Add call graph fixtures for various languages and scenarios
- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET. - Added `all-visibility-levels.json` to validate method visibility levels in .NET. - Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application. - Included `go-gin-api.json` for a Go Gin API application structure. - Added `java-spring-boot.json` for the Spring PetClinic application in Java. - Introduced `legacy-no-schema.json` for legacy application structure without schema. - Created `node-express-api.json` for an Express.js API application structure.
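--- /dev/null
+++ b/etc/score-policy.yaml.sample
@@ -0,0 +1,104 @@
+# StellaOps Score Policy Configuration
+# Policy version: score.v1
+#
+# This file defines deterministic vulnerability scoring weights, buckets, and overrides.
+# All weight values are in basis points (bps), where 10000 = 100%.
+# The weightsBps values must sum to exactly 10000.
+
+policyVersion: score.v1
+
+# Weight distribution for score calculation (in basis points, sum = 10000)
+weightsBps:
+  baseSeverity: 1000 # 10% - Base CVSS/severity score contribution
+  reachability: 4500 # 45% - Reachability analysis contribution
+  evidence: 3000 # 30% - Evidence/proof contribution
+  provenance: 1500 # 15% - Supply chain provenance contribution
+
+# Reachability scoring configuration
+reachability:
+  # Hop bucket scoring: score decreases as number of hops increases
+  hopBuckets:
+    - maxHops: 0 # Direct call to vulnerable function
+      score: 100
+    - maxHops: 1 # 1 hop away
+      score: 90
+    - maxHops: 3 # 2-3 hops away
+      score: 70
+    - maxHops: 5 # 4-5 hops away
+      score: 50
+    - maxHops: 10 # 6-10 hops away
+      score: 30
+    - maxHops: 9999 # > 10 hops
+      score: 10
+
+  # Score when vulnerability is confirmed unreachable
+  unreachableScore: 0
+
+  # Gate multipliers reduce effective score when protective gates are detected
+  # Values in basis points (10000 = 100%, no reduction)
+  gateMultipliersBps:
+    featureFlag: 7000 # Behind feature flag (30% reduction)
+    authRequired: 8000 # Requires authentication (20% reduction)
+    adminOnly: 8500 # Admin-only access (15% reduction)
+    nonDefaultConfig: 7500 # Requires non-default configuration (25% reduction)
+
+# Evidence scoring configuration
+evidence:
+  # Points awarded for different evidence types (0-100)
+  points:
+    runtime: 60 # Runtime/dynamic evidence (highest value)
+    dast: 30 # Dynamic Application Security Testing
+    sast: 20 # Static Application Security Testing
+    sca: 10 # Software Composition Analysis (baseline)
+
+  # Evidence freshness decay buckets
+  # multiplierBps: how much of evidence value to apply based on age
+  freshnessBuckets:
+    - maxAgeDays: 7 # Fresh evidence (0-7 days): full value
+      multiplierBps: 10000
+    - maxAgeDays: 30 # Recent evidence (8-30 days): 90% value
+      multiplierBps: 9000
+    - maxAgeDays: 90 # Moderate age (31-90 days): 70% value
+      multiplierBps: 7000
+    - maxAgeDays: 180 # Aging evidence (91-180 days): 50% value
+      multiplierBps: 5000
+    - maxAgeDays: 365 # Old evidence (181-365 days): 30% value
+      multiplierBps: 3000
+    - maxAgeDays: 9999 # Stale evidence (> 1 year): 10% value
+      multiplierBps: 1000
+
+# Provenance scoring configuration
+provenance:
+  # Scores for different provenance levels (0-100)
+  levels:
+    unsigned: 0 # No signature
+    signed: 30 # Signed artifact
+    signedWithSbom: 60 # Signed with SBOM
+    signedWithSbomAndAttestations: 80 # Signed with SBOM and attestations
+    reproducible: 100 # Fully reproducible build
+
+# Score overrides for special conditions
+# Overrides are evaluated in order; first matching rule applies
+overrides:
+  # Example: Clamp maximum score for behind feature flags with low reachability
+  - name: feature-flag-unreachable
+    when:
+      flags:
+        featureFlag: true
+      maxReachability: 20
+    clampMaxScore: 30
+
+  # Example: Minimum score for critical vulnerabilities even if unreachable
+  - name: critical-minimum
+    when:
+      flags:
+        isCritical: true
+      maxReachability: 0
+    clampMinScore: 25
+
+  # Example: Override for known exploited vulnerabilities (KEV)
+  - name: kev-boost
+    when:
+      flags:
+        isKev: true
+    clampMinScore: 70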
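Review bot: The `kev-boost` rule at the end of the `overrides` list can never raise a finding that an earlier rule already matched, because the comment above the list declares "first matching rule applies": a KEV finding that is also critical and unreachable hits `critical-minimum` first and is floored at 25 rather than 70, and a KEV finding behind a feature flag with reachability at or below 20 is capped at 30 by `feature-flag-unreachable`. Since this is the sample operators will copy, that ordering quietly defeats the KEV floor in exactly the cases where it matters most. If KEV is meant to dominate, list `kev-boost` first, or at minimum add above it `# NOTE: first-match evaluation — this rule only fires for findings not matched by a rule above; move it to the top if KEV must always floor the score.` Whether the consumer actually composes clamps or stops at the first match is inferred from that comment, not verified here, so the header comment should also state which it is.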