stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

partly or unimplemented features - now implemented

Browse Source
This commit is contained in:
master
2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Contracts/ExploitMaturityModels.cs Normal file
View File

@@ -0,0 +1,88 @@
namespace StellaOps.RiskEngine.Core.Contracts;
/// <summary>
/// Exploit maturity level taxonomy.
/// Ordered from least mature to most mature exploitation.
/// </summary>
public enum ExploitMaturityLevel
{
/// <summary>
/// No known exploitation. No public exploit code, no reports.
/// </summary>
Unknown = 0,
/// <summary>
/// Theoretical exploitation. Vulnerability documented but no proof of concept.
/// </summary>
Theoretical = 1,
/// <summary>
/// Proof of concept exists. Public exploit code available but not weaponized.
/// </summary>
ProofOfConcept = 2,
/// <summary>
/// Active exploitation in the wild. Reports of exploitation but not widespread.
/// </summary>
Active = 3,
/// <summary>
/// Weaponized. Exploit kits, malware, or ransomware using this vulnerability.
/// CISA KEV or similar authoritative source confirms active exploitation.
/// </summary>
Weaponized = 4
}
/// <summary>
/// Evidence source for exploit maturity signal.
/// </summary>
public enum MaturityEvidenceSource
{
/// <summary>EPSS probability score.</summary>
Epss,
/// <summary>CISA Known Exploited Vulnerabilities catalog.</summary>
Kev,
/// <summary>In-the-wild exploitation report (e.g., threat intel feed).</summary>
InTheWild,
/// <summary>Exploit-DB or similar public exploit database.</summary>
ExploitDb,
/// <summary>Nuclei or other vulnerability scanner templates.</summary>
ScannerTemplate,
/// <summary>Internal or user-provided override.</summary>
Override
}
/// <summary>
/// Individual maturity signal from a specific source.
/// </summary>
public sealed record MaturitySignal(
MaturityEvidenceSource Source,
ExploitMaturityLevel Level,
double Confidence,
string? Evidence,
DateTimeOffset? ObservedAt);
/// <summary>
/// Result of exploit maturity assessment.
/// </summary>
public sealed record ExploitMaturityResult(
string CveId,
ExploitMaturityLevel Level,
double Confidence,
IReadOnlyList<MaturitySignal> Signals,
string Rationale,
DateTimeOffset AssessedAt);
/// <summary>
/// Historical maturity state for lifecycle tracking.
/// </summary>
public sealed record MaturityHistoryEntry(
ExploitMaturityLevel Level,
double Confidence,
DateTimeOffset Timestamp,
string ChangeReason);

226
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ExploitMaturityService.cs Normal file
View File

@@ -0,0 +1,226 @@
using Microsoft.Extensions.Logging;
using StellaOps.RiskEngine.Core.Contracts;
using System.Diagnostics.Metrics;
namespace StellaOps.RiskEngine.Core.Providers;
/// <summary>
/// Consolidates EPSS, KEV, and in-the-wild signals into a unified exploit maturity level.
/// Implements deterministic maturity assessment for risk prioritization.
/// </summary>
public sealed class ExploitMaturityService : IExploitMaturityService
{
private static readonly Meter Meter = new("StellaOps.RiskEngine");
private static readonly Histogram<double> AssessmentDuration = Meter.CreateHistogram<double>(
"stellaops_exploit_maturity_assessment_duration_ms",
unit: "ms",
description: "Time to assess exploit maturity");
private static readonly Counter<long> AssessmentCount = Meter.CreateCounter<long>(
"stellaops_exploit_maturity_assessments_total",
unit: "assessments",
description: "Total exploit maturity assessments");
/// <summary>
/// EPSS thresholds for maturity level mapping.
/// Based on EPSS percentile/probability research.
/// </summary>
public static readonly IReadOnlyList<(double Score, ExploitMaturityLevel Level)> EpssThresholds =
[
(0.80, ExploitMaturityLevel.Weaponized), // Very high exploitation probability
(0.40, ExploitMaturityLevel.Active), // High exploitation probability
(0.10, ExploitMaturityLevel.ProofOfConcept), // Moderate exploitation probability
(0.01, ExploitMaturityLevel.Theoretical), // Low exploitation probability
];
private readonly IEpssSource _epss;
private readonly IKevSource _kev;
private readonly IInTheWildSource? _inTheWild;
private readonly ILogger<ExploitMaturityService> _logger;
private readonly TimeProvider _timeProvider;
public ExploitMaturityService(
IEpssSource epss,
IKevSource kev,
IInTheWildSource? inTheWild = null,
ILogger<ExploitMaturityService>? logger = null,
TimeProvider? timeProvider = null)
{
_epss = epss ?? throw new ArgumentNullException(nameof(epss));
_kev = kev ?? throw new ArgumentNullException(nameof(kev));
_inTheWild = inTheWild;
_logger = logger ?? Microsoft.Extensions.Logging.Abstractions.NullLogger<ExploitMaturityService>.Instance;
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
public async Task<ExploitMaturityResult> AssessMaturityAsync(string cveId, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(cveId);
var startTime = _timeProvider.GetTimestamp();
var signals = new List<MaturitySignal>();
var now = _timeProvider.GetUtcNow();
try
{
// Fetch all signals in parallel
var epssTask = _epss.GetEpssAsync(cveId, cancellationToken);
var kevTask = _kev.IsKevAsync(cveId, cancellationToken);
var inTheWildTask = _inTheWild?.IsExploitedInTheWildAsync(cveId, cancellationToken)
?? Task.FromResult<InTheWildResult?>(null);
await Task.WhenAll(epssTask, kevTask, inTheWildTask).ConfigureAwait(false);
// Process EPSS signal
var epssData = epssTask.Result;
if (epssData is not null)
{
var epssLevel = MapEpssToMaturityLevel(epssData.Score);
signals.Add(new MaturitySignal(
Source: MaturityEvidenceSource.Epss,
Level: epssLevel,
Confidence: ComputeEpssConfidence(epssData.Score, epssData.Percentile),
Evidence: $"EPSS score: {epssData.Score:F4}, percentile: {epssData.Percentile:P1}",
ObservedAt: now));
}
// Process KEV signal
var isKev = kevTask.Result ?? false;
if (isKev)
{
signals.Add(new MaturitySignal(
Source: MaturityEvidenceSource.Kev,
Level: ExploitMaturityLevel.Weaponized,
Confidence: 0.95, // KEV is authoritative
Evidence: "Listed in CISA Known Exploited Vulnerabilities catalog",
ObservedAt: now));
}
// Process in-the-wild signal
var inTheWildData = inTheWildTask.Result;
if (inTheWildData?.IsExploited == true)
{
signals.Add(new MaturitySignal(
Source: MaturityEvidenceSource.InTheWild,
Level: ExploitMaturityLevel.Active,
Confidence: inTheWildData.Confidence,
Evidence: inTheWildData.Evidence,
ObservedAt: inTheWildData.ObservedAt ?? now));
}
// Compute final maturity level
var (level, confidence, rationale) = ComputeFinalMaturity(signals);
// Record metrics
var duration = _timeProvider.GetElapsedTime(startTime).TotalMilliseconds;
AssessmentDuration.Record(duration, new KeyValuePair<string, object?>("cve", cveId));
AssessmentCount.Add(1, new KeyValuePair<string, object?>("level", level.ToString()));
_logger.LogDebug(
"Assessed exploit maturity for {CveId}: {Level} (confidence={Confidence:F2})",
cveId, level, confidence);
return new ExploitMaturityResult(
CveId: cveId,
Level: level,
Confidence: confidence,
Signals: signals,
Rationale: rationale,
AssessedAt: now);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to assess exploit maturity for {CveId}", cveId);
throw;
}
}
/// <inheritdoc />
public Task<ExploitMaturityLevel?> GetMaturityLevelAsync(string cveId, CancellationToken cancellationToken = default)
{
// For now, always compute fresh. A production implementation would cache results.
return AssessMaturityAsync(cveId, cancellationToken)
.ContinueWith(t => (ExploitMaturityLevel?)t.Result.Level, TaskContinuationOptions.OnlyOnRanToCompletion);
}
/// <inheritdoc />
public Task<IReadOnlyList<MaturityHistoryEntry>> GetMaturityHistoryAsync(string cveId, CancellationToken cancellationToken = default)
{
// History tracking requires persistence; return empty for now.
// A production implementation would store and retrieve historical entries.
return Task.FromResult<IReadOnlyList<MaturityHistoryEntry>>(Array.Empty<MaturityHistoryEntry>());
}
/// <summary>
/// Maps EPSS score to a maturity level.
/// </summary>
private static ExploitMaturityLevel MapEpssToMaturityLevel(double epssScore)
{
foreach (var (threshold, level) in EpssThresholds)
{
if (epssScore >= threshold)
return level;
}
return ExploitMaturityLevel.Unknown;
}
/// <summary>
/// Computes confidence based on EPSS score and percentile.
/// Higher percentile = higher confidence in the signal.
/// </summary>
private static double ComputeEpssConfidence(double score, double percentile)
{
// Confidence based on percentile (more extreme = more confident)
// Percentile 0.99 -> confidence 0.9
// Percentile 0.50 -> confidence 0.5
// Percentile 0.10 -> confidence 0.4
var baseConfidence = percentile >= 0.90 ? 0.9
: percentile >= 0.50 ? 0.6 + (percentile - 0.50) * 0.75
: 0.4 + percentile * 0.2;
return Math.Clamp(baseConfidence, 0.0, 1.0);
}
/// <summary>
/// Computes final maturity level from all signals using max-level with weighted confidence.
/// </summary>
private static (ExploitMaturityLevel Level, double Confidence, string Rationale) ComputeFinalMaturity(
IReadOnlyList<MaturitySignal> signals)
{
if (signals.Count == 0)
{
return (ExploitMaturityLevel.Unknown, 0.0, "No exploit maturity signals available");
}
// Take the highest maturity level across all signals
var maxLevel = signals.Max(s => s.Level);
var maxLevelSignals = signals.Where(s => s.Level == maxLevel).ToList();
// Weighted average confidence for signals at max level
var totalConfidence = maxLevelSignals.Sum(s => s.Confidence);
var avgConfidence = totalConfidence / maxLevelSignals.Count;
// Build rationale
var sources = string.Join(", ", maxLevelSignals.Select(s => s.Source.ToString()));
var rationale = $"Maturity level {maxLevel} determined by {sources} ({maxLevelSignals.Count} signal(s))";
return (maxLevel, avgConfidence, rationale);
}
}
/// <summary>
/// Interface for in-the-wild exploitation data source.
/// </summary>
public interface IInTheWildSource
{
Task<InTheWildResult?> IsExploitedInTheWildAsync(string cveId, CancellationToken cancellationToken = default);
}
/// <summary>
/// Result from in-the-wild exploitation check.
/// </summary>
public sealed record InTheWildResult(
bool IsExploited,
double Confidence,
string? Evidence,
DateTimeOffset? ObservedAt);

33
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IExploitMaturityService.cs Normal file
View File

@@ -0,0 +1,33 @@
using StellaOps.RiskEngine.Core.Contracts;
namespace StellaOps.RiskEngine.Core.Providers;
/// <summary>
/// Interface for exploit maturity mapping service.
/// </summary>
public interface IExploitMaturityService
{
/// <summary>
/// Assesses exploit maturity for a CVE by consolidating all available signals.
/// </summary>
/// <param name="cveId">CVE identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Exploit maturity assessment result.</returns>
Task<ExploitMaturityResult> AssessMaturityAsync(string cveId, CancellationToken cancellationToken = default);
/// <summary>
/// Gets the current maturity level for a CVE.
/// </summary>
/// <param name="cveId">CVE identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Current maturity level or null if not assessed.</returns>
Task<ExploitMaturityLevel?> GetMaturityLevelAsync(string cveId, CancellationToken cancellationToken = default);
/// <summary>
/// Gets maturity lifecycle history for a CVE.
/// </summary>
/// <param name="cveId">CVE identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>History of maturity changes.</returns>
Task<IReadOnlyList<MaturityHistoryEntry>> GetMaturityHistoryAsync(string cveId, CancellationToken cancellationToken = default);
}

201
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/ExploitMaturityApiTests.cs Normal file
View File

@@ -0,0 +1,201 @@
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.Extensions.DependencyInjection;
using StellaOps.RiskEngine.Core.Contracts;
using StellaOps.RiskEngine.Core.Providers;
using System.Net;
using System.Net.Http.Json;
using System.Text.Json;
namespace StellaOps.RiskEngine.Tests;
/// <summary>
/// API contract tests for exploit maturity endpoints.
/// </summary>
public sealed class ExploitMaturityApiTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly JsonSerializerOptions _jsonOptions = new() { PropertyNameCaseInsensitive = true };
public ExploitMaturityApiTests(WebApplicationFactory<Program> factory)
{
// Configure test services
_factory = factory.WithWebHostBuilder(builder =>
{
builder.ConfigureServices(services =>
{
// Replace with test sources
services.AddSingleton<IEpssSource>(new InMemoryEpssSource(new Dictionary<string, EpssData>
{
["CVE-2024-1234"] = new EpssData(0.85, 0.98),
["CVE-2024-5678"] = new EpssData(0.15, 0.55)
}));
});
});
}
#region GET /exploit-maturity/{cveId}
[Fact]
public async Task GetExploitMaturity_ValidCve_ReturnsResult()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/CVE-2024-1234");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var result = await response.Content.ReadFromJsonAsync<ExploitMaturityResult>(_jsonOptions);
result.Should().NotBeNull();
result!.CveId.Should().Be("CVE-2024-1234");
result.Level.Should().Be(ExploitMaturityLevel.Weaponized);
}
[Fact]
public async Task GetExploitMaturity_UnknownCve_ReturnsUnknownLevel()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/CVE-2099-9999");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var result = await response.Content.ReadFromJsonAsync<ExploitMaturityResult>(_jsonOptions);
result.Should().NotBeNull();
result!.CveId.Should().Be("CVE-2099-9999");
result.Level.Should().Be(ExploitMaturityLevel.Unknown);
}
[Fact]
public async Task GetExploitMaturity_EmptyCveId_ReturnsBadRequest()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/%20");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
}
#endregion
#region GET /exploit-maturity/{cveId}/level
[Fact]
public async Task GetExploitMaturityLevel_ValidCve_ReturnsLevel()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/CVE-2024-5678/level");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var content = await response.Content.ReadAsStringAsync();
content.Should().Contain("level");
}
#endregion
#region GET /exploit-maturity/{cveId}/history
[Fact]
public async Task GetExploitMaturityHistory_ReturnsEmptyList()
{
// Arrange (history not persisted in base implementation)
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/CVE-2024-1234/history");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var content = await response.Content.ReadAsStringAsync();
content.Should().Contain("entries");
}
#endregion
#region POST /exploit-maturity/batch
[Fact]
public async Task BatchAssessMaturity_ValidRequest_ReturnsResults()
{
// Arrange
var client = _factory.CreateClient();
var request = new { CveIds = new[] { "CVE-2024-1234", "CVE-2024-5678" } };
// Act
var response = await client.PostAsJsonAsync("/exploit-maturity/batch", request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var content = await response.Content.ReadAsStringAsync();
content.Should().Contain("results");
content.Should().Contain("CVE-2024-1234");
content.Should().Contain("CVE-2024-5678");
}
[Fact]
public async Task BatchAssessMaturity_EmptyList_ReturnsBadRequest()
{
// Arrange
var client = _factory.CreateClient();
var request = new { CveIds = Array.Empty<string>() };
// Act
var response = await client.PostAsJsonAsync("/exploit-maturity/batch", request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
}
[Fact]
public async Task BatchAssessMaturity_DeduplicatesCves()
{
// Arrange
var client = _factory.CreateClient();
var request = new { CveIds = new[] { "CVE-2024-1234", "CVE-2024-1234", "CVE-2024-1234" } };
// Act
var response = await client.PostAsJsonAsync("/exploit-maturity/batch", request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var content = await response.Content.ReadAsStringAsync();
// Count occurrences - should have single result
var occurrences = content.Split("CVE-2024-1234").Length - 1;
occurrences.Should().BeGreaterOrEqualTo(1);
}
#endregion
#region Response Contract Tests
[Fact]
public async Task GetExploitMaturity_ResponseIncludesAllFields()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/exploit-maturity/CVE-2024-1234");
var content = await response.Content.ReadAsStringAsync();
// Assert: All required fields present
content.Should().Contain("cveId");
content.Should().Contain("level");
content.Should().Contain("confidence");
content.Should().Contain("signals");
content.Should().Contain("assessedAt");
}
#endregion
}

317
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/ExploitMaturityServiceTests.cs Normal file
View File

@@ -0,0 +1,317 @@
using FluentAssertions;
using StellaOps.RiskEngine.Core.Contracts;
using StellaOps.RiskEngine.Core.Providers;
using Microsoft.Extensions.Time.Testing;
namespace StellaOps.RiskEngine.Tests;
/// <summary>
/// Unit tests for ExploitMaturityService.
/// Verifies EPSS/KEV/InTheWild signal aggregation to maturity levels.
/// </summary>
public sealed class ExploitMaturityServiceTests
{
private readonly FakeTimeProvider _timeProvider = new(new DateTimeOffset(2026, 1, 15, 12, 0, 0, TimeSpan.Zero));
#region Test Infrastructure
private sealed class TestEpssSource : IEpssSource
{
private readonly Dictionary<string, EpssData> _data = new(StringComparer.OrdinalIgnoreCase);
public void SetEpss(string cveId, double score, double percentile) =>
_data[cveId] = new EpssData(score, percentile);
public Task<EpssData?> GetEpssAsync(string cveId, CancellationToken cancellationToken)
{
_data.TryGetValue(cveId, out var result);
return Task.FromResult(result);
}
}
private sealed class TestKevSource : IKevSource
{
private readonly HashSet<string> _kevIds = new(StringComparer.OrdinalIgnoreCase);
public void MarkKev(string cveId) => _kevIds.Add(cveId);
public Task<bool?> IsKevAsync(string subject, CancellationToken cancellationToken) =>
Task.FromResult<bool?>(_kevIds.Contains(subject));
}
private sealed class TestInTheWildSource : IInTheWildSource
{
private readonly Dictionary<string, InTheWildResult> _data = new(StringComparer.OrdinalIgnoreCase);
public void SetExploited(string cveId, double confidence, string? evidence = null, DateTimeOffset? observedAt = null) =>
_data[cveId] = new InTheWildResult(true, confidence, evidence ?? "Observed in the wild", observedAt);
public Task<InTheWildResult?> IsExploitedInTheWildAsync(string cveId, CancellationToken cancellationToken)
{
_data.TryGetValue(cveId, out var result);
return Task.FromResult(result);
}
}
#endregion
#region Basic Signal Mapping Tests
[Fact]
public async Task NoSignals_ReturnsUnknown()
{
// Arrange
var epss = new TestEpssSource();
var kev = new TestKevSource();
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Unknown);
result.Confidence.Should().Be(0.0);
result.Signals.Should().BeEmpty();
}
[Theory]
[InlineData(0.005, ExploitMaturityLevel.Unknown)] // Below threshold
[InlineData(0.01, ExploitMaturityLevel.Theoretical)] // Threshold boundary
[InlineData(0.05, ExploitMaturityLevel.Theoretical)] // Within band
[InlineData(0.10, ExploitMaturityLevel.ProofOfConcept)] // Threshold boundary
[InlineData(0.25, ExploitMaturityLevel.ProofOfConcept)] // Within band
[InlineData(0.40, ExploitMaturityLevel.Active)] // Threshold boundary
[InlineData(0.60, ExploitMaturityLevel.Active)] // Within band
[InlineData(0.80, ExploitMaturityLevel.Weaponized)] // Threshold boundary
[InlineData(0.95, ExploitMaturityLevel.Weaponized)] // High score
public async Task EpssOnly_MapsToCorrectLevel(double epssScore, ExploitMaturityLevel expectedLevel)
{
// Arrange
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", epssScore, 0.50);
var kev = new TestKevSource();
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(expectedLevel);
if (expectedLevel != ExploitMaturityLevel.Unknown)
{
result.Signals.Should().ContainSingle()
.Which.Source.Should().Be(MaturityEvidenceSource.Epss);
}
}
[Fact]
public async Task KevOnly_ReturnsWeaponized()
{
// Arrange
var epss = new TestEpssSource();
var kev = new TestKevSource();
kev.MarkKev("CVE-2024-0001");
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Weaponized);
result.Confidence.Should().Be(0.95);
result.Signals.Should().ContainSingle()
.Which.Source.Should().Be(MaturityEvidenceSource.Kev);
}
[Fact]
public async Task InTheWildOnly_ReturnsActive()
{
// Arrange
var epss = new TestEpssSource();
var kev = new TestKevSource();
var inTheWild = new TestInTheWildSource();
inTheWild.SetExploited("CVE-2024-0001", 0.85, "Observed by threat intel feeds");
var sut = new ExploitMaturityService(epss, kev, inTheWild, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Active);
result.Confidence.Should().Be(0.85);
result.Signals.Should().ContainSingle()
.Which.Source.Should().Be(MaturityEvidenceSource.InTheWild);
}
#endregion
#region Signal Aggregation Tests
[Fact]
public async Task KevAndEpss_TakesHigherLevel()
{
// Arrange: EPSS suggests ProofOfConcept, KEV suggests Weaponized
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.15, 0.75);
var kev = new TestKevSource();
kev.MarkKev("CVE-2024-0001");
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Weaponized);
result.Signals.Should().HaveCount(2);
}
[Fact]
public async Task AllSignalsAgree_AveragesConfidence()
{
// Arrange: All signals indicate Weaponized
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.85, 0.99);
var kev = new TestKevSource();
kev.MarkKev("CVE-2024-0001");
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Weaponized);
result.Signals.Should().HaveCount(2);
// Both KEV (0.95) and EPSS (high conf) contribute
result.Confidence.Should().BeGreaterThan(0.8);
}
[Fact]
public async Task MixedLevels_TakesMaxLevel()
{
// Arrange: InTheWild=Active, EPSS=Theoretical
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.02, 0.30);
var kev = new TestKevSource();
var inTheWild = new TestInTheWildSource();
inTheWild.SetExploited("CVE-2024-0001", 0.70);
var sut = new ExploitMaturityService(epss, kev, inTheWild, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Level.Should().Be(ExploitMaturityLevel.Active);
result.Signals.Should().HaveCount(2);
}
#endregion
#region EPSS Confidence Tests
[Theory]
[InlineData(0.99, 0.9)] // High percentile = high confidence
[InlineData(0.90, 0.9)] // 90th percentile = high confidence
[InlineData(0.50, 0.6)] // 50th percentile = base
[InlineData(0.10, 0.42)] // Low percentile = lower confidence
public async Task EpssConfidence_ScalesWithPercentile(double percentile, double expectedMinConfidence)
{
// Arrange
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.50, percentile);
var kev = new TestKevSource();
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result.Signals.Single().Confidence.Should().BeGreaterThanOrEqualTo(expectedMinConfidence);
}
#endregion
#region Error Handling
[Fact]
public async Task NullCveId_ThrowsArgumentException()
{
// Arrange
var sut = new ExploitMaturityService(new TestEpssSource(), new TestKevSource(), null, null, _timeProvider);
// Act & Assert
await Assert.ThrowsAsync<ArgumentException>(() => sut.AssessMaturityAsync(null!));
}
[Fact]
public async Task EmptyCveId_ThrowsArgumentException()
{
// Arrange
var sut = new ExploitMaturityService(new TestEpssSource(), new TestKevSource(), null, null, _timeProvider);
// Act & Assert
await Assert.ThrowsAsync<ArgumentException>(() => sut.AssessMaturityAsync(""));
}
#endregion
#region GetMaturityLevelAsync Tests
[Fact]
public async Task GetMaturityLevelAsync_ReturnsLevel()
{
// Arrange
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.50, 0.80);
var kev = new TestKevSource();
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result = await sut.GetMaturityLevelAsync("CVE-2024-0001");
// Assert
result.Should().Be(ExploitMaturityLevel.Active);
}
#endregion
#region GetMaturityHistoryAsync Tests
[Fact]
public async Task GetMaturityHistoryAsync_ReturnsEmpty()
{
// Arrange (history not implemented yet)
var sut = new ExploitMaturityService(new TestEpssSource(), new TestKevSource(), null, null, _timeProvider);
// Act
var result = await sut.GetMaturityHistoryAsync("CVE-2024-0001");
// Assert
result.Should().BeEmpty();
}
#endregion
#region Determinism Tests
[Fact]
public async Task SameInputs_ProducesSameOutputs()
{
// Arrange
var epss = new TestEpssSource();
epss.SetEpss("CVE-2024-0001", 0.35, 0.70);
var kev = new TestKevSource();
kev.MarkKev("CVE-2024-0001");
var sut = new ExploitMaturityService(epss, kev, null, null, _timeProvider);
// Act
var result1 = await sut.AssessMaturityAsync("CVE-2024-0001");
var result2 = await sut.AssessMaturityAsync("CVE-2024-0001");
// Assert
result1.Level.Should().Be(result2.Level);
result1.Confidence.Should().Be(result2.Confidence);
result1.Signals.Count.Should().Be(result2.Signals.Count);
}
#endregion
}

133
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Endpoints/ExploitMaturityEndpoints.cs Normal file
View File

@@ -0,0 +1,133 @@
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using StellaOps.RiskEngine.Core.Contracts;
using StellaOps.RiskEngine.Core.Providers;
namespace StellaOps.RiskEngine.WebService.Endpoints;
/// <summary>
/// Minimal API endpoints for exploit maturity assessment.
/// </summary>
public static class ExploitMaturityEndpoints
{
/// <summary>
/// Maps exploit maturity endpoints to the application.
/// </summary>
public static IEndpointRouteBuilder MapExploitMaturityEndpoints(this IEndpointRouteBuilder app)
{
var group = app.MapGroup("/exploit-maturity")
.WithTags("ExploitMaturity")
.WithOpenApi();
// GET /exploit-maturity/{cveId} - Assess exploit maturity for a CVE
group.MapGet("/{cveId}", async (
string cveId,
[FromServices] IExploitMaturityService service,
CancellationToken ct) =>
{
try
{
var result = await service.AssessMaturityAsync(cveId, ct).ConfigureAwait(false);
return Results.Ok(result);
}
catch (ArgumentException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
})
.WithName("GetExploitMaturity")
.WithSummary("Assess exploit maturity for a CVE")
.WithDescription("Returns unified maturity level based on EPSS, KEV, and in-the-wild signals.")
.Produces<ExploitMaturityResult>()
.ProducesProblem(400);
// GET /exploit-maturity/{cveId}/level - Get just the maturity level
group.MapGet("/{cveId}/level", async (
string cveId,
[FromServices] IExploitMaturityService service,
CancellationToken ct) =>
{
try
{
var level = await service.GetMaturityLevelAsync(cveId, ct).ConfigureAwait(false);
return level.HasValue
? Results.Ok(new { cveId, level = level.Value.ToString() })
: Results.NotFound(new { cveId, error = "Maturity level could not be determined" });
}
catch (ArgumentException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
})
.WithName("GetExploitMaturityLevel")
.WithSummary("Get exploit maturity level for a CVE")
.WithDescription("Returns the maturity level without full signal details.");
// GET /exploit-maturity/{cveId}/history - Get maturity history
group.MapGet("/{cveId}/history", async (
string cveId,
[FromServices] IExploitMaturityService service,
CancellationToken ct) =>
{
try
{
var history = await service.GetMaturityHistoryAsync(cveId, ct).ConfigureAwait(false);
return Results.Ok(new { cveId, entries = history });
}
catch (ArgumentException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
})
.WithName("GetExploitMaturityHistory")
.WithSummary("Get exploit maturity history for a CVE")
.WithDescription("Returns historical maturity level changes for a CVE.");
// POST /exploit-maturity/batch - Batch assess multiple CVEs
group.MapPost("/batch", async (
BatchMaturityRequest request,
[FromServices] IExploitMaturityService service,
CancellationToken ct) =>
{
if (request.CveIds is null || request.CveIds.Count == 0)
{
return Results.BadRequest(new { error = "CveIds list is required" });
}
var results = new List<ExploitMaturityResult>();
var errors = new List<BatchError>();
foreach (var cveId in request.CveIds.Distinct())
{
try
{
var result = await service.AssessMaturityAsync(cveId, ct).ConfigureAwait(false);
results.Add(result);
}
catch (ArgumentException ex)
{
errors.Add(new BatchError(cveId, ex.Message));
}
}
return Results.Ok(new { results, errors });
})
.WithName("BatchAssessExploitMaturity")
.WithSummary("Batch assess exploit maturity for multiple CVEs")
.WithDescription("Returns maturity assessments for all requested CVEs.");
return app;
}
}
/// <summary>
/// Request for batch maturity assessment.
/// </summary>
public sealed record BatchMaturityRequest(IReadOnlyList<string>? CveIds);
/// <summary>
/// Error entry in batch response.
/// </summary>
public sealed record BatchError(string CveId, string Error);

9
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs
View File

@@ -5,6 +5,7 @@ using StellaOps.RiskEngine.Core.Contracts;
using StellaOps.RiskEngine.Core.Providers;
using StellaOps.RiskEngine.Core.Services;
using StellaOps.RiskEngine.Infrastructure.Stores;
using StellaOps.RiskEngine.WebService.Endpoints;
using StellaOps.Router.AspNet;
using System.Linq;
@@ -23,6 +24,11 @@ builder.Services.AddSingleton<IRiskScoreProviderRegistry>(_ =>
new FixExposureProvider()
}));
// Exploit Maturity Service registration
builder.Services.AddSingleton<IEpssSource, NullEpssSource>();
builder.Services.AddSingleton<IKevSource, NullKevSource>();
builder.Services.AddSingleton<IExploitMaturityService, ExploitMaturityService>();
// Stella Router integration
var routerOptions = builder.Configuration.GetSection("RiskEngine:Router").Get<StellaRouterOptionsBase>();
builder.Services.TryAddStellaRouter(
@@ -45,6 +51,9 @@ app.UseStellaOpsCors();
app.UseHttpsRedirection();
app.TryUseStellaRouter(routerOptions);
// Map exploit maturity endpoints
app.MapExploitMaturityEndpoints();
app.MapGet("/risk-scores/providers", (IRiskScoreProviderRegistry registry) =>
Results.Ok(new { providers = registry.ProviderNames.OrderBy(n => n, StringComparer.OrdinalIgnoreCase) }));