more features checks. setup improvements
39
docs/features/checked/policy/epss-threshold-policy-gate.md
Normal file
@@ -0,0 +1,39 @@
# EPSS Threshold Policy Gate
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy gate that evaluates EPSS probability thresholds to block or allow releases based on configurable risk bands and delta thresholds.
## Implementation Details
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs` -- multi-gate evaluation including EPSS-aware gates
- EPSS thresholds integrated into evidence and confidence gate evaluation
- Gate result types: Pass, PassWithNote, Warn, Block, Skip
- **UnknownRanker EPSS Scoring**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- EPSS exploit pressure
- EPSS >= 0.90: +0.30 (critical exploit likelihood)
- EPSS >= 0.50: +0.15 (significant exploit likelihood)
- CVSS >= 9.0: +0.05 (additional severity factor)
- Combined with KEV status (+0.50) for total exploit pressure
- Exploit pressure feeds into band assignment: Hot >= 75, Warm >= 50, Cold >= 25
- **Risk Profile Scoring**: `src/Policy/StellaOps.Policy.Engine/Scoring/` -- EPSS as scoring signal
- `ScoringProfileService.cs` -- profile configuration includes EPSS weights
- `ScorePolicyService.cs` -- EPSS threshold evaluation per policy
- `IScoringEngine.cs` interface with EPSS-aware implementations
- **CVSS + EPSS Combined Scoring**: `src/Policy/StellaOps.Policy.Scoring/` -- CVSS and EPSS used together
- CVSS provides severity; EPSS provides exploit probability
- Combined score informs gate decisions
- **Risk Budget Integration**: EPSS-driven unknowns affect budget consumption
## E2E Test Plan
- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.85; verify gate blocks
- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.50; verify gate allows
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.95 produces exploit pressure 0.80 (0.50+0.30)
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.50 produces exploit pressure 0.65 (0.50+0.15)
- [ ] Verify HOT band assignment for finding with total score >= 75 (high EPSS + high uncertainty)
- [ ] Verify band transition from WARM to HOT when EPSS score increases above 0.90
- [ ] Verify EPSS delta: finding with rising EPSS triggers re-evaluation
- [ ] Verify scoring profile weights EPSS contribution correctly
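Review bot: the band thresholds in the UnknownRanker bullets (Hot >= 75, Warm >= 50, Cold >= 25) are on a different scale from the exploit-pressure values used in the same list and in the E2E plan (0.80 = 0.50+0.30, 0.65 = 0.50+0.15), so a reader cannot tell whether pressure is scaled to 0-100, added to other signals first, or compared directly; state the conversion in the "Exploit pressure feeds into band assignment" bullet (for example, how a 0-1 pressure and the uncertainty component combine into the >= 75 total that the HOT test item expects). The Description also promises "delta thresholds", but Implementation Details names no file, threshold or configuration for EPSS delta handling while the last test item ("finding with rising EPSS triggers re-evaluation") depends on it; either document where the delta is evaluated or drop the claim from the Description. Minor: the 0.80 gate threshold in the first two test items is not tied to any named gate or config key in Implementation Details, and every E2E box is unchecked while Status reads IMPLEMENTED, which is worth reconciling.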