", "default": "" }, "actionSource": { "type": "object", "additionalProperties": false, "description": "", "properties": { "type": { "type": "string", "description": "Type of action source (e.g., policy, override)", "default": "" }, "candidates": { "type": "array", "items": { "type": "object", "additionalProperties": false, "description": "", "properties": { "type": { "type": "string", "description": "Type of action candidate", "default": "" }, "action": { "type": "string", "description": "Proposed action for this candidate", "default": "" }, "actionPolicyIndex": { "type": "integer", "description": "Index of the policy rule for this candidate", "default": 0 }, "repoLabelId": { "type": "string", "description": "Repository label ID associated with this candidate", "default": "" } }, "required": [ "action", "actionPolicyIndex", "repoLabelId", "type" ] }, "description": "" } }, "required": [ "candidates", "type" ] }, "actionPolicyIndex": { "type": "integer", "description": "Index of the policy rule that triggered this action, for traceability to security policies", "default": 0 }, "fix": { "type": 
"object", "additionalProperties": false, "properties": { "type": { "type": "string", "description": "Type of fix available (e.g., upgrade, remove, cve)", "default": "" }, "description": { "type": "string", "description": "Human-readable description of how to fix this issue", "default": "" }, "patch": { "type": "array", "items": { "type": "object", "additionalProperties": false, "properties": { "uuid": { "type": "string", "description": "Unique identifier for this patch", "default": "" }, "tier": { "type": "string", "enum": [ "free", "paid" ], "description": "Access tier required for this patch (free or paid)", "default": "free" }, "deprecated": { "type": "boolean", "default": false, "description": "Indicates if this patch is deprecated and should not be used" } }, "required": [ "tier", "uuid" ] }, "description": "Patches available to fix this specific alert" } }, "required": [ "description", "type" ] }, "patch": { "$ref": "#/$defs/SocketPatch" }, "reachability": { "type": "object", "additionalProperties": false, "properties": { "head": { "$ref": "#/$defs/ReachabilityResult" }, "base": { "$ref": "#/$defs/ReachabilityResult" } }, "description": "" }, "subType": { "type": "string", "description": "Generic alert sub-type", "default": "" } }, "required": [ "key", "type" ] }, "ReachabilityType": { "type": "string", "enum": [ "missing_support", "undeterminable_reachability", "pending", "unreachable", "unknown", "direct_dependency", "error", "maybe_reachable", "reachable" ], "description": "Status of reachability analysis for vulnerable code paths", "default": "unknown" }, "SocketScore": { "type": "object", "additionalProperties": false, "description": "", "properties": { "license": { "type": "number", "description": "Score from 0.0 to 1.0 evaluating license permissiveness and compatibility", "default": 0 }, "maintenance": { "type": "number", "description": "Score from 0.0 to 1.0 evaluating project maintenance health and activity", "default": 0 }, "overall": { "type": 
"number", "description": "Combined score from 0.0 to 1.0 representing overall package health and safety", "default": 0 }, "quality": { "type": "number", "description": "Score from 0.0 to 1.0 evaluating code quality, testing, and documentation", "default": 0 }, "supplyChain": { "type": "number", "description": "Score from 0.0 to 1.0 evaluating supply chain security and provenance", "default": 0 }, "vulnerability": { "type": "number", "description": "Score from 0.0 to 1.0 based on known vulnerabilities and their severity", "default": 0 } }, "required": [ "license", "maintenance", "overall", "quality", "supplyChain", "vulnerability" ] }, "SocketManifestReference": { "type": "object", "additionalProperties": false, "properties": { "file": { "type": "string", "description": "Path to the manifest file (e.g., package.json, pom.xml)", "default": "" }, "start": { "type": "integer", "description": "Starting line or position in the manifest file", "default": 0 }, "end": { "type": "integer", "description": "Ending line or position in the manifest file", "default": 0 } }, "required": [ "file" ] }, "SAttrib1_N": { "type": "array", "items": { "type": "object", "additionalProperties": false, "description": "", "properties": { "attribText": { "type": "string", "description": "Full text of the license attribution or copyright notice found in the package", "default": "" }, "attribData": { "type": "array", "items": { "type": "object", "additionalProperties": false, "description": "", "properties": { "purl": { "type": "string", "description": "Package URL this attribution applies to", "default": "" }, "foundInFilepath": { "type": "string", "description": "File path where this attribution was found", "default": "" }, "spdxExpr": { "type": "string", "description": "SPDX license expression parsed from the attribution text", "default": "" }, "foundAuthors": { "type": "array", "items": { "type": "string", "description": "", "default": "" }, "description": "Authors mentioned in this 
attribution" } }, "required": [ "foundAuthors", "foundInFilepath", "purl", "spdxExpr" ] }, "description": "" } }, "required": [ "attribData", "attribText" ] }, "description": "" }, "SocketCategory": { "type": "string", "enum": [ "supplyChainRisk", "quality", "maintenance", "vulnerability", "license", "other" ], "description": "", "default": "other" }, "SocketPURL": { "type": "object", "additionalProperties": false, "properties": { "type": { "$ref": "#/$defs/SocketPURL_Type" }, "namespace": { "type": "string", "description": "Package namespace or scope, such as npm organizations (@angular), Maven groupIds, or Docker image owners", "default": "" }, "name": { "type": "string", "description": "Package name within its ecosystem", "default": "" }, "version": { "type": "string", "description": "Package version string", "default": "" }, "subpath": { "type": "string", "description": "Path within the package to a specific file or directory, used to reference nested components", "default": "" }, "release": { "type": "string", "description": "Package-specific release identifier, such as PyPI's artifact ID or the specific build/release version", "default": "" } }, "required": [ "type" ] }, "LicenseDetails": { "type": "array", "items": { "type": "object", "additionalProperties": false, "description": "", "properties": { "spdxDisj": { "type": "string", "description": "SPDX license expression in disjunctive normal form (e.g., '(MIT OR Apache-2.0)')", "default": "" }, "authors": { "type": "array", "items": { "type": "string", "description": "", "default": "" }, "description": "List of authors found in the license text" }, "errorData": { "type": "string", "description": "Error details if license parsing failed", "default": "" }, "provenance": { "type": "string", "description": "Source where this license information was detected (e.g., 'package.json', 'LICENSE file', 'README')", "default": "" }, "filepath": { "type": "string", "description": "Path to the file containing this license 
information", "default": "" }, "match_strength": { "type": "number", "description": "Confidence score from 0.0 to 1.0 indicating how well the detected license matches the source text", "default": 0 } }, "required": [ "authors", "errorData", "filepath", "match_strength", "provenance", "spdxDisj" ] }, "description": "" }, "SourceLocation": { "type": "object", "additionalProperties": false, "description": "", "properties": { "start": { "type": "object", "additionalProperties": false, "description": "", "properties": { "line": { "type": "integer", "description": "Line number in the source file", "default": 0 }, "column": { "type": "integer", "description": "Column number in the source file", "default": 0 }, "byteOffset": { "type": "integer", "description": "Absolute byte position from the beginning of the file, used for precise location tracking", "default": 0 } }, "required": [ "byteOffset", "column", "line" ] }, "end": { "type": "object", "additionalProperties": false, "properties": { "line": { "type": "integer", "description": "Line number in the source file", "default": 0 }, "column": { "type": "integer", "description": "Column number in the source file", "default": 0 }, "byteOffset": { "type": "integer", "description": "Absolute byte position from the beginning of the file, used for precise location tracking", "default": 0 } }, "description": "" }, "filename": { "type": "string", "description": "Path to the source file", "default": "" }, "fileHash": { "type": "string", "description": "Hash of the source file for integrity verification", "default": "" } }, "required": [ "end", "fileHash", "filename", "start" ] } } }