Compliance Scoring Algorithm
The Deptic Compliance Score is a unified metric (0–100) that indicates how well your software supply chain documentation adheres to federal and enterprise mandates.
Algorithm breakdown:
| Category | Max Points | Evaluation Criteria |
|---|---|---|
| NTIA Base Elements | 70 pts | 10 points for each of the 7 minimum elements required by EO 14028. Partial points are awarded proportionally for incomplete metadata (e.g., missing supplier names). |
| Transitive Depth | 15 pts | Full points if transitive dependencies are fully resolved. 0 points if only direct dependencies are listed. |
| Vulnerability Status | 15 pts | 15 pts for 0 Critical/High CVEs. -5 pts for every High CVE. -15 pts if any Critical CVE exists. |
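The following is an added reference implementation of the three scoring categories in the table above; it is example code written for this page, not Deptic's own scoring code. The SBOM shape (a `metadata` dict plus a `components` list), the element field names, and the sample SBOM are constructed for the example. Two points the table leaves open are treated as assumptions and marked in the code: partial NTIA credit is computed linearly per element (10 points times the fraction of components carrying that element), and the vulnerability category is floored at 0, with any Critical CVE zeroing it outright.

```python
"""Added example: a reference implementation of the compliance scoring rules.

The SBOM input shape and field names below are constructed for this example and
do not correspond to Deptic's internal data model or to a real SBOM standard.
"""

# The seven NTIA minimum elements (EO 14028). Five are recorded per component,
# two describe the document as a whole.
PER_COMPONENT_ELEMENTS = (
    "supplier_name",
    "component_name",
    "component_version",
    "unique_identifier",
    "dependency_relationship",
)
DOCUMENT_ELEMENTS = ("sbom_author", "timestamp")


def element_coverage(sbom):
    """Return the fraction (0.0-1.0) of components carrying each NTIA element.

    Document-level elements are either fully present (1.0) or absent (0.0).
    """
    components = sbom.get("components", [])
    coverage = {}
    for element in PER_COMPONENT_ELEMENTS:
        if not components:
            coverage[element] = 0.0
            continue
        present = sum(1 for c in components if c.get(element))
        coverage[element] = present / len(components)
    metadata = sbom.get("metadata", {})
    for element in DOCUMENT_ELEMENTS:
        coverage[element] = 1.0 if metadata.get(element) else 0.0
    return coverage


def ntia_score(coverage):
    """10 points per element, scaled by that element's coverage.

    Assumption: 'partial points awarded proportionally' means a linear scale
    per element; the table does not define the exact rule.
    """
    elements = PER_COMPONENT_ELEMENTS + DOCUMENT_ELEMENTS
    return round(sum(10 * coverage.get(e, 0.0) for e in elements))


def transitive_score(sbom):
    """15 points only when transitive dependencies are fully resolved, else 0."""
    return 15 if sbom.get("transitive_resolved") else 0


def vulnerability_score(critical, high):
    """15 points with no Critical/High CVEs; -15 for any Critical, -5 per High.

    Assumption: the category never drops below 0, so a single Critical CVE
    zeroes it regardless of the High count.
    """
    if critical > 0:
        return 0
    return max(0, 15 - 5 * high)


def compliance_score(sbom, critical, high):
    """Combine the three categories into the 0-100 Compliance Score."""
    scoring = {
        "ntia_elements_score": ntia_score(element_coverage(sbom)),
        "transitive_depth": transitive_score(sbom),
        "vulnerabilities": vulnerability_score(critical, high),
    }
    return {"scoring": scoring, "final_score": sum(scoring.values())}


def _component(name, version, supplier):
    # Helper to build a constructed component record with every per-component element.
    return {
        "supplier_name": supplier,
        "component_name": name,
        "component_version": version,
        "unique_identifier": f"pkg:pypi/{name}@{version}",
        "dependency_relationship": "direct",
    }


# Constructed sample: five components, one of which has no supplier name (80% coverage).
SAMPLE_SBOM = {
    "metadata": {"sbom_author": "ci-bot", "timestamp": "2024-01-01T00:00:00Z"},
    "transitive_resolved": True,
    "components": [
        _component("libalpha", "1.0.0", "Example Org"),
        _component("libbeta", "2.3.1", "Example Org"),
        _component("libgamma", "0.9.0", ""),  # missing supplier name
        _component("libdelta", "4.1.2", "Other Vendor"),
        _component("libepsilon", "1.1.1", "Other Vendor"),
    ],
}

if __name__ == "__main__":
    # One High CVE and no Critical: 68 + 15 + 10 = 93 under the assumptions above.
    print(compliance_score(SAMPLE_SBOM, critical=0, high=1))
```

Note that under the linear per-element assumption, 80% supplier-name coverage costs 2 of the 10 points for that element; the table does not state the rule precisely enough to reproduce any other deduction, so treat the weighting as something to confirm against the actual scorer.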
Calculation example:
```json
{
  "project": "my-backend-api",
  "scoring": {
    "ntia_elements_score": 62, // Lost 8 points due to 80% supplier name coverage
    "transitive_depth": 15,    // Full resolution achieved
    "vulnerabilities": 10      // 1 High CVE (-5 pts)
  },
  "final_score": 87,
  "status": "PARTIALLY COMPLIANT"
}
```

Improving your score:
- Fix high severity CVEs: Use the "Fix All with PR" feature to bump vulnerable packages to safe versions.
- Use supported package managers: Ensure you are not relying on git+URL dependencies, which cannot be reliably fingerprinted for SBOM generation.