score method

RiskScore score({
  1. required DependencyProfile dependency,
  2. required ProjectManifest project,
  3. required DepSherpaConfig config,
})

Scores `dependency` in the context of `project` and `config`, returning a `RiskScore` that carries both the base (unattenuated) and final (trust-adjusted) scores, the hard-risk triggers, and the resulting classification. When the trust factor is exactly 1 and no hard-risk trigger fired, a `high` or `critical` classification is lowered to `moderate`; the override is recorded in `sherpaPolicyApplied` and does not change `finalScore`.

Implementation

/// Scores [dependency] in the context of [project] and [config].
///
/// Derives [RiskSignals] and [RiskComponents] from the dependency and
/// `config.parameters`, then weights the same components twice: once with
/// the normalized base weights and once with the weights returned by
/// `_adjustedWeights` for `config.attenuation` and the trust factor. The
/// trust-adjusted (final) score is what gets classified against
/// `config.thresholds`.
///
/// Sherpa policy: when the trust factor is exactly 1 and no hard-risk trigger
/// fired, a `high` or `critical` classification is lowered to `moderate`.
/// Only the classification changes — [RiskScore.finalScore] keeps the
/// pre-override value and [RiskScore.sherpaPolicyApplied] records that the
/// override happened, so consumers can audit or refuse the downgrade.
RiskScore score({
  required DependencyProfile dependency,
  required ProjectManifest project,
  required DepSherpaConfig config,
}) {
  final params = config.parameters;
  final thresholds = config.thresholds;

  final signals = _signals(dependency, params);
  final components = _components(signals, params);

  final weightsBase = config.riskWeights.normalized();
  final trust = _trustFactor(
    dependency: dependency,
    project: project,
    config: config,
  );
  // Trust acts on the weight vector only; both score variants share the
  // same components and differ solely in which weights are applied.
  final weightsAdjusted =
      _adjustedWeights(weightsBase, config.attenuation, trust);

  final double scoreBase = 100 * _weighted(weightsBase, components);
  final double scoreFinal = 100 * _weighted(weightsAdjusted, components);

  final triggers = _hardTriggers(
    dependency,
    signals,
    project.environmentSdk,
    thresholds,
  );

  var verdict = _classification(scoreFinal, thresholds);
  final isSevere = verdict == RiskClassification.high ||
      verdict == RiskClassification.critical;
  // NOTE(review): exact equality against a computed double — the downgrade
  // only fires if _trustFactor returns precisely 1 for fully trusted
  // dependencies; confirm that contract in _trustFactor.
  final policyApplies = trust == 1 && triggers.isEmpty && isSevere;
  if (policyApplies) {
    verdict = RiskClassification.moderate;
  }

  return RiskScore(
    signals: signals,
    components: components,
    baseWeights: weightsBase,
    adjustedWeights: weightsAdjusted,
    baseScore: scoreBase,
    finalScore: scoreFinal,
    classification: verdict,
    trustFactor: trust,
    sherpaPolicyApplied: policyApplies,
    hardRiskTriggers: triggers,
  );
}