Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00
parent 7ac70ece71
commit bc4318ef97
88 changed files with 6974 additions and 1230 deletions
--- a/docs2/risk/factors.md
+++ b/docs2/risk/factors.md
@@ -0,0 +1,29 @@
+# Risk factors
+
+Purpose
+- Define factor catalog and normalization rules for risk scoring.
+
+Factor catalog (examples)
+- CVSS or exploit likelihood: numeric 0-10 normalized to 0-1.
+- KEV flag: boolean boost with provenance.
+- Reachability: numeric with entrypoint and path provenance.
+- Runtime facts: categorical or numeric with trace references.
+- Fix availability: vendor status and mitigation context.
+- Asset criticality: tenant or service criticality signals.
+- Provenance trust: categorical trust tier with attestation hash.
+- Custom overrides: scoped, expiring, and auditable.
+
+Normalization rules
+- Validate against profile signal types and transforms.
+- Clamp numeric inputs to 0-1 and record original values in provenance.
+- Apply TTL or decay deterministically; drop expired signals.
+- Precedence: signed over unsigned, runtime over static, newer over older.
+
+Determinism and ordering
+- Sort factors by factor type, source, then timestamp.
+- Hash fixtures and record SHA256 in docs/risk/samples/factors/.
+
+Related references
+- risk/overview.md
+- risk/formulas.md
+- risk/profiles.md