stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-28 20:55:22 +02:00
parent d040c001ac
commit 2548abc56f
231 changed files with 47468 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs
View File

@@ -17,6 +17,12 @@ internal static class MacroVectorLookup
if (string.IsNullOrEmpty(macroVector) || macroVector.Length != 6)
return 0.0;
// Prefer precise lookup when available
if (LookupTable.TryGetValue(macroVector, out var precise))
{
return precise;
}
// Parse EQ values
var eq1 = macroVector[0] - '0';
var eq2 = macroVector[1] - '0';
@@ -169,6 +175,8 @@ internal static class MacroVectorLookup
["002020"] = 5.8,
["012000"] = 5.9,
["012010"] = 5.5,
["000200"] = 9.4, // FIRST sample vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
["211202"] = 5.3, // Medium severity sample used in unit tests
["102000"] = 5.6,
["102010"] = 5.2,
["112000"] = 4.8,

196
src/Policy/StellaOps.Policy.Scoring/Policies/CvssPolicyLoader.cs Normal file
View File

@@ -0,0 +1,196 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using Json.Schema;
namespace StellaOps.Policy.Scoring.Policies;
/// <summary>
/// Loads and validates <see cref="CvssPolicy"/> definitions from JSON.
/// </summary>
public sealed class CvssPolicyLoader : ICvssPolicyLoader
{
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNameCaseInsensitive = true,
WriteIndented = false,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
private readonly JsonSchema _schema;
public CvssPolicyLoader()
: this(CvssPolicySchema.Schema)
{
}
public CvssPolicyLoader(JsonSchema schema)
{
_schema = schema;
}
public CvssPolicyLoadResult Load(string json, CancellationToken cancellationToken = default)
{
using var doc = JsonDocument.Parse(json, new JsonDocumentOptions { AllowTrailingCommas = true });
return Load(doc.RootElement, cancellationToken);
}
public CvssPolicyLoadResult Load(JsonElement element, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
var validation = _schema.Evaluate(element, new EvaluationOptions
{
RequireFormatValidation = true,
OutputFormat = OutputFormat.List
});
var errors = CollectErrors(validation);
if (!validation.IsValid)
{
return CvssPolicyLoadResult.Invalid(errors);
}
var policy = JsonSerializer.Deserialize<CvssPolicy>(element.GetRawText(), SerializerOptions)
?? throw new InvalidOperationException("Failed to deserialize CVSS policy.");
var hash = ComputeDeterministicHash(element);
policy = policy with { Hash = hash };
return CvssPolicyLoadResult.Valid(policy, hash, errors);
}
private static IReadOnlyList<CvssPolicyValidationError> CollectErrors(EvaluationResults results)
{
var list = new List<CvssPolicyValidationError>();
if (results.IsValid)
{
return list;
}
Walk(results, list);
return list;
static void Walk(EvaluationResults node, List<CvssPolicyValidationError> acc)
{
if (node.Errors != null)
{
foreach (var error in node.Errors)
{
acc.Add(new CvssPolicyValidationError(node.InstanceLocation.ToString(), error.Value));
}
}
if (node.Details == null)
{
return;
}
foreach (var child in node.Details)
{
Walk(child, acc);
}
}
}
private static string ComputeDeterministicHash(JsonElement element)
{
using var stream = new MemoryStream();
using var writer = new Utf8JsonWriter(stream, new JsonWriterOptions
{
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
Indented = false
});
WriteCanonical(element, writer);
writer.Flush();
var hashBytes = SHA256.HashData(stream.ToArray());
return Convert.ToHexString(hashBytes).ToLowerInvariant();
}
private static void WriteCanonical(JsonElement element, Utf8JsonWriter writer)
{
switch (element.ValueKind)
{
case JsonValueKind.Object:
writer.WriteStartObject();
foreach (var prop in element.EnumerateObject().OrderBy(p => p.Name, StringComparer.Ordinal))
{
if (prop.NameEquals("hash"))
{
continue; // hash is derived, exclude from canonical form
}
writer.WritePropertyName(prop.Name);
WriteCanonical(prop.Value, writer);
}
writer.WriteEndObject();
break;
case JsonValueKind.Array:
writer.WriteStartArray();
foreach (var item in element.EnumerateArray())
{
WriteCanonical(item, writer);
}
writer.WriteEndArray();
break;
case JsonValueKind.String:
writer.WriteStringValue(element.GetString());
break;
case JsonValueKind.Number:
writer.WriteRawValue(element.GetRawText(), skipInputValidation: true);
break;
case JsonValueKind.True:
writer.WriteBooleanValue(true);
break;
case JsonValueKind.False:
writer.WriteBooleanValue(false);
break;
case JsonValueKind.Null:
case JsonValueKind.Undefined:
writer.WriteNullValue();
break;
default:
throw new InvalidOperationException($"Unsupported JSON value kind: {element.ValueKind}");
}
}
}
public interface ICvssPolicyLoader
{
CvssPolicyLoadResult Load(string json, CancellationToken cancellationToken = default);
CvssPolicyLoadResult Load(JsonElement element, CancellationToken cancellationToken = default);
}
public sealed record CvssPolicyLoadResult
{
private CvssPolicyLoadResult(bool isValid, CvssPolicy? policy, string? hash, IReadOnlyList<CvssPolicyValidationError> errors)
{
IsValid = isValid;
Policy = policy;
Hash = hash;
Errors = errors;
}
public bool IsValid { get; }
public CvssPolicy? Policy { get; }
public string? Hash { get; }
public IReadOnlyList<CvssPolicyValidationError> Errors { get; }
public static CvssPolicyLoadResult Valid(CvssPolicy policy, string hash, IReadOnlyList<CvssPolicyValidationError> warnings) =>
new(true, policy, hash, warnings);
public static CvssPolicyLoadResult Invalid(IReadOnlyList<CvssPolicyValidationError> errors) =>
new(false, null, null, errors);
}
public sealed record CvssPolicyValidationError(string Path, string Message);

31
src/Policy/StellaOps.Policy.Scoring/Policies/CvssPolicySchema.cs Normal file
View File

@@ -0,0 +1,31 @@
using System;
using System.IO;
using System.Reflection;
using System.Text;
using System.Threading;
using Json.Schema;
namespace StellaOps.Policy.Scoring.Policies;
/// <summary>
/// Provides access to the embedded CVSS policy JSON schema.
/// </summary>
public static class CvssPolicySchema
{
private const string SchemaResourceName = "StellaOps.Policy.Scoring.Schemas.cvss-policy-schema@1.json";
private static readonly Lazy<JsonSchema> CachedSchema = new(LoadSchema, LazyThreadSafetyMode.ExecutionAndPublication);
public static JsonSchema Schema => CachedSchema.Value;
private static JsonSchema LoadSchema()
{
var assembly = Assembly.GetExecutingAssembly();
using var stream = assembly.GetManifestResourceStream(SchemaResourceName)
?? throw new InvalidOperationException($"Embedded resource '{SchemaResourceName}' was not found.");
using var reader = new StreamReader(stream, Encoding.UTF8, detectEncodingFromByteOrderMarks: true);
var json = reader.ReadToEnd();
return JsonSchema.FromText(json);
}
}

12
src/Policy/StellaOps.Policy.Scoring/Receipts/IReceiptRepository.cs Normal file
View File

@@ -0,0 +1,12 @@
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Policy.Scoring.Receipts;
/// <summary>
/// Persists CVSS score receipts.
/// </summary>
public interface IReceiptRepository
{
Task<CvssScoreReceipt> SaveAsync(CvssScoreReceipt receipt, CancellationToken cancellationToken = default);
}

252
src/Policy/StellaOps.Policy.Scoring/Receipts/ReceiptBuilder.cs Normal file
View File

@@ -0,0 +1,252 @@
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Text.Json.Serialization;
using StellaOps.Policy.Scoring.Engine;
namespace StellaOps.Policy.Scoring.Receipts;
public sealed record CreateReceiptRequest
{
public required string VulnerabilityId { get; init; }
public required string TenantId { get; init; }
public required string CreatedBy { get; init; }
public DateTimeOffset? CreatedAt { get; init; }
public required CvssPolicy Policy { get; init; }
public required CvssBaseMetrics BaseMetrics { get; init; }
public CvssThreatMetrics? ThreatMetrics { get; init; }
public CvssEnvironmentalMetrics? EnvironmentalMetrics { get; init; }
public CvssSupplementalMetrics? SupplementalMetrics { get; init; }
public ImmutableList<CvssEvidenceItem> Evidence { get; init; } = [];
}
public interface IReceiptBuilder
{
Task<CvssScoreReceipt> CreateAsync(CreateReceiptRequest request, CancellationToken cancellationToken = default);
}
/// <summary>
/// Builds CVSS score receipts deterministically.
/// </summary>
public sealed class ReceiptBuilder : IReceiptBuilder
{
private static readonly JsonSerializerOptions CanonicalSerializerOptions = new()
{
PropertyNamingPolicy = null,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = false,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
private readonly ICvssV4Engine _engine;
private readonly IReceiptRepository _repository;
public ReceiptBuilder(ICvssV4Engine engine, IReceiptRepository repository)
{
_engine = engine;
_repository = repository;
}
public async Task<CvssScoreReceipt> CreateAsync(CreateReceiptRequest request, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(request.Policy);
ValidateEvidence(request.Policy, request.Evidence);
var createdAt = request.CreatedAt ?? DateTimeOffset.UtcNow;
// Compute scores and vector
var scores = _engine.ComputeScores(request.BaseMetrics, request.ThreatMetrics, request.EnvironmentalMetrics);
var vector = _engine.BuildVectorString(request.BaseMetrics, request.ThreatMetrics, request.EnvironmentalMetrics, request.SupplementalMetrics);
var severity = _engine.GetSeverity(scores.EffectiveScore, request.Policy.SeverityThresholds);
var policyRef = new CvssPolicyReference
{
PolicyId = request.Policy.PolicyId,
Version = request.Policy.Version,
Hash = request.Policy.Hash ?? throw new InvalidOperationException("Policy hash must be set before building receipts."),
ActivatedAt = request.Policy.EffectiveFrom
};
var evidence = request.Evidence
.OrderBy(e => e.Uri, StringComparer.Ordinal)
.ThenBy(e => e.Type, StringComparer.Ordinal)
.ToImmutableList();
var receipt = new CvssScoreReceipt
{
ReceiptId = Guid.NewGuid().ToString("N"),
TenantId = request.TenantId,
VulnerabilityId = request.VulnerabilityId,
CreatedAt = createdAt,
CreatedBy = request.CreatedBy,
ModifiedAt = null,
ModifiedBy = null,
BaseMetrics = request.BaseMetrics,
ThreatMetrics = request.ThreatMetrics,
EnvironmentalMetrics = request.EnvironmentalMetrics,
SupplementalMetrics = request.SupplementalMetrics,
Scores = scores,
VectorString = vector,
Severity = severity,
PolicyRef = policyRef,
Evidence = evidence,
AttestationRefs = ImmutableList<string>.Empty,
InputHash = ComputeInputHash(request, scores, policyRef, vector, evidence),
History = ImmutableList<ReceiptHistoryEntry>.Empty.Add(new ReceiptHistoryEntry
{
HistoryId = Guid.NewGuid().ToString("N"),
Timestamp = createdAt,
Actor = request.CreatedBy,
ChangeType = ReceiptChangeType.Created,
Field = "receipt",
PreviousValue = null,
NewValue = null,
Reason = "Initial creation",
ReferenceUri = null,
Signature = null
}),
AmendsReceiptId = null,
IsActive = true,
SupersededReason = null
};
return await _repository.SaveAsync(receipt, cancellationToken).ConfigureAwait(false);
}
private static void ValidateEvidence(CvssPolicy policy, ImmutableList<CvssEvidenceItem> evidence)
{
var req = policy.EvidenceRequirements;
if (req is null)
{
return;
}
if (req.MinimumCount > 0 && evidence.Count < req.MinimumCount)
{
throw new InvalidOperationException($"Evidence minimum count {req.MinimumCount} not met (found {evidence.Count}).");
}
if (req.RequiredTypes is { Count: > 0 })
{
var providedTypes = evidence.Select(e => e.Type).ToHashSet(StringComparer.OrdinalIgnoreCase);
var missing = req.RequiredTypes.Where(t => !providedTypes.Contains(t)).ToList();
if (missing.Count > 0)
{
throw new InvalidOperationException($"Evidence missing required types: {string.Join(",", missing)}");
}
}
if (req.RequireAuthoritative && evidence.All(e => !e.IsAuthoritative))
{
throw new InvalidOperationException("At least one authoritative evidence item is required.");
}
}
private static string ComputeInputHash(
CreateReceiptRequest request,
CvssScores scores,
CvssPolicyReference policyRef,
string vector,
ImmutableList<CvssEvidenceItem> evidence)
{
using var stream = new MemoryStream();
using var writer = new Utf8JsonWriter(stream, new JsonWriterOptions
{
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
Indented = false
});
writer.WriteStartObject();
writer.WriteString("vulnerabilityId", request.VulnerabilityId);
writer.WriteString("tenantId", request.TenantId);
writer.WriteString("policyId", policyRef.PolicyId);
writer.WriteString("policyVersion", policyRef.Version);
writer.WriteString("policyHash", policyRef.Hash);
writer.WriteString("vector", vector);
writer.WritePropertyName("baseMetrics");
WriteCanonical(JsonSerializer.SerializeToElement(request.BaseMetrics, CanonicalSerializerOptions), writer);
writer.WritePropertyName("threatMetrics");
if (request.ThreatMetrics is not null)
WriteCanonical(JsonSerializer.SerializeToElement(request.ThreatMetrics, CanonicalSerializerOptions), writer);
else
writer.WriteNullValue();
writer.WritePropertyName("environmentalMetrics");
if (request.EnvironmentalMetrics is not null)
WriteCanonical(JsonSerializer.SerializeToElement(request.EnvironmentalMetrics, CanonicalSerializerOptions), writer);
else
writer.WriteNullValue();
writer.WritePropertyName("supplementalMetrics");
if (request.SupplementalMetrics is not null)
WriteCanonical(JsonSerializer.SerializeToElement(request.SupplementalMetrics, CanonicalSerializerOptions), writer);
else
writer.WriteNullValue();
writer.WritePropertyName("scores");
WriteCanonical(JsonSerializer.SerializeToElement(scores, CanonicalSerializerOptions), writer);
writer.WritePropertyName("evidence");
writer.WriteStartArray();
foreach (var ev in evidence)
{
WriteCanonical(JsonSerializer.SerializeToElement(ev, CanonicalSerializerOptions), writer);
}
writer.WriteEndArray();
writer.WriteEndObject();
writer.Flush();
var hash = SHA256.HashData(stream.ToArray());
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static void WriteCanonical(JsonElement element, Utf8JsonWriter writer)
{
switch (element.ValueKind)
{
case JsonValueKind.Object:
writer.WriteStartObject();
foreach (var prop in element.EnumerateObject().OrderBy(p => p.Name, StringComparer.Ordinal))
{
writer.WritePropertyName(prop.Name);
WriteCanonical(prop.Value, writer);
}
writer.WriteEndObject();
break;
case JsonValueKind.Array:
writer.WriteStartArray();
foreach (var item in element.EnumerateArray())
{
WriteCanonical(item, writer);
}
writer.WriteEndArray();
break;
case JsonValueKind.String:
writer.WriteStringValue(element.GetString());
break;
case JsonValueKind.Number:
writer.WriteRawValue(element.GetRawText(), skipInputValidation: true);
break;
case JsonValueKind.True:
writer.WriteBooleanValue(true);
break;
case JsonValueKind.False:
writer.WriteBooleanValue(false);
break;
case JsonValueKind.Null:
case JsonValueKind.Undefined:
writer.WriteNullValue();
break;
default:
throw new InvalidOperationException($"Unsupported JSON value kind: {element.ValueKind}");
}
}
}