Add call graph fixtures for various languages and scenarios

- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET. - Added `all-visibility-levels.json` to validate method visibility levels in .NET. - Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application. - Included `go-gin-api.json` for a Go Gin API application structure. - Added `java-spring-boot.json` for the Spring PetClinic application in Java. - Introduced `legacy-no-schema.json` for legacy application structure without schema. - Created `node-express-api.json` for an Express.js API application structure.
2025-12-16 10:44:24 +02:00
parent 4391f35d8a
commit 5a480a3c2a
223 changed files with 19367 additions and 727 deletions
--- a/docs/signals/unknowns-registry.md
+++ b/docs/signals/unknowns-registry.md
@@ -46,6 +46,22 @@ All endpoints are additive; no hard deletes. Payloads must include tenant bindin
 - Policy can block `not_affected` claims when `unknowns_pressure` exceeds thresholds.
 - UI/CLI show unknown chips with reason and depth; operators can triage or suppress.

+### 5.1 Multi-Factor Ranking
+
+Unknowns are ranked using a 5-factor scoring algorithm that computes a composite score from:
+- **Popularity (P)** - Deployment impact based on usage count
+- **Exploit Potential (E)** - CVE severity if known
+- **Uncertainty (U)** - Accumulated flag weights
+- **Centrality (C)** - Graph position importance (betweenness)
+- **Staleness (S)** - Evidence age since last analysis
+
+Based on the composite score, unknowns are assigned to triage bands:
+- **HOT** (score >= 0.70): Immediate rescan, 15-minute scheduling
+- **WARM** (0.40 <= score < 0.70): Scheduled rescan within 12-72h
+- **COLD** (score < 0.40): Weekly batch processing
+
+See [Unknowns Ranking Algorithm](./unknowns-ranking.md) for the complete formula reference.
+
 ## 6. Storage & CAS

 - Primary store: append-only KV/graph in Mongo (collections `unknowns`, `unknown_metrics`).