stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

more features checks. setup improvements

Browse Source
This commit is contained in:
master
2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/features/checked/concelier/concelier-vendor-risk-signal-provider.md Normal file
View File

@@ -0,0 +1,32 @@
# Concelier Vendor Risk Signal Provider
## Module
Concelier
## Status
VERIFIED
## Description
Extracts vendor-specific risk signals from advisory data, emits fix availability events, and tracks advisory field changes for risk scoring. Not in the known list.
## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`
- **Key Classes**:
- `VendorRiskSignalExtractor` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/VendorRiskSignalExtractor.cs`) - extracts vendor-specific risk signals (CVSS, exploit maturity, fix availability) from advisory data
- `PolicyStudioSignalPicker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/PolicyStudioSignalPicker.cs`) - filters and selects signals for policy evaluation
- **Interfaces**: `IPolicyStudioSignalPicker`
- **Source**: Sprint 0115 (batch_14/file_16.md)
## E2E Test Plan
- [x] Provide a vendor advisory with CVSS and fix availability and verify `VendorRiskSignalExtractor` produces correct risk signals
- [x] Verify fix availability emission: advisory with a fix emits a fix-available signal event
- [x] Verify field change tracking: update an advisory field and verify the risk signal reflects the change
- [x] Verify signal extraction handles missing fields gracefully (no CVSS, no fix info)
## Verification
- **Run ID**: run-002 (deep verification)
- **Date**: 2026-02-13
- **Result**: PASS - Deep behavioral verification with 28 NEW unit tests written.
- Core.Tests 543/545 (2 pre-existing FeedSnapshotPinningService failures, unrelated): VendorRiskSignalExtractorTests (14 tests: CVSS extraction, KEV parsing from NVD/OSV JSON, fix availability from OSV affected[].ranges[].events[{fixed}], provenance anchoring, blank-system filtering, null handling, NormalizedSystem aliases, EffectiveSeverity v2/v3 thresholds, HighestCvssScore). PolicyStudioSignalPickerTests (14 tests: CVSS version priority selection v4>v3.1>v3.0>v2, PreferredCvssVersion, KEV-to-critical severity override, fix version extraction with dedup, provenance chain, options control for IncludeCvss/IncludeKev/IncludeFixAvailability/IncludeProvenance).
- AdvisoryFieldChangeEmitterTests (1): CVSS change tracking with invariant culture.
- **Previous Run**: run-001 (indirect verification via InterestScoreCalculatorTests only)