stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/features/unchecked/policy/unknowns-ranking-algorithm.md Normal file
View File

@@ -0,0 +1,45 @@
# Unknowns Ranking Algorithm (HOT/WARM/COLD bands)
## Module
Policy
## Status
IMPLEMENTED
## Description
Unknown ranker with weighted scoring (popularity, exploit potential, uncertainty density, centrality, staleness), HOT/WARM/COLD band assignment, and BlastRadius model. Database migration for blast radius/containment exists.
## Implementation Details
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` (sealed class)
- Two-factor scoring: Score = (Uncertainty * 50) + (ExploitPressure * 50)
- **Uncertainty factors** (sum capped at 1.0):
- Missing VEX: +0.40
- Missing reachability: +0.30
- Conflicting signals: +0.20
- Stale evidence: +0.10
- **Exploit pressure factors** (sum capped at 1.0):
- KEV flagged: +0.50
- EPSS >= 0.90: +0.30
- EPSS >= 0.50: +0.15
- CVSS >= 9.0: +0.05
- **Containment reduction** (capped at 40%):
- Isolated: 15%, NotNetFacing: 5%, NonRoot: 5%, Seccomp: 10%, FsRO: 10%, NetworkIsolated: 5%
- **Time decay**: 7d=100%, 30d=90%, 90d=75%, 180d=60%, 365d=40%, >365d=20%
- **Band assignment**: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
- **Reason codes**: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown
- **BlastRadius model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs`
- Dependents (int), NetFacing (bool), Privilege (string?)
- **UnknownRankerOptions**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRankerOptions.cs` -- configurable weights and thresholds
- **UnknownRankInput**: includes EpssScore, CvssScore, IsKev, ContainmentSignals, LastEvaluatedAt, ReasonCodes
## E2E Test Plan
- [ ] Rank unknown with missing VEX + KEV flagged; verify score = (0.40*50) + (0.50*50) = 45; band=Warm
- [ ] Rank unknown with missing VEX + missing reachability + KEV + EPSS=0.95; verify score = (0.70*50) + (0.80*50) = 75; band=Hot
- [ ] Rank unknown with no uncertainty + no exploit pressure; verify score=0; band=Negligible
- [ ] Rank unknown with Isolated containment; verify 15% reduction from raw score
- [ ] Rank unknown with all containment signals; verify exactly 40% reduction (cap)
- [ ] Rank unknown last evaluated 90 days ago; verify decay factor=0.75 applied
- [ ] Rank unknown last evaluated 365 days ago; verify decay factor=0.40 applied
- [ ] Verify band assignment: score 80 -> Hot, score 55 -> Warm, score 30 -> Cold, score 10 -> Negligible
- [ ] Verify reason codes: unknown with VexConflict produces reason=VexConflict
- [ ] Verify deterministic ranking: same inputs always produce same score and band