Add Canonical JSON serialization library with tests and documentation
- Implemented CanonJson class for deterministic JSON serialization and hashing. - Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters. - Created project files for the Canonical JSON library and its tests, including necessary package references. - Added README.md for library usage and API reference. - Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.
This commit is contained in:
master
@@ -0,0 +1,296 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// AssumptionPenalties.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: D-SCORE-002 - Assumption penalties in score calculation
|
||||
// Description: Penalties applied when scoring relies on assumptions.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Policy.Scoring;
|
||||
|
||||
/// <summary>
|
||||
/// Types of assumptions that incur scoring penalties.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum AssumptionType
|
||||
{
|
||||
/// <summary>Assumed vulnerable code is reachable (no reachability analysis).</summary>
|
||||
AssumedReachable,
|
||||
|
||||
/// <summary>Assumed VEX status from source without verification.</summary>
|
||||
AssumedVexStatus,
|
||||
|
||||
/// <summary>Assumed SBOM completeness (no SBOM validation).</summary>
|
||||
AssumedSbomComplete,
|
||||
|
||||
/// <summary>Assumed feed is current (stale feed data).</summary>
|
||||
AssumedFeedCurrent,
|
||||
|
||||
/// <summary>Assumed default CVSS metrics (no specific vector).</summary>
|
||||
AssumedDefaultCvss,
|
||||
|
||||
/// <summary>Assumed package version (ambiguous version).</summary>
|
||||
AssumedPackageVersion,
|
||||
|
||||
/// <summary>Assumed deployment context (no runtime info).</summary>
|
||||
AssumedDeploymentContext,
|
||||
|
||||
/// <summary>Assumed transitive dependency (unverified chain).</summary>
|
||||
AssumedTransitiveDep,
|
||||
|
||||
/// <summary>Assumed no compensating controls.</summary>
|
||||
AssumedNoControls,
|
||||
|
||||
/// <summary>Assumed exploit exists (no PoC verification).</summary>
|
||||
AssumedExploitExists
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Configuration for assumption penalties.
|
||||
/// </summary>
|
||||
public sealed record AssumptionPenaltyConfig
|
||||
{
|
||||
/// <summary>
|
||||
/// Default penalties by assumption type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("penalties")]
|
||||
public ImmutableDictionary<AssumptionType, double> Penalties { get; init; } =
|
||||
DefaultPenalties;
|
||||
|
||||
/// <summary>
|
||||
/// Whether to compound penalties (multiply) or add them.
|
||||
/// </summary>
|
||||
[JsonPropertyName("compoundPenalties")]
|
||||
public bool CompoundPenalties { get; init; } = true;
|
||||
|
||||
/// <summary>
|
||||
/// Maximum total penalty (floor for confidence).
|
||||
/// </summary>
|
||||
[JsonPropertyName("maxTotalPenalty")]
|
||||
public double MaxTotalPenalty { get; init; } = 0.7;
|
||||
|
||||
/// <summary>
|
||||
/// Minimum confidence score after penalties.
|
||||
/// </summary>
|
||||
[JsonPropertyName("minConfidence")]
|
||||
public double MinConfidence { get; init; } = 0.1;
|
||||
|
||||
/// <summary>
|
||||
/// Default assumption penalties.
|
||||
/// </summary>
|
||||
public static readonly ImmutableDictionary<AssumptionType, double> DefaultPenalties =
|
||||
new Dictionary<AssumptionType, double>
|
||||
{
|
||||
[AssumptionType.AssumedReachable] = 0.15,
|
||||
[AssumptionType.AssumedVexStatus] = 0.10,
|
||||
[AssumptionType.AssumedSbomComplete] = 0.12,
|
||||
[AssumptionType.AssumedFeedCurrent] = 0.08,
|
||||
[AssumptionType.AssumedDefaultCvss] = 0.05,
|
||||
[AssumptionType.AssumedPackageVersion] = 0.10,
|
||||
[AssumptionType.AssumedDeploymentContext] = 0.07,
|
||||
[AssumptionType.AssumedTransitiveDep] = 0.05,
|
||||
[AssumptionType.AssumedNoControls] = 0.08,
|
||||
[AssumptionType.AssumedExploitExists] = 0.06
|
||||
}.ToImmutableDictionary();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// An assumption made during scoring.
|
||||
/// </summary>
|
||||
public sealed record ScoringAssumption
|
||||
{
|
||||
/// <summary>
|
||||
/// Type of assumption.
|
||||
/// </summary>
|
||||
[JsonPropertyName("type")]
|
||||
public required AssumptionType Type { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Human-readable description.
|
||||
/// </summary>
|
||||
[JsonPropertyName("description")]
|
||||
public required string Description { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Penalty applied for this assumption.
|
||||
/// </summary>
|
||||
[JsonPropertyName("penalty")]
|
||||
public required double Penalty { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// What would remove this assumption.
|
||||
/// </summary>
|
||||
[JsonPropertyName("resolutionHint")]
|
||||
public string? ResolutionHint { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Related finding or component ID.
|
||||
/// </summary>
|
||||
[JsonPropertyName("relatedId")]
|
||||
public string? RelatedId { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Result of applying assumption penalties.
|
||||
/// </summary>
|
||||
public sealed record AssumptionPenaltyResult
|
||||
{
|
||||
/// <summary>
|
||||
/// Original confidence score (before penalties).
|
||||
/// </summary>
|
||||
[JsonPropertyName("originalConfidence")]
|
||||
public required double OriginalConfidence { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Adjusted confidence score (after penalties).
|
||||
/// </summary>
|
||||
[JsonPropertyName("adjustedConfidence")]
|
||||
public required double AdjustedConfidence { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Total penalty applied.
|
||||
/// </summary>
|
||||
[JsonPropertyName("totalPenalty")]
|
||||
public required double TotalPenalty { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Assumptions that contributed to the penalty.
|
||||
/// </summary>
|
||||
[JsonPropertyName("assumptions")]
|
||||
public ImmutableArray<ScoringAssumption> Assumptions { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Whether the penalty was capped.
|
||||
/// </summary>
|
||||
[JsonPropertyName("penaltyCapped")]
|
||||
public bool PenaltyCapped { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Calculator for assumption-based penalties.
|
||||
/// </summary>
|
||||
public sealed class AssumptionPenaltyCalculator
|
||||
{
|
||||
private readonly AssumptionPenaltyConfig _config;
|
||||
|
||||
public AssumptionPenaltyCalculator(AssumptionPenaltyConfig? config = null)
|
||||
{
|
||||
_config = config ?? new AssumptionPenaltyConfig();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Calculates the penalty result for a set of assumptions.
|
||||
/// </summary>
|
||||
public AssumptionPenaltyResult Calculate(
|
||||
double originalConfidence,
|
||||
IEnumerable<ScoringAssumption> assumptions)
|
||||
{
|
||||
var assumptionList = assumptions.ToImmutableArray();
|
||||
|
||||
if (assumptionList.Length == 0)
|
||||
{
|
||||
return new AssumptionPenaltyResult
|
||||
{
|
||||
OriginalConfidence = originalConfidence,
|
||||
AdjustedConfidence = originalConfidence,
|
||||
TotalPenalty = 0,
|
||||
Assumptions = [],
|
||||
PenaltyCapped = false
|
||||
};
|
||||
}
|
||||
|
||||
double adjustedConfidence;
|
||||
double totalPenalty;
|
||||
bool capped = false;
|
||||
|
||||
if (_config.CompoundPenalties)
|
||||
{
|
||||
// Compound: multiply (1 - penalty) factors
|
||||
var factor = 1.0;
|
||||
foreach (var assumption in assumptionList)
|
||||
{
|
||||
factor *= (1.0 - assumption.Penalty);
|
||||
}
|
||||
adjustedConfidence = originalConfidence * factor;
|
||||
totalPenalty = 1.0 - factor;
|
||||
}
|
||||
else
|
||||
{
|
||||
// Additive: sum penalties
|
||||
totalPenalty = assumptionList.Sum(a => a.Penalty);
|
||||
if (totalPenalty > _config.MaxTotalPenalty)
|
||||
{
|
||||
totalPenalty = _config.MaxTotalPenalty;
|
||||
capped = true;
|
||||
}
|
||||
adjustedConfidence = originalConfidence * (1.0 - totalPenalty);
|
||||
}
|
||||
|
||||
// Apply minimum confidence floor
|
||||
if (adjustedConfidence < _config.MinConfidence)
|
||||
{
|
||||
adjustedConfidence = _config.MinConfidence;
|
||||
capped = true;
|
||||
}
|
||||
|
||||
return new AssumptionPenaltyResult
|
||||
{
|
||||
OriginalConfidence = originalConfidence,
|
||||
AdjustedConfidence = adjustedConfidence,
|
||||
TotalPenalty = totalPenalty,
|
||||
Assumptions = assumptionList,
|
||||
PenaltyCapped = capped
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Creates a scoring assumption with default penalty.
|
||||
/// </summary>
|
||||
public ScoringAssumption CreateAssumption(
|
||||
AssumptionType type,
|
||||
string description,
|
||||
string? relatedId = null)
|
||||
{
|
||||
var penalty = _config.Penalties.TryGetValue(type, out var p)
|
||||
? p
|
||||
: AssumptionPenaltyConfig.DefaultPenalties.GetValueOrDefault(type, 0.05);
|
||||
|
||||
return new ScoringAssumption
|
||||
{
|
||||
Type = type,
|
||||
Description = description,
|
||||
Penalty = penalty,
|
||||
ResolutionHint = GetResolutionHint(type),
|
||||
RelatedId = relatedId
|
||||
};
|
||||
}
|
||||
|
||||
private static string GetResolutionHint(AssumptionType type) => type switch
|
||||
{
|
||||
AssumptionType.AssumedReachable =>
|
||||
"Run reachability analysis to determine actual code path",
|
||||
AssumptionType.AssumedVexStatus =>
|
||||
"Obtain signed VEX statement from vendor",
|
||||
AssumptionType.AssumedSbomComplete =>
|
||||
"Generate verified SBOM with attestation",
|
||||
AssumptionType.AssumedFeedCurrent =>
|
||||
"Update vulnerability feeds to latest version",
|
||||
AssumptionType.AssumedDefaultCvss =>
|
||||
"Obtain environment-specific CVSS vector",
|
||||
AssumptionType.AssumedPackageVersion =>
|
||||
"Verify exact package version from lockfile",
|
||||
AssumptionType.AssumedDeploymentContext =>
|
||||
"Provide runtime environment information",
|
||||
AssumptionType.AssumedTransitiveDep =>
|
||||
"Verify dependency chain with lockfile",
|
||||
AssumptionType.AssumedNoControls =>
|
||||
"Document compensating controls in policy",
|
||||
AssumptionType.AssumedExploitExists =>
|
||||
"Check exploit databases for PoC availability",
|
||||
_ => "Provide additional context to remove assumption"
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,394 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// ScoreAttestationStatement.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: D-SCORE-005 - DSSE-signed score attestation
|
||||
// Description: DSSE predicate for attesting to security scores.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Immutable;
|
||||
using System.Text.Json.Serialization;
|
||||
using StellaOps.Attestor.ProofChain.Statements;
|
||||
|
||||
namespace StellaOps.Policy.Scoring;
|
||||
|
||||
/// <summary>
|
||||
/// DSSE predicate type for score attestation.
|
||||
/// </summary>
|
||||
public static class ScoreAttestationPredicateType
|
||||
{
|
||||
/// <summary>
|
||||
/// Predicate type URI for score attestation.
|
||||
/// </summary>
|
||||
public const string PredicateType = "https://stellaops.io/attestation/score/v1";
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Score attestation statement (DSSE predicate payload).
|
||||
/// </summary>
|
||||
public sealed record ScoreAttestationStatement
|
||||
{
|
||||
/// <summary>
|
||||
/// Attestation version.
|
||||
/// </summary>
|
||||
[JsonPropertyName("version")]
|
||||
public string Version { get; init; } = "1.0.0";
|
||||
|
||||
/// <summary>
|
||||
/// When the score was computed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("scoredAt")]
|
||||
public required DateTimeOffset ScoredAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Subject artifact digest.
|
||||
/// </summary>
|
||||
[JsonPropertyName("subjectDigest")]
|
||||
public required string SubjectDigest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Subject artifact name/reference.
|
||||
/// </summary>
|
||||
[JsonPropertyName("subjectName")]
|
||||
public string? SubjectName { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Overall security score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("overallScore")]
|
||||
public required int OverallScore { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Score confidence (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("confidence")]
|
||||
public required double Confidence { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Score grade (A-F).
|
||||
/// </summary>
|
||||
[JsonPropertyName("grade")]
|
||||
public required string Grade { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Score breakdown by category.
|
||||
/// </summary>
|
||||
[JsonPropertyName("breakdown")]
|
||||
public required ScoreBreakdown Breakdown { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Scoring policy used.
|
||||
/// </summary>
|
||||
[JsonPropertyName("policy")]
|
||||
public required ScoringPolicyRef Policy { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Inputs used for scoring.
|
||||
/// </summary>
|
||||
[JsonPropertyName("inputs")]
|
||||
public required ScoringInputs Inputs { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Assumptions made during scoring.
|
||||
/// </summary>
|
||||
[JsonPropertyName("assumptions")]
|
||||
public ImmutableArray<AssumptionSummary> Assumptions { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Unknowns that affect the score.
|
||||
/// </summary>
|
||||
[JsonPropertyName("unknowns")]
|
||||
public ImmutableArray<UnknownSummary> Unknowns { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Hash of this statement for integrity.
|
||||
/// </summary>
|
||||
[JsonPropertyName("statementHash")]
|
||||
public string? StatementHash { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Score breakdown by category.
|
||||
/// </summary>
|
||||
public sealed record ScoreBreakdown
|
||||
{
|
||||
/// <summary>
|
||||
/// Vulnerability score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("vulnerability")]
|
||||
public required int Vulnerability { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Exploitability score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("exploitability")]
|
||||
public required int Exploitability { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Reachability score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("reachability")]
|
||||
public required int Reachability { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Policy compliance score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("compliance")]
|
||||
public required int Compliance { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Supply chain score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("supplyChain")]
|
||||
public required int SupplyChain { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// VEX/mitigation score (0-100).
|
||||
/// </summary>
|
||||
[JsonPropertyName("mitigation")]
|
||||
public required int Mitigation { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Reference to the scoring policy used.
|
||||
/// </summary>
|
||||
public sealed record ScoringPolicyRef
|
||||
{
|
||||
/// <summary>
|
||||
/// Policy identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Policy version.
|
||||
/// </summary>
|
||||
[JsonPropertyName("version")]
|
||||
public required string Version { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Policy digest.
|
||||
/// </summary>
|
||||
[JsonPropertyName("digest")]
|
||||
public required string Digest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Policy name.
|
||||
/// </summary>
|
||||
[JsonPropertyName("name")]
|
||||
public string? Name { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Inputs used for scoring.
|
||||
/// </summary>
|
||||
public sealed record ScoringInputs
|
||||
{
|
||||
/// <summary>
|
||||
/// SBOM digest.
|
||||
/// </summary>
|
||||
[JsonPropertyName("sbomDigest")]
|
||||
public string? SbomDigest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Vulnerability feed version.
|
||||
/// </summary>
|
||||
[JsonPropertyName("feedVersion")]
|
||||
public string? FeedVersion { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Feed fetch timestamp.
|
||||
/// </summary>
|
||||
[JsonPropertyName("feedFetchedAt")]
|
||||
public DateTimeOffset? FeedFetchedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Reachability analysis digest.
|
||||
/// </summary>
|
||||
[JsonPropertyName("reachabilityDigest")]
|
||||
public string? ReachabilityDigest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// VEX documents used.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vexDocuments")]
|
||||
public ImmutableArray<VexDocRef> VexDocuments { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Total components analyzed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("componentCount")]
|
||||
public int ComponentCount { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Total vulnerabilities found.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vulnerabilityCount")]
|
||||
public int VulnerabilityCount { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Total findings after filtering.
|
||||
/// </summary>
|
||||
[JsonPropertyName("findingCount")]
|
||||
public int FindingCount { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Reference to a VEX document.
|
||||
/// </summary>
|
||||
public sealed record VexDocRef
|
||||
{
|
||||
/// <summary>
|
||||
/// VEX document digest.
|
||||
/// </summary>
|
||||
[JsonPropertyName("digest")]
|
||||
public required string Digest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// VEX source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("source")]
|
||||
public required string Source { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Decisions applied from this document.
|
||||
/// </summary>
|
||||
[JsonPropertyName("decisionCount")]
|
||||
public int DecisionCount { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Summary of an assumption made.
|
||||
/// </summary>
|
||||
public sealed record AssumptionSummary
|
||||
{
|
||||
/// <summary>
|
||||
/// Assumption type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("type")]
|
||||
public required string Type { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Count of this assumption type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("count")]
|
||||
public required int Count { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Total penalty from this assumption type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("totalPenalty")]
|
||||
public required double TotalPenalty { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Summary of an unknown.
|
||||
/// </summary>
|
||||
public sealed record UnknownSummary
|
||||
{
|
||||
/// <summary>
|
||||
/// Unknown type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("type")]
|
||||
public required string Type { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Count of this unknown type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("count")]
|
||||
public required int Count { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Score impact from this unknown type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("scoreImpact")]
|
||||
public required int ScoreImpact { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Builder for score attestation statements.
|
||||
/// </summary>
|
||||
public sealed class ScoreAttestationBuilder
|
||||
{
|
||||
private readonly ScoreAttestationStatement _statement;
|
||||
|
||||
private ScoreAttestationBuilder(ScoreAttestationStatement statement)
|
||||
{
|
||||
_statement = statement;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Creates a new builder.
|
||||
/// </summary>
|
||||
public static ScoreAttestationBuilder Create(
|
||||
string subjectDigest,
|
||||
int overallScore,
|
||||
double confidence,
|
||||
ScoreBreakdown breakdown,
|
||||
ScoringPolicyRef policy,
|
||||
ScoringInputs inputs)
|
||||
{
|
||||
return new ScoreAttestationBuilder(new ScoreAttestationStatement
|
||||
{
|
||||
ScoredAt = DateTimeOffset.UtcNow,
|
||||
SubjectDigest = subjectDigest,
|
||||
OverallScore = overallScore,
|
||||
Confidence = confidence,
|
||||
Grade = ComputeGrade(overallScore),
|
||||
Breakdown = breakdown,
|
||||
Policy = policy,
|
||||
Inputs = inputs
|
||||
});
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Sets the subject name.
|
||||
/// </summary>
|
||||
public ScoreAttestationBuilder WithSubjectName(string name)
|
||||
{
|
||||
return new ScoreAttestationBuilder(_statement with { SubjectName = name });
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Adds assumptions.
|
||||
/// </summary>
|
||||
public ScoreAttestationBuilder WithAssumptions(IEnumerable<AssumptionSummary> assumptions)
|
||||
{
|
||||
return new ScoreAttestationBuilder(_statement with
|
||||
{
|
||||
Assumptions = assumptions.ToImmutableArray()
|
||||
});
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Adds unknowns.
|
||||
/// </summary>
|
||||
public ScoreAttestationBuilder WithUnknowns(IEnumerable<UnknownSummary> unknowns)
|
||||
{
|
||||
return new ScoreAttestationBuilder(_statement with
|
||||
{
|
||||
Unknowns = unknowns.ToImmutableArray()
|
||||
});
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Builds the statement.
|
||||
/// </summary>
|
||||
public ScoreAttestationStatement Build()
|
||||
{
|
||||
// Compute statement hash
|
||||
var canonical = StellaOps.Canonical.Json.CanonJson.Canonicalize(_statement);
|
||||
var hash = StellaOps.Canonical.Json.CanonJson.Sha256Prefixed(canonical);
|
||||
|
||||
return _statement with { StatementHash = hash };
|
||||
}
|
||||
|
||||
private static string ComputeGrade(int score) => score switch
|
||||
{
|
||||
>= 90 => "A",
|
||||
>= 80 => "B",
|
||||
>= 70 => "C",
|
||||
>= 60 => "D",
|
||||
_ => "F"
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,477 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// ScoringRulesSnapshot.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: E-OFF-003 - Scoring rules snapshot with digest
|
||||
// Description: Immutable snapshot of scoring rules for offline/audit use.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Immutable;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Policy.Scoring;
|
||||
|
||||
/// <summary>
|
||||
/// Immutable snapshot of scoring rules with cryptographic digest.
|
||||
/// Used for offline operation and audit trail.
|
||||
/// </summary>
|
||||
public sealed record ScoringRulesSnapshot
|
||||
{
|
||||
/// <summary>
|
||||
/// Snapshot identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Snapshot version.
|
||||
/// </summary>
|
||||
[JsonPropertyName("version")]
|
||||
public required int Version { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// When the snapshot was created.
|
||||
/// </summary>
|
||||
[JsonPropertyName("createdAt")]
|
||||
public required DateTimeOffset CreatedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Content digest of the snapshot (sha256:...).
|
||||
/// </summary>
|
||||
[JsonPropertyName("digest")]
|
||||
public required string Digest { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Description of this snapshot.
|
||||
/// </summary>
|
||||
[JsonPropertyName("description")]
|
||||
public string? Description { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Source policy IDs that contributed to this snapshot.
|
||||
/// </summary>
|
||||
[JsonPropertyName("sourcePolicies")]
|
||||
public ImmutableArray<string> SourcePolicies { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Scoring weights configuration.
|
||||
/// </summary>
|
||||
[JsonPropertyName("weights")]
|
||||
public required ScoringWeights Weights { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Thresholds for grade boundaries.
|
||||
/// </summary>
|
||||
[JsonPropertyName("thresholds")]
|
||||
public required GradeThresholds Thresholds { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Severity multipliers.
|
||||
/// </summary>
|
||||
[JsonPropertyName("severityMultipliers")]
|
||||
public required SeverityMultipliers SeverityMultipliers { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Assumption penalty configuration.
|
||||
/// </summary>
|
||||
[JsonPropertyName("assumptionPenalties")]
|
||||
public required AssumptionPenaltyConfig AssumptionPenalties { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Trust source weights.
|
||||
/// </summary>
|
||||
[JsonPropertyName("trustSourceWeights")]
|
||||
public required TrustSourceWeightConfig TrustSourceWeights { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Freshness decay configuration.
|
||||
/// </summary>
|
||||
[JsonPropertyName("freshnessDecay")]
|
||||
public required FreshnessDecayConfig FreshnessDecay { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Custom rules (Rego/SPL).
|
||||
/// </summary>
|
||||
[JsonPropertyName("customRules")]
|
||||
public ImmutableArray<CustomScoringRule> CustomRules { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Whether this snapshot is signed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isSigned")]
|
||||
public bool IsSigned { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Signature if signed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("signature")]
|
||||
public string? Signature { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Key ID used for signing.
|
||||
/// </summary>
|
||||
[JsonPropertyName("signingKeyId")]
|
||||
public string? SigningKeyId { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Scoring category weights (must sum to 1.0).
|
||||
/// </summary>
|
||||
public sealed record ScoringWeights
|
||||
{
|
||||
/// <summary>
|
||||
/// Weight for vulnerability severity (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("vulnerability")]
|
||||
public double Vulnerability { get; init; } = 0.25;
|
||||
|
||||
/// <summary>
|
||||
/// Weight for exploitability factors (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("exploitability")]
|
||||
public double Exploitability { get; init; } = 0.20;
|
||||
|
||||
/// <summary>
|
||||
/// Weight for reachability analysis (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("reachability")]
|
||||
public double Reachability { get; init; } = 0.20;
|
||||
|
||||
/// <summary>
|
||||
/// Weight for policy compliance (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("compliance")]
|
||||
public double Compliance { get; init; } = 0.15;
|
||||
|
||||
/// <summary>
|
||||
/// Weight for supply chain factors (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("supplyChain")]
|
||||
public double SupplyChain { get; init; } = 0.10;
|
||||
|
||||
/// <summary>
|
||||
/// Weight for mitigation/VEX status (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("mitigation")]
|
||||
public double Mitigation { get; init; } = 0.10;
|
||||
|
||||
/// <summary>
|
||||
/// Validates that weights sum to 1.0.
|
||||
/// </summary>
|
||||
public bool Validate()
|
||||
{
|
||||
var sum = Vulnerability + Exploitability + Reachability +
|
||||
Compliance + SupplyChain + Mitigation;
|
||||
return Math.Abs(sum - 1.0) < 0.001;
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Grade threshold configuration.
|
||||
/// </summary>
|
||||
public sealed record GradeThresholds
|
||||
{
|
||||
/// <summary>
|
||||
/// Minimum score for grade A.
|
||||
/// </summary>
|
||||
[JsonPropertyName("a")]
|
||||
public int A { get; init; } = 90;
|
||||
|
||||
/// <summary>
|
||||
/// Minimum score for grade B.
|
||||
/// </summary>
|
||||
[JsonPropertyName("b")]
|
||||
public int B { get; init; } = 80;
|
||||
|
||||
/// <summary>
|
||||
/// Minimum score for grade C.
|
||||
/// </summary>
|
||||
[JsonPropertyName("c")]
|
||||
public int C { get; init; } = 70;
|
||||
|
||||
/// <summary>
|
||||
/// Minimum score for grade D.
|
||||
/// </summary>
|
||||
[JsonPropertyName("d")]
|
||||
public int D { get; init; } = 60;
|
||||
|
||||
// Below D threshold is grade F
|
||||
|
||||
/// <summary>
|
||||
/// Gets the grade for a score.
|
||||
/// </summary>
|
||||
public string GetGrade(int score) => score switch
|
||||
{
|
||||
_ when score >= A => "A",
|
||||
_ when score >= B => "B",
|
||||
_ when score >= C => "C",
|
||||
_ when score >= D => "D",
|
||||
_ => "F"
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Severity multipliers for scoring.
|
||||
/// </summary>
|
||||
public sealed record SeverityMultipliers
|
||||
{
|
||||
/// <summary>
|
||||
/// Multiplier for critical severity.
|
||||
/// </summary>
|
||||
[JsonPropertyName("critical")]
|
||||
public double Critical { get; init; } = 1.5;
|
||||
|
||||
/// <summary>
|
||||
/// Multiplier for high severity.
|
||||
/// </summary>
|
||||
[JsonPropertyName("high")]
|
||||
public double High { get; init; } = 1.2;
|
||||
|
||||
/// <summary>
|
||||
/// Multiplier for medium severity.
|
||||
/// </summary>
|
||||
[JsonPropertyName("medium")]
|
||||
public double Medium { get; init; } = 1.0;
|
||||
|
||||
/// <summary>
|
||||
/// Multiplier for low severity.
|
||||
/// </summary>
|
||||
[JsonPropertyName("low")]
|
||||
public double Low { get; init; } = 0.8;
|
||||
|
||||
/// <summary>
|
||||
/// Multiplier for informational.
|
||||
/// </summary>
|
||||
[JsonPropertyName("informational")]
|
||||
public double Informational { get; init; } = 0.5;
|
||||
|
||||
/// <summary>
|
||||
/// Gets multiplier for a severity string.
|
||||
/// </summary>
|
||||
public double GetMultiplier(string severity) => severity?.ToUpperInvariant() switch
|
||||
{
|
||||
"CRITICAL" => Critical,
|
||||
"HIGH" => High,
|
||||
"MEDIUM" => Medium,
|
||||
"LOW" => Low,
|
||||
"INFORMATIONAL" or "INFO" => Informational,
|
||||
_ => Medium
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Freshness decay configuration.
|
||||
/// </summary>
|
||||
public sealed record FreshnessDecayConfig
|
||||
{
|
||||
/// <summary>
|
||||
/// Hours after which SBOM starts to decay.
|
||||
/// </summary>
|
||||
[JsonPropertyName("sbomDecayStartHours")]
|
||||
public int SbomDecayStartHours { get; init; } = 168; // 7 days
|
||||
|
||||
/// <summary>
|
||||
/// Hours after which feeds start to decay.
|
||||
/// </summary>
|
||||
[JsonPropertyName("feedDecayStartHours")]
|
||||
public int FeedDecayStartHours { get; init; } = 24;
|
||||
|
||||
/// <summary>
|
||||
/// Decay rate per hour after start.
|
||||
/// </summary>
|
||||
[JsonPropertyName("decayRatePerHour")]
|
||||
public double DecayRatePerHour { get; init; } = 0.001;
|
||||
|
||||
/// <summary>
|
||||
/// Minimum freshness score.
|
||||
/// </summary>
|
||||
[JsonPropertyName("minimumFreshness")]
|
||||
public double MinimumFreshness { get; init; } = 0.5;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Custom scoring rule.
|
||||
/// </summary>
|
||||
public sealed record CustomScoringRule
|
||||
{
|
||||
/// <summary>
|
||||
/// Rule identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Rule name.
|
||||
/// </summary>
|
||||
[JsonPropertyName("name")]
|
||||
public required string Name { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Rule language (rego, spl).
|
||||
/// </summary>
|
||||
[JsonPropertyName("language")]
|
||||
public required string Language { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Rule content.
|
||||
/// </summary>
|
||||
[JsonPropertyName("content")]
|
||||
public required string Content { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Rule priority (higher = evaluated first).
|
||||
/// </summary>
|
||||
[JsonPropertyName("priority")]
|
||||
public int Priority { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether rule is enabled.
|
||||
/// </summary>
|
||||
[JsonPropertyName("enabled")]
|
||||
public bool Enabled { get; init; } = true;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Builder for scoring rules snapshots.
|
||||
/// </summary>
|
||||
public sealed class ScoringRulesSnapshotBuilder
|
||||
{
|
||||
private ScoringRulesSnapshot _snapshot;
|
||||
|
||||
private ScoringRulesSnapshotBuilder(ScoringRulesSnapshot snapshot)
|
||||
{
|
||||
_snapshot = snapshot;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Creates a new builder with defaults.
|
||||
/// </summary>
|
||||
public static ScoringRulesSnapshotBuilder Create(string id, int version)
|
||||
{
|
||||
return new ScoringRulesSnapshotBuilder(new ScoringRulesSnapshot
|
||||
{
|
||||
Id = id,
|
||||
Version = version,
|
||||
CreatedAt = DateTimeOffset.UtcNow,
|
||||
Digest = "", // Will be computed on build
|
||||
Weights = new ScoringWeights(),
|
||||
Thresholds = new GradeThresholds(),
|
||||
SeverityMultipliers = new SeverityMultipliers(),
|
||||
AssumptionPenalties = new AssumptionPenaltyConfig(),
|
||||
TrustSourceWeights = new TrustSourceWeightConfig(),
|
||||
FreshnessDecay = new FreshnessDecayConfig()
|
||||
});
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithDescription(string description)
|
||||
{
|
||||
_snapshot = _snapshot with { Description = description };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithWeights(ScoringWeights weights)
|
||||
{
|
||||
_snapshot = _snapshot with { Weights = weights };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithThresholds(GradeThresholds thresholds)
|
||||
{
|
||||
_snapshot = _snapshot with { Thresholds = thresholds };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithSeverityMultipliers(SeverityMultipliers multipliers)
|
||||
{
|
||||
_snapshot = _snapshot with { SeverityMultipliers = multipliers };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithAssumptionPenalties(AssumptionPenaltyConfig penalties)
|
||||
{
|
||||
_snapshot = _snapshot with { AssumptionPenalties = penalties };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithTrustSourceWeights(TrustSourceWeightConfig weights)
|
||||
{
|
||||
_snapshot = _snapshot with { TrustSourceWeights = weights };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithFreshnessDecay(FreshnessDecayConfig decay)
|
||||
{
|
||||
_snapshot = _snapshot with { FreshnessDecay = decay };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithCustomRules(IEnumerable<CustomScoringRule> rules)
|
||||
{
|
||||
_snapshot = _snapshot with { CustomRules = rules.ToImmutableArray() };
|
||||
return this;
|
||||
}
|
||||
|
||||
public ScoringRulesSnapshotBuilder WithSourcePolicies(IEnumerable<string> policyIds)
|
||||
{
|
||||
_snapshot = _snapshot with { SourcePolicies = policyIds.ToImmutableArray() };
|
||||
return this;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Builds the snapshot with computed digest.
|
||||
/// </summary>
|
||||
public ScoringRulesSnapshot Build()
|
||||
{
|
||||
// Validate weights
|
||||
if (!_snapshot.Weights.Validate())
|
||||
{
|
||||
throw new InvalidOperationException("Scoring weights must sum to 1.0");
|
||||
}
|
||||
|
||||
// Compute digest
|
||||
var canonical = StellaOps.Canonical.Json.CanonJson.Canonicalize(_snapshot with { Digest = "" });
|
||||
var digest = StellaOps.Canonical.Json.CanonJson.Sha256Prefixed(canonical);
|
||||
|
||||
return _snapshot with { Digest = digest };
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Service for managing scoring rules snapshots.
|
||||
/// </summary>
|
||||
public interface IScoringRulesSnapshotService
|
||||
{
|
||||
/// <summary>
|
||||
/// Creates a new snapshot from current rules.
|
||||
/// </summary>
|
||||
Task<ScoringRulesSnapshot> CreateSnapshotAsync(
|
||||
string description,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Gets a snapshot by ID.
|
||||
/// </summary>
|
||||
Task<ScoringRulesSnapshot?> GetSnapshotAsync(
|
||||
string id,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Gets the latest snapshot.
|
||||
/// </summary>
|
||||
Task<ScoringRulesSnapshot?> GetLatestSnapshotAsync(
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Validates a snapshot against its digest.
|
||||
/// </summary>
|
||||
Task<bool> ValidateSnapshotAsync(
|
||||
ScoringRulesSnapshot snapshot,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Lists all snapshots.
|
||||
/// </summary>
|
||||
Task<IReadOnlyList<ScoringRulesSnapshot>> ListSnapshotsAsync(
|
||||
int limit = 100,
|
||||
CancellationToken ct = default);
|
||||
}
|
||||
@@ -0,0 +1,412 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// TrustSourceWeights.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: D-SCORE-003 - Configurable trust source weights
|
||||
// Description: Configurable weights for different vulnerability data sources.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Linq;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Policy.Scoring;
|
||||
|
||||
/// <summary>
|
||||
/// Known vulnerability data sources.
|
||||
/// </summary>
|
||||
public static class KnownSources
|
||||
{
|
||||
public const string NvdNist = "nvd-nist";
|
||||
public const string CisaKev = "cisa-kev";
|
||||
public const string Osv = "osv";
|
||||
public const string GithubAdvisory = "github-advisory";
|
||||
public const string VendorAdvisory = "vendor";
|
||||
public const string RedHatCve = "redhat-cve";
|
||||
public const string DebianSecurity = "debian-security";
|
||||
public const string AlpineSecdb = "alpine-secdb";
|
||||
public const string UbuntuOval = "ubuntu-oval";
|
||||
public const string Epss = "epss";
|
||||
public const string ExploitDb = "exploit-db";
|
||||
public const string VulnDb = "vulndb";
|
||||
public const string Snyk = "snyk";
|
||||
public const string Internal = "internal";
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Configuration for trust source weights.
|
||||
/// </summary>
|
||||
public sealed record TrustSourceWeightConfig
|
||||
{
|
||||
/// <summary>
|
||||
/// Weights by source ID (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("weights")]
|
||||
public ImmutableDictionary<string, double> Weights { get; init; } =
|
||||
DefaultWeights;
|
||||
|
||||
/// <summary>
|
||||
/// Default weight for unknown sources.
|
||||
/// </summary>
|
||||
[JsonPropertyName("defaultWeight")]
|
||||
public double DefaultWeight { get; init; } = 0.5;
|
||||
|
||||
/// <summary>
|
||||
/// Source categories and their base weights.
|
||||
/// </summary>
|
||||
[JsonPropertyName("categoryWeights")]
|
||||
public ImmutableDictionary<SourceCategory, double> CategoryWeights { get; init; } =
|
||||
DefaultCategoryWeights;
|
||||
|
||||
/// <summary>
|
||||
/// Whether to boost sources with corroborating data.
|
||||
/// </summary>
|
||||
[JsonPropertyName("enableCorroborationBoost")]
|
||||
public bool EnableCorroborationBoost { get; init; } = true;
|
||||
|
||||
/// <summary>
|
||||
/// Boost multiplier when multiple sources agree.
|
||||
/// </summary>
|
||||
[JsonPropertyName("corroborationBoostFactor")]
|
||||
public double CorroborationBoostFactor { get; init; } = 1.1;
|
||||
|
||||
/// <summary>
|
||||
/// Maximum number of corroborating sources to count.
|
||||
/// </summary>
|
||||
[JsonPropertyName("maxCorroborationCount")]
|
||||
public int MaxCorroborationCount { get; init; } = 3;
|
||||
|
||||
/// <summary>
|
||||
/// Default source weights.
|
||||
/// </summary>
|
||||
public static readonly ImmutableDictionary<string, double> DefaultWeights =
|
||||
new Dictionary<string, double>
|
||||
{
|
||||
[KnownSources.NvdNist] = 0.90,
|
||||
[KnownSources.CisaKev] = 0.98,
|
||||
[KnownSources.Osv] = 0.75,
|
||||
[KnownSources.GithubAdvisory] = 0.72,
|
||||
[KnownSources.VendorAdvisory] = 0.88,
|
||||
[KnownSources.RedHatCve] = 0.85,
|
||||
[KnownSources.DebianSecurity] = 0.82,
|
||||
[KnownSources.AlpineSecdb] = 0.80,
|
||||
[KnownSources.UbuntuOval] = 0.82,
|
||||
[KnownSources.Epss] = 0.70,
|
||||
[KnownSources.ExploitDb] = 0.65,
|
||||
[KnownSources.VulnDb] = 0.68,
|
||||
[KnownSources.Snyk] = 0.70,
|
||||
[KnownSources.Internal] = 0.60
|
||||
}.ToImmutableDictionary();
|
||||
|
||||
/// <summary>
|
||||
/// Default category weights.
|
||||
/// </summary>
|
||||
public static readonly ImmutableDictionary<SourceCategory, double> DefaultCategoryWeights =
|
||||
new Dictionary<SourceCategory, double>
|
||||
{
|
||||
[SourceCategory.Government] = 0.95,
|
||||
[SourceCategory.Vendor] = 0.85,
|
||||
[SourceCategory.Coordinator] = 0.80,
|
||||
[SourceCategory.Distro] = 0.82,
|
||||
[SourceCategory.Community] = 0.70,
|
||||
[SourceCategory.Commercial] = 0.68,
|
||||
[SourceCategory.Internal] = 0.60
|
||||
}.ToImmutableDictionary();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Source categories.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum SourceCategory
|
||||
{
|
||||
/// <summary>Government agency (NIST, CISA, BSI).</summary>
|
||||
Government,
|
||||
|
||||
/// <summary>Software vendor.</summary>
|
||||
Vendor,
|
||||
|
||||
/// <summary>Vulnerability coordinator (CERT).</summary>
|
||||
Coordinator,
|
||||
|
||||
/// <summary>Linux distribution security team.</summary>
|
||||
Distro,
|
||||
|
||||
/// <summary>Open source community.</summary>
|
||||
Community,
|
||||
|
||||
/// <summary>Commercial security vendor.</summary>
|
||||
Commercial,
|
||||
|
||||
/// <summary>Internal organization sources.</summary>
|
||||
Internal
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Metadata about a vulnerability source.
|
||||
/// </summary>
|
||||
public sealed record SourceMetadata
|
||||
{
|
||||
/// <summary>
|
||||
/// Source identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Source category.
|
||||
/// </summary>
|
||||
[JsonPropertyName("category")]
|
||||
public required SourceCategory Category { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// When data was fetched from this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("fetchedAt")]
|
||||
public DateTimeOffset? FetchedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Source data version/timestamp.
|
||||
/// </summary>
|
||||
[JsonPropertyName("dataVersion")]
|
||||
public string? DataVersion { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether data is signed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isSigned")]
|
||||
public bool IsSigned { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Finding data from a source.
|
||||
/// </summary>
|
||||
public sealed record SourceFinding
|
||||
{
|
||||
/// <summary>
|
||||
/// Source metadata.
|
||||
/// </summary>
|
||||
[JsonPropertyName("source")]
|
||||
public required SourceMetadata Source { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Severity from this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("severity")]
|
||||
public string? Severity { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// CVSS score from this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("cvssScore")]
|
||||
public double? CvssScore { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// VEX status from this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vexStatus")]
|
||||
public string? VexStatus { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether this source confirms exploitability.
|
||||
/// </summary>
|
||||
[JsonPropertyName("confirmsExploit")]
|
||||
public bool? ConfirmsExploit { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Fix version from this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("fixVersion")]
|
||||
public string? FixVersion { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Result of merging findings from multiple sources.
|
||||
/// </summary>
|
||||
public sealed record WeightedMergeResult
|
||||
{
|
||||
/// <summary>
|
||||
/// Merged severity (highest trust source).
|
||||
/// </summary>
|
||||
[JsonPropertyName("severity")]
|
||||
public string? Severity { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Weighted average CVSS score.
|
||||
/// </summary>
|
||||
[JsonPropertyName("cvssScore")]
|
||||
public double? CvssScore { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// VEX status from highest trust source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vexStatus")]
|
||||
public string? VexStatus { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Fix version (earliest reported).
|
||||
/// </summary>
|
||||
[JsonPropertyName("fixVersion")]
|
||||
public string? FixVersion { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Overall confidence in the merged result.
|
||||
/// </summary>
|
||||
[JsonPropertyName("confidence")]
|
||||
public required double Confidence { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Sources that contributed (ordered by weight).
|
||||
/// </summary>
|
||||
[JsonPropertyName("contributingSources")]
|
||||
public ImmutableArray<string> ContributingSources { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Whether sources corroborated each other.
|
||||
/// </summary>
|
||||
[JsonPropertyName("corroborated")]
|
||||
public bool Corroborated { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Corroboration boost applied.
|
||||
/// </summary>
|
||||
[JsonPropertyName("corroborationBoost")]
|
||||
public double CorroborationBoost { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Service for weighted source merging.
|
||||
/// </summary>
|
||||
public sealed class TrustSourceWeightService
|
||||
{
|
||||
private readonly TrustSourceWeightConfig _config;
|
||||
|
||||
public TrustSourceWeightService(TrustSourceWeightConfig? config = null)
|
||||
{
|
||||
_config = config ?? new TrustSourceWeightConfig();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Gets the effective weight for a source.
|
||||
/// </summary>
|
||||
public double GetSourceWeight(SourceMetadata source)
|
||||
{
|
||||
// Check for explicit weight
|
||||
if (_config.Weights.TryGetValue(source.Id, out var explicitWeight))
|
||||
{
|
||||
return ApplyModifiers(explicitWeight, source);
|
||||
}
|
||||
|
||||
// Fall back to category weight
|
||||
if (_config.CategoryWeights.TryGetValue(source.Category, out var categoryWeight))
|
||||
{
|
||||
return ApplyModifiers(categoryWeight, source);
|
||||
}
|
||||
|
||||
return ApplyModifiers(_config.DefaultWeight, source);
|
||||
}
|
||||
|
||||
private double ApplyModifiers(double baseWeight, SourceMetadata source)
|
||||
{
|
||||
var weight = baseWeight;
|
||||
|
||||
// Boost for signed data
|
||||
if (source.IsSigned)
|
||||
{
|
||||
weight *= 1.05;
|
||||
}
|
||||
|
||||
// Penalty for stale data (>7 days old)
|
||||
if (source.FetchedAt.HasValue)
|
||||
{
|
||||
var age = DateTimeOffset.UtcNow - source.FetchedAt.Value;
|
||||
if (age.TotalDays > 7)
|
||||
{
|
||||
weight *= 0.95;
|
||||
}
|
||||
if (age.TotalDays > 30)
|
||||
{
|
||||
weight *= 0.90;
|
||||
}
|
||||
}
|
||||
|
||||
return Math.Clamp(weight, 0.0, 1.0);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Merges findings from multiple sources using weights.
|
||||
/// </summary>
|
||||
public WeightedMergeResult MergeFindings(IEnumerable<SourceFinding> findings)
|
||||
{
|
||||
var findingList = findings.ToList();
|
||||
if (findingList.Count == 0)
|
||||
{
|
||||
return new WeightedMergeResult { Confidence = 0 };
|
||||
}
|
||||
|
||||
// Sort by weight descending
|
||||
var weighted = findingList
|
||||
.Select(f => (Finding: f, Weight: GetSourceWeight(f.Source)))
|
||||
.OrderByDescending(x => x.Weight)
|
||||
.ToList();
|
||||
|
||||
var topFinding = weighted[0].Finding;
|
||||
var topWeight = weighted[0].Weight;
|
||||
|
||||
// Calculate weighted CVSS
|
||||
double? weightedCvss = null;
|
||||
var cvssFindings = weighted.Where(w => w.Finding.CvssScore.HasValue).ToList();
|
||||
if (cvssFindings.Count > 0)
|
||||
{
|
||||
var totalWeight = cvssFindings.Sum(w => w.Weight);
|
||||
weightedCvss = cvssFindings.Sum(w => w.Finding.CvssScore!.Value * w.Weight) / totalWeight;
|
||||
}
|
||||
|
||||
// Check for corroboration
|
||||
var corroborated = false;
|
||||
var corroborationBoost = 0.0;
|
||||
|
||||
if (_config.EnableCorroborationBoost && weighted.Count > 1)
|
||||
{
|
||||
// Check if multiple sources agree on severity
|
||||
var severities = weighted
|
||||
.Where(w => !string.IsNullOrEmpty(w.Finding.Severity))
|
||||
.Select(w => w.Finding.Severity)
|
||||
.Distinct()
|
||||
.ToList();
|
||||
|
||||
if (severities.Count == 1)
|
||||
{
|
||||
var corroboratingCount = Math.Min(
|
||||
weighted.Count(w => w.Finding.Severity == severities[0]),
|
||||
_config.MaxCorroborationCount);
|
||||
|
||||
if (corroboratingCount > 1)
|
||||
{
|
||||
corroborated = true;
|
||||
corroborationBoost = Math.Pow(
|
||||
_config.CorroborationBoostFactor,
|
||||
corroboratingCount - 1) - 1.0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var confidence = Math.Clamp(topWeight + corroborationBoost, 0.0, 1.0);
|
||||
|
||||
return new WeightedMergeResult
|
||||
{
|
||||
Severity = topFinding.Severity,
|
||||
CvssScore = weightedCvss,
|
||||
VexStatus = topFinding.VexStatus,
|
||||
FixVersion = findingList
|
||||
.Where(f => !string.IsNullOrEmpty(f.FixVersion))
|
||||
.OrderBy(f => f.FixVersion)
|
||||
.FirstOrDefault()?.FixVersion,
|
||||
Confidence = confidence,
|
||||
ContributingSources = weighted.Select(w => w.Finding.Source.Id).ToImmutableArray(),
|
||||
Corroborated = corroborated,
|
||||
CorroborationBoost = corroborationBoost
|
||||
};
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,429 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// JurisdictionTrustRules.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: VEX-L-003 - Jurisdiction-specific trust rules (US/EU/RU/CN)
|
||||
// Description: VEX source trust rules by regulatory jurisdiction.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Linq;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Policy.Vex;
|
||||
|
||||
/// <summary>
|
||||
/// Jurisdiction codes for regulatory regions.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum Jurisdiction
|
||||
{
|
||||
/// <summary>United States (FDA, NIST, CISA).</summary>
|
||||
US,
|
||||
|
||||
/// <summary>European Union (ENISA, BSI, ANSSI).</summary>
|
||||
EU,
|
||||
|
||||
/// <summary>Russian Federation (FSTEC, FSB).</summary>
|
||||
RU,
|
||||
|
||||
/// <summary>China (CNVD, CNNVD).</summary>
|
||||
CN,
|
||||
|
||||
/// <summary>Japan (JPCERT, IPA).</summary>
|
||||
JP,
|
||||
|
||||
/// <summary>Global (no specific jurisdiction).</summary>
|
||||
Global
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// VEX source identity.
|
||||
/// </summary>
|
||||
public sealed record VexSource
|
||||
{
|
||||
/// <summary>
|
||||
/// Unique source identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Human-readable source name.
|
||||
/// </summary>
|
||||
[JsonPropertyName("name")]
|
||||
public required string Name { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Source type (vendor, coordinator, government, community).
|
||||
/// </summary>
|
||||
[JsonPropertyName("type")]
|
||||
public required VexSourceType Type { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Jurisdictions where this source is authoritative.
|
||||
/// </summary>
|
||||
[JsonPropertyName("jurisdictions")]
|
||||
public ImmutableArray<Jurisdiction> Jurisdictions { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Base trust weight (0.0 to 1.0).
|
||||
/// </summary>
|
||||
[JsonPropertyName("baseTrustWeight")]
|
||||
public double BaseTrustWeight { get; init; } = 0.5;
|
||||
|
||||
/// <summary>
|
||||
/// Whether this source is a government authority.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isGovernmentAuthority")]
|
||||
public bool IsGovernmentAuthority { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Signing key identifiers for this source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("keyIds")]
|
||||
public ImmutableArray<string> KeyIds { get; init; } = [];
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// VEX source types.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum VexSourceType
|
||||
{
|
||||
/// <summary>Product vendor.</summary>
|
||||
Vendor,
|
||||
|
||||
/// <summary>Vulnerability coordinator (CERT).</summary>
|
||||
Coordinator,
|
||||
|
||||
/// <summary>Government authority.</summary>
|
||||
Government,
|
||||
|
||||
/// <summary>Community/open source.</summary>
|
||||
Community,
|
||||
|
||||
/// <summary>Commercial security vendor.</summary>
|
||||
Commercial
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Jurisdiction-specific trust configuration.
|
||||
/// </summary>
|
||||
public sealed record JurisdictionTrustConfig
|
||||
{
|
||||
/// <summary>
|
||||
/// Jurisdiction this config applies to.
|
||||
/// </summary>
|
||||
[JsonPropertyName("jurisdiction")]
|
||||
public required Jurisdiction Jurisdiction { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Ordered list of preferred sources (highest priority first).
|
||||
/// </summary>
|
||||
[JsonPropertyName("preferredSources")]
|
||||
public ImmutableArray<string> PreferredSources { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Trust weight overrides for specific sources.
|
||||
/// </summary>
|
||||
[JsonPropertyName("trustWeightOverrides")]
|
||||
public ImmutableDictionary<string, double> TrustWeightOverrides { get; init; } =
|
||||
ImmutableDictionary<string, double>.Empty;
|
||||
|
||||
/// <summary>
|
||||
/// Whether government sources must be preferred.
|
||||
/// </summary>
|
||||
[JsonPropertyName("preferGovernmentSources")]
|
||||
public bool PreferGovernmentSources { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Minimum trust weight for acceptance.
|
||||
/// </summary>
|
||||
[JsonPropertyName("minimumTrustWeight")]
|
||||
public double MinimumTrustWeight { get; init; } = 0.3;
|
||||
|
||||
/// <summary>
|
||||
/// Required source types for VEX acceptance.
|
||||
/// </summary>
|
||||
[JsonPropertyName("requiredSourceTypes")]
|
||||
public ImmutableArray<VexSourceType> RequiredSourceTypes { get; init; } = [];
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Service for jurisdiction-aware VEX trust evaluation.
|
||||
/// </summary>
|
||||
public interface IJurisdictionTrustService
|
||||
{
|
||||
/// <summary>
|
||||
/// Gets the effective trust weight for a source in a jurisdiction.
|
||||
/// </summary>
|
||||
double GetEffectiveTrustWeight(VexSource source, Jurisdiction jurisdiction);
|
||||
|
||||
/// <summary>
|
||||
/// Ranks sources by trust for a jurisdiction.
|
||||
/// </summary>
|
||||
IReadOnlyList<VexSource> RankSourcesByTrust(
|
||||
IEnumerable<VexSource> sources,
|
||||
Jurisdiction jurisdiction);
|
||||
|
||||
/// <summary>
|
||||
/// Validates that a VEX decision meets jurisdiction requirements.
|
||||
/// </summary>
|
||||
JurisdictionValidationResult ValidateForJurisdiction(
|
||||
VexDecisionContext decision,
|
||||
Jurisdiction jurisdiction);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Context for a VEX decision being validated.
|
||||
/// </summary>
|
||||
public sealed record VexDecisionContext
|
||||
{
|
||||
/// <summary>
|
||||
/// VEX status.
|
||||
/// </summary>
|
||||
[JsonPropertyName("status")]
|
||||
public required string Status { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Source that provided this decision.
|
||||
/// </summary>
|
||||
[JsonPropertyName("source")]
|
||||
public required VexSource Source { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Justification provided.
|
||||
/// </summary>
|
||||
[JsonPropertyName("justification")]
|
||||
public string? Justification { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// When the decision was made.
|
||||
/// </summary>
|
||||
[JsonPropertyName("timestamp")]
|
||||
public required DateTimeOffset Timestamp { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether the decision is cryptographically signed.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isSigned")]
|
||||
public bool IsSigned { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Result of jurisdiction validation.
|
||||
/// </summary>
|
||||
public sealed record JurisdictionValidationResult
|
||||
{
|
||||
/// <summary>
|
||||
/// Whether the decision is valid for the jurisdiction.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isValid")]
|
||||
public required bool IsValid { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Effective trust weight.
|
||||
/// </summary>
|
||||
[JsonPropertyName("effectiveTrustWeight")]
|
||||
public required double EffectiveTrustWeight { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Validation issues.
|
||||
/// </summary>
|
||||
[JsonPropertyName("issues")]
|
||||
public ImmutableArray<string> Issues { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Suggested actions to improve trust.
|
||||
/// </summary>
|
||||
[JsonPropertyName("suggestions")]
|
||||
public ImmutableArray<string> Suggestions { get; init; } = [];
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Default implementation of jurisdiction trust service.
|
||||
/// </summary>
|
||||
public sealed class JurisdictionTrustService : IJurisdictionTrustService
|
||||
{
|
||||
private readonly IReadOnlyDictionary<Jurisdiction, JurisdictionTrustConfig> _configs;
|
||||
|
||||
/// <summary>
|
||||
/// Default jurisdiction configurations.
|
||||
/// </summary>
|
||||
public static readonly ImmutableDictionary<Jurisdiction, JurisdictionTrustConfig> DefaultConfigs =
|
||||
new Dictionary<Jurisdiction, JurisdictionTrustConfig>
|
||||
{
|
||||
[Jurisdiction.US] = new()
|
||||
{
|
||||
Jurisdiction = Jurisdiction.US,
|
||||
PreferredSources = ["nist-nvd", "cisa-kev", "fda-medical", "vendor"],
|
||||
PreferGovernmentSources = true,
|
||||
MinimumTrustWeight = 0.4,
|
||||
TrustWeightOverrides = new Dictionary<string, double>
|
||||
{
|
||||
["nist-nvd"] = 0.95,
|
||||
["cisa-kev"] = 0.98,
|
||||
["vendor"] = 0.85
|
||||
}.ToImmutableDictionary()
|
||||
},
|
||||
[Jurisdiction.EU] = new()
|
||||
{
|
||||
Jurisdiction = Jurisdiction.EU,
|
||||
PreferredSources = ["enisa", "bsi", "anssi", "cert-eu", "vendor"],
|
||||
PreferGovernmentSources = true,
|
||||
MinimumTrustWeight = 0.4,
|
||||
TrustWeightOverrides = new Dictionary<string, double>
|
||||
{
|
||||
["enisa"] = 0.95,
|
||||
["bsi"] = 0.92,
|
||||
["anssi"] = 0.92,
|
||||
["vendor"] = 0.85
|
||||
}.ToImmutableDictionary()
|
||||
},
|
||||
[Jurisdiction.RU] = new()
|
||||
{
|
||||
Jurisdiction = Jurisdiction.RU,
|
||||
PreferredSources = ["fstec", "fsb-cert", "vendor"],
|
||||
PreferGovernmentSources = true,
|
||||
MinimumTrustWeight = 0.5,
|
||||
TrustWeightOverrides = new Dictionary<string, double>
|
||||
{
|
||||
["fstec"] = 0.98,
|
||||
["vendor"] = 0.80
|
||||
}.ToImmutableDictionary()
|
||||
},
|
||||
[Jurisdiction.CN] = new()
|
||||
{
|
||||
Jurisdiction = Jurisdiction.CN,
|
||||
PreferredSources = ["cnvd", "cnnvd", "vendor"],
|
||||
PreferGovernmentSources = true,
|
||||
MinimumTrustWeight = 0.5,
|
||||
TrustWeightOverrides = new Dictionary<string, double>
|
||||
{
|
||||
["cnvd"] = 0.95,
|
||||
["cnnvd"] = 0.95,
|
||||
["vendor"] = 0.80
|
||||
}.ToImmutableDictionary()
|
||||
},
|
||||
[Jurisdiction.Global] = new()
|
||||
{
|
||||
Jurisdiction = Jurisdiction.Global,
|
||||
PreferredSources = ["vendor", "osv", "github-advisory"],
|
||||
PreferGovernmentSources = false,
|
||||
MinimumTrustWeight = 0.3,
|
||||
TrustWeightOverrides = new Dictionary<string, double>
|
||||
{
|
||||
["vendor"] = 0.90,
|
||||
["osv"] = 0.75,
|
||||
["github-advisory"] = 0.70
|
||||
}.ToImmutableDictionary()
|
||||
}
|
||||
}.ToImmutableDictionary();
|
||||
|
||||
public JurisdictionTrustService(
|
||||
IReadOnlyDictionary<Jurisdiction, JurisdictionTrustConfig>? configs = null)
|
||||
{
|
||||
_configs = configs ?? DefaultConfigs;
|
||||
}
|
||||
|
||||
public double GetEffectiveTrustWeight(VexSource source, Jurisdiction jurisdiction)
|
||||
{
|
||||
if (!_configs.TryGetValue(jurisdiction, out var config))
|
||||
{
|
||||
config = DefaultConfigs[Jurisdiction.Global];
|
||||
}
|
||||
|
||||
// Check for explicit override
|
||||
if (config.TrustWeightOverrides.TryGetValue(source.Id, out var overrideWeight))
|
||||
{
|
||||
return overrideWeight;
|
||||
}
|
||||
|
||||
var weight = source.BaseTrustWeight;
|
||||
|
||||
// Bonus for government sources in jurisdictions that prefer them
|
||||
if (config.PreferGovernmentSources && source.IsGovernmentAuthority)
|
||||
{
|
||||
weight *= 1.2;
|
||||
}
|
||||
|
||||
// Bonus for sources that list this jurisdiction as authoritative
|
||||
if (source.Jurisdictions.Contains(jurisdiction))
|
||||
{
|
||||
weight *= 1.1;
|
||||
}
|
||||
|
||||
// Penalty for non-preferred sources
|
||||
var preferenceIndex = config.PreferredSources
|
||||
.Select((id, i) => (id, i))
|
||||
.FirstOrDefault(x => x.id == source.Id).i;
|
||||
|
||||
if (preferenceIndex > 0)
|
||||
{
|
||||
weight *= 1.0 - (preferenceIndex * 0.05);
|
||||
}
|
||||
|
||||
return Math.Clamp(weight, 0.0, 1.0);
|
||||
}
|
||||
|
||||
public IReadOnlyList<VexSource> RankSourcesByTrust(
|
||||
IEnumerable<VexSource> sources,
|
||||
Jurisdiction jurisdiction)
|
||||
{
|
||||
return sources
|
||||
.OrderByDescending(s => GetEffectiveTrustWeight(s, jurisdiction))
|
||||
.ToList();
|
||||
}
|
||||
|
||||
public JurisdictionValidationResult ValidateForJurisdiction(
|
||||
VexDecisionContext decision,
|
||||
Jurisdiction jurisdiction)
|
||||
{
|
||||
if (!_configs.TryGetValue(jurisdiction, out var config))
|
||||
{
|
||||
config = DefaultConfigs[Jurisdiction.Global];
|
||||
}
|
||||
|
||||
var issues = new List<string>();
|
||||
var suggestions = new List<string>();
|
||||
|
||||
var effectiveWeight = GetEffectiveTrustWeight(decision.Source, jurisdiction);
|
||||
|
||||
// Check minimum trust weight
|
||||
if (effectiveWeight < config.MinimumTrustWeight)
|
||||
{
|
||||
issues.Add($"Source trust weight ({effectiveWeight:P0}) below minimum ({config.MinimumTrustWeight:P0})");
|
||||
suggestions.Add("Consider obtaining VEX from a higher-trust source");
|
||||
}
|
||||
|
||||
// Check government preference
|
||||
if (config.PreferGovernmentSources && !decision.Source.IsGovernmentAuthority)
|
||||
{
|
||||
suggestions.Add($"Jurisdiction {jurisdiction} prefers government sources");
|
||||
}
|
||||
|
||||
// Check signature requirement for high-trust decisions
|
||||
if (effectiveWeight >= 0.8 && !decision.IsSigned)
|
||||
{
|
||||
issues.Add("High-trust VEX decisions should be cryptographically signed");
|
||||
suggestions.Add("Request signed VEX statement from source");
|
||||
}
|
||||
|
||||
// Check required source types
|
||||
if (config.RequiredSourceTypes.Length > 0 &&
|
||||
!config.RequiredSourceTypes.Contains(decision.Source.Type))
|
||||
{
|
||||
issues.Add($"Source type {decision.Source.Type} not in required types");
|
||||
}
|
||||
|
||||
return new JurisdictionValidationResult
|
||||
{
|
||||
IsValid = issues.Count == 0,
|
||||
EffectiveTrustWeight = effectiveWeight,
|
||||
Issues = issues.ToImmutableArray(),
|
||||
Suggestions = suggestions.ToImmutableArray()
|
||||
};
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,571 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// VexCustomerOverride.cs
|
||||
// Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)
|
||||
// Task: VEX-L-004 - Customer override with signed audit trail
|
||||
// Description: Customer-initiated VEX overrides with cryptographic audit trail.
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System;
|
||||
using System.Collections.Immutable;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Policy.Vex;
|
||||
|
||||
/// <summary>
|
||||
/// Customer-initiated VEX override with full audit trail.
|
||||
/// </summary>
|
||||
public sealed record VexCustomerOverride
|
||||
{
|
||||
/// <summary>
|
||||
/// Unique override identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("id")]
|
||||
public required string Id { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// CVE or vulnerability ID being overridden.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vulnerabilityId")]
|
||||
public required string VulnerabilityId { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Product or component PURL.
|
||||
/// </summary>
|
||||
[JsonPropertyName("productPurl")]
|
||||
public required string ProductPurl { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Original VEX status from source.
|
||||
/// </summary>
|
||||
[JsonPropertyName("originalStatus")]
|
||||
public required string OriginalStatus { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Overridden VEX status.
|
||||
/// </summary>
|
||||
[JsonPropertyName("overrideStatus")]
|
||||
public required string OverrideStatus { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Justification for the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("justification")]
|
||||
public required VexOverrideJustification Justification { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// User who created the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("createdBy")]
|
||||
public required OverrideActor CreatedBy { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// When the override was created.
|
||||
/// </summary>
|
||||
[JsonPropertyName("createdAt")]
|
||||
public required DateTimeOffset CreatedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Approvers (for multi-party approval).
|
||||
/// </summary>
|
||||
[JsonPropertyName("approvers")]
|
||||
public ImmutableArray<OverrideApproval> Approvers { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Expiration time for the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("expiresAt")]
|
||||
public DateTimeOffset? ExpiresAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether the override is currently active.
|
||||
/// </summary>
|
||||
[JsonPropertyName("isActive")]
|
||||
public bool IsActive { get; init; } = true;
|
||||
|
||||
/// <summary>
|
||||
/// Scope of the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("scope")]
|
||||
public required OverrideScope Scope { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Cryptographic signature of the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("signature")]
|
||||
public OverrideSignature? Signature { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Evidence references supporting the override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("evidenceRefs")]
|
||||
public ImmutableArray<string> EvidenceRefs { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Tags for categorization.
|
||||
/// </summary>
|
||||
[JsonPropertyName("tags")]
|
||||
public ImmutableArray<string> Tags { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Audit events for this override.
|
||||
/// </summary>
|
||||
[JsonPropertyName("auditTrail")]
|
||||
public ImmutableArray<OverrideAuditEvent> AuditTrail { get; init; } = [];
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Justification for a VEX override.
|
||||
/// </summary>
|
||||
public sealed record VexOverrideJustification
|
||||
{
|
||||
/// <summary>
|
||||
/// Justification category.
|
||||
/// </summary>
|
||||
[JsonPropertyName("category")]
|
||||
public required OverrideJustificationCategory Category { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Detailed explanation.
|
||||
/// </summary>
|
||||
[JsonPropertyName("explanation")]
|
||||
public required string Explanation { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Compensating controls in place.
|
||||
/// </summary>
|
||||
[JsonPropertyName("compensatingControls")]
|
||||
public ImmutableArray<string> CompensatingControls { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Risk acceptance level.
|
||||
/// </summary>
|
||||
[JsonPropertyName("riskAcceptanceLevel")]
|
||||
public RiskAcceptanceLevel? RiskAcceptanceLevel { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Remediation plan if applicable.
|
||||
/// </summary>
|
||||
[JsonPropertyName("remediationPlan")]
|
||||
public RemediationPlan? RemediationPlan { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Categories for override justification.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum OverrideJustificationCategory
|
||||
{
|
||||
/// <summary>Vendor analysis incorrect.</summary>
|
||||
VendorAnalysisIncorrect,
|
||||
|
||||
/// <summary>Compensating controls in place.</summary>
|
||||
CompensatingControls,
|
||||
|
||||
/// <summary>Not applicable to deployment context.</summary>
|
||||
NotApplicableToContext,
|
||||
|
||||
/// <summary>Risk accepted per policy.</summary>
|
||||
RiskAccepted,
|
||||
|
||||
/// <summary>False positive confirmed.</summary>
|
||||
FalsePositive,
|
||||
|
||||
/// <summary>Component not in use.</summary>
|
||||
ComponentNotInUse,
|
||||
|
||||
/// <summary>Vulnerable code path not reachable.</summary>
|
||||
CodePathNotReachable,
|
||||
|
||||
/// <summary>Already mitigated by other means.</summary>
|
||||
AlreadyMitigated,
|
||||
|
||||
/// <summary>Business critical exception.</summary>
|
||||
BusinessException
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Risk acceptance levels.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum RiskAcceptanceLevel
|
||||
{
|
||||
/// <summary>Low risk accepted.</summary>
|
||||
Low,
|
||||
|
||||
/// <summary>Medium risk accepted.</summary>
|
||||
Medium,
|
||||
|
||||
/// <summary>High risk accepted (requires senior approval).</summary>
|
||||
High,
|
||||
|
||||
/// <summary>Critical risk accepted (requires executive approval).</summary>
|
||||
Critical
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Remediation plan for accepted risk.
|
||||
/// </summary>
|
||||
public sealed record RemediationPlan
|
||||
{
|
||||
/// <summary>
|
||||
/// Target remediation date.
|
||||
/// </summary>
|
||||
[JsonPropertyName("targetDate")]
|
||||
public required DateTimeOffset TargetDate { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Remediation steps.
|
||||
/// </summary>
|
||||
[JsonPropertyName("steps")]
|
||||
public ImmutableArray<string> Steps { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Ticket/issue reference.
|
||||
/// </summary>
|
||||
[JsonPropertyName("ticketRef")]
|
||||
public string? TicketRef { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Assigned owner.
|
||||
/// </summary>
|
||||
[JsonPropertyName("owner")]
|
||||
public string? Owner { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Actor who created or modified an override.
|
||||
/// </summary>
|
||||
public sealed record OverrideActor
|
||||
{
|
||||
/// <summary>
|
||||
/// User identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("userId")]
|
||||
public required string UserId { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// User display name.
|
||||
/// </summary>
|
||||
[JsonPropertyName("displayName")]
|
||||
public required string DisplayName { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// User email.
|
||||
/// </summary>
|
||||
[JsonPropertyName("email")]
|
||||
public string? Email { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// User role at time of action.
|
||||
/// </summary>
|
||||
[JsonPropertyName("role")]
|
||||
public string? Role { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Organization/tenant.
|
||||
/// </summary>
|
||||
[JsonPropertyName("organization")]
|
||||
public string? Organization { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Approval for an override.
|
||||
/// </summary>
|
||||
public sealed record OverrideApproval
|
||||
{
|
||||
/// <summary>
|
||||
/// Approver details.
|
||||
/// </summary>
|
||||
[JsonPropertyName("approver")]
|
||||
public required OverrideActor Approver { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// When approved.
|
||||
/// </summary>
|
||||
[JsonPropertyName("approvedAt")]
|
||||
public required DateTimeOffset ApprovedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Approval comment.
|
||||
/// </summary>
|
||||
[JsonPropertyName("comment")]
|
||||
public string? Comment { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Signature of approval.
|
||||
/// </summary>
|
||||
[JsonPropertyName("signature")]
|
||||
public OverrideSignature? Signature { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Scope of an override.
|
||||
/// </summary>
|
||||
public sealed record OverrideScope
|
||||
{
|
||||
/// <summary>
|
||||
/// Scope type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("type")]
|
||||
public required OverrideScopeType Type { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Specific artifact digests if scoped.
|
||||
/// </summary>
|
||||
[JsonPropertyName("artifactDigests")]
|
||||
public ImmutableArray<string> ArtifactDigests { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Environment names if scoped.
|
||||
/// </summary>
|
||||
[JsonPropertyName("environments")]
|
||||
public ImmutableArray<string> Environments { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Version range if scoped.
|
||||
/// </summary>
|
||||
[JsonPropertyName("versionRange")]
|
||||
public string? VersionRange { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Scope types for overrides.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum OverrideScopeType
|
||||
{
|
||||
/// <summary>Applies to all versions of the product.</summary>
|
||||
AllVersions,
|
||||
|
||||
/// <summary>Applies to specific version range.</summary>
|
||||
VersionRange,
|
||||
|
||||
/// <summary>Applies to specific artifacts only.</summary>
|
||||
SpecificArtifacts,
|
||||
|
||||
/// <summary>Applies to specific environments only.</summary>
|
||||
EnvironmentScoped
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Cryptographic signature for override.
|
||||
/// </summary>
|
||||
public sealed record OverrideSignature
|
||||
{
|
||||
/// <summary>
|
||||
/// Signature algorithm.
|
||||
/// </summary>
|
||||
[JsonPropertyName("algorithm")]
|
||||
public required string Algorithm { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Key identifier.
|
||||
/// </summary>
|
||||
[JsonPropertyName("keyId")]
|
||||
public required string KeyId { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Signature value (base64).
|
||||
/// </summary>
|
||||
[JsonPropertyName("signature")]
|
||||
public required string Signature { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Timestamp of signing.
|
||||
/// </summary>
|
||||
[JsonPropertyName("signedAt")]
|
||||
public required DateTimeOffset SignedAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Certificate chain (PEM, if available).
|
||||
/// </summary>
|
||||
[JsonPropertyName("certificateChain")]
|
||||
public string? CertificateChain { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Audit event for override lifecycle.
|
||||
/// </summary>
|
||||
public sealed record OverrideAuditEvent
|
||||
{
|
||||
/// <summary>
|
||||
/// Event timestamp.
|
||||
/// </summary>
|
||||
[JsonPropertyName("timestamp")]
|
||||
public required DateTimeOffset Timestamp { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Event type.
|
||||
/// </summary>
|
||||
[JsonPropertyName("eventType")]
|
||||
public required OverrideAuditEventType EventType { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Actor who caused the event.
|
||||
/// </summary>
|
||||
[JsonPropertyName("actor")]
|
||||
public required OverrideActor Actor { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Event details.
|
||||
/// </summary>
|
||||
[JsonPropertyName("details")]
|
||||
public string? Details { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Previous value (for changes).
|
||||
/// </summary>
|
||||
[JsonPropertyName("previousValue")]
|
||||
public string? PreviousValue { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// New value (for changes).
|
||||
/// </summary>
|
||||
[JsonPropertyName("newValue")]
|
||||
public string? NewValue { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// IP address of actor.
|
||||
/// </summary>
|
||||
[JsonPropertyName("ipAddress")]
|
||||
public string? IpAddress { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Event signature for tamper-evidence.
|
||||
/// </summary>
|
||||
[JsonPropertyName("eventSignature")]
|
||||
public string? EventSignature { get; init; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Audit event types.
|
||||
/// </summary>
|
||||
[JsonConverter(typeof(JsonStringEnumConverter))]
|
||||
public enum OverrideAuditEventType
|
||||
{
|
||||
/// <summary>Override created.</summary>
|
||||
Created,
|
||||
|
||||
/// <summary>Override approved.</summary>
|
||||
Approved,
|
||||
|
||||
/// <summary>Override rejected.</summary>
|
||||
Rejected,
|
||||
|
||||
/// <summary>Override modified.</summary>
|
||||
Modified,
|
||||
|
||||
/// <summary>Override expired.</summary>
|
||||
Expired,
|
||||
|
||||
/// <summary>Override revoked.</summary>
|
||||
Revoked,
|
||||
|
||||
/// <summary>Override renewed.</summary>
|
||||
Renewed,
|
||||
|
||||
/// <summary>Override applied to scan.</summary>
|
||||
Applied,
|
||||
|
||||
/// <summary>Override viewed.</summary>
|
||||
Viewed
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Service for managing customer VEX overrides.
|
||||
/// </summary>
|
||||
public interface IVexOverrideService
|
||||
{
|
||||
/// <summary>
|
||||
/// Creates a new override.
|
||||
/// </summary>
|
||||
Task<VexCustomerOverride> CreateOverrideAsync(
|
||||
CreateOverrideRequest request,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Approves an override.
|
||||
/// </summary>
|
||||
Task<VexCustomerOverride> ApproveOverrideAsync(
|
||||
string overrideId,
|
||||
OverrideApproval approval,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Revokes an override.
|
||||
/// </summary>
|
||||
Task<VexCustomerOverride> RevokeOverrideAsync(
|
||||
string overrideId,
|
||||
OverrideActor actor,
|
||||
string reason,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Gets active overrides for a vulnerability.
|
||||
/// </summary>
|
||||
Task<IReadOnlyList<VexCustomerOverride>> GetActiveOverridesAsync(
|
||||
string vulnerabilityId,
|
||||
string? productPurl = null,
|
||||
CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Gets the audit trail for an override.
|
||||
/// </summary>
|
||||
Task<IReadOnlyList<OverrideAuditEvent>> GetAuditTrailAsync(
|
||||
string overrideId,
|
||||
CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Request to create an override.
|
||||
/// </summary>
|
||||
public sealed record CreateOverrideRequest
|
||||
{
|
||||
/// <summary>
|
||||
/// Vulnerability ID.
|
||||
/// </summary>
|
||||
[JsonPropertyName("vulnerabilityId")]
|
||||
public required string VulnerabilityId { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Product PURL.
|
||||
/// </summary>
|
||||
[JsonPropertyName("productPurl")]
|
||||
public required string ProductPurl { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Override status.
|
||||
/// </summary>
|
||||
[JsonPropertyName("overrideStatus")]
|
||||
public required string OverrideStatus { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Justification.
|
||||
/// </summary>
|
||||
[JsonPropertyName("justification")]
|
||||
public required VexOverrideJustification Justification { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Scope.
|
||||
/// </summary>
|
||||
[JsonPropertyName("scope")]
|
||||
public required OverrideScope Scope { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Expiration.
|
||||
/// </summary>
|
||||
[JsonPropertyName("expiresAt")]
|
||||
public DateTimeOffset? ExpiresAt { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Evidence references.
|
||||
/// </summary>
|
||||
[JsonPropertyName("evidenceRefs")]
|
||||
public ImmutableArray<string> EvidenceRefs { get; init; } = [];
|
||||
|
||||
/// <summary>
|
||||
/// Tags.
|
||||
/// </summary>
|
||||
[JsonPropertyName("tags")]
|
||||
public ImmutableArray<string> Tags { get; init; } = [];
|
||||
}
|
||||
Reference in New Issue
Block a user