new advisories work and features gaps work

2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions
--- a/docs/api/findings-scoring.md
+++ b/docs/api/findings-scoring.md
@@ -280,6 +280,98 @@ X-Stella-Tenant: acme-corp
 }
 ```

+### Attested-Reduction Scoring Profile
+
+> Sprint: SPRINT_20260112_004_LB_attested_reduction_scoring
+
+When enabled, the attested-reduction profile applies precedence-based scoring using cryptographically anchored evidence:
+
+**Formula:** `score = clamp(base_epss * (1 + R + T) - P, 0, 1)`
+
+Where:
+- `base_epss` - EPSS score (exploit likelihood)
+- `R` - Reachability bonus (applied when anchored not-reachable evidence exists)
+- `T` - Telemetry bonus (applied when anchored no-observation evidence exists)
+- `P` - Patch proof reduction (applied when anchored backport/fix evidence exists)
+
+**Short-Circuit Rules:**
+1. **Anchored VEX not_affected/fixed** → Score = 0 (immediate watchlist)
+2. **Anchored VEX affected + runtime confirmed** → Hard fail (Score = 100, ActNow bucket)
+
+**Configuration in Policy:**
+```json
+{
+  "version": "ews.v1.3",
+  "weights": { ... },
+  "guardrails": { ... },
+  "buckets": { ... },
+  "attestedReduction": {
+    "enabled": true,
+    "precedenceList": [
+      "vex.not_affected",
+      "vex.fixed",
+      "backport.signed_proof",
+      "backport.vendor_vex",
+      "reachability.not_reachable",
+      "runtime.not_observed"
+    ],
+    "reachabilityBonus": 0.3,
+    "telemetryBonus": 0.2,
+    "patchProofReduction": 0.5,
+    "clampMin": 0.0,
+    "clampMax": 1.0,
+    "hardFailOnAffectedWithRuntime": true,
+    "hardFailScore": 1.0,
+    "skipEpssWhenAnchored": true,
+    "requiredVerificationStatus": "Verified"
+  }
+}
+```
+
+**Anchor Metadata:**
+
+Evidence inputs can include anchor metadata for cryptographic attestation:
+
+```json
+{
+  "findingId": "CVE-2024-1234@pkg:test/lib@1.0.0",
+  "xpl": 0.5,
+  "vexStatus": "not_affected",
+  "vexAnchor": {
+    "isAnchored": true,
+    "dsseEnvelopeDigest": "sha256:abc123...",
+    "predicateType": "https://stellaops.io/attestation/vex-override/v1",
+    "rekorLogIndex": 12345678,
+    "rekorEntryId": "24296fb24b8ad77a...",
+    "verificationStatus": "Verified",
+    "attestationTimestamp": "2026-01-14T10:30:00Z"
+  },
+  "backportDetails": {
+    "evidenceTier": "SignedProof",
+    "status": "Fixed",
+    "confidence": 0.95,
+    "anchor": {
+      "isAnchored": true,
+      "dsseEnvelopeDigest": "sha256:def456...",
+      "predicateType": "https://stellaops.io/attestation/backport/v1",
+      "verificationStatus": "Verified"
+    }
+  }
+}
+```
+
+**Response Flags (when attested-reduction is active):**
+
+| Flag | Description |
+|------|-------------|
+| `attested-reduction` | Attested-reduction scoring path was used |
+| `anchored-vex` | Anchored VEX evidence triggered precedence |
+| `anchored-backport` | Anchored backport evidence applied reduction |
+| `anchored-reachability` | Anchored reachability evidence applied bonus |
+| `anchored-runtime` | Anchored runtime evidence affected score |
+| `hard-fail` | Hard-fail triggered (affected + runtime confirmed) |
+| `epss-reduced` | EPSS influence reduced due to anchored evidence |
+
 ## Webhooks

 ### Register Webhook