Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
28
docs2/risk/formulas.md
Normal file
@@ -0,0 +1,28 @@
# Risk formulas
Purpose
- Define how normalized factors combine into a risk score and severity.
Formula building blocks
- Weighted sum with per-factor caps and family caps.
- Normalize raw score to 0-1 and apply gates.
- VEX gate: not_affected can short-circuit to 0.0.
- CVSS + KEV boost: clamp01((cvss/10) + kev_bonus).
- Trust gates: fail or down-weight low-trust provenance.
- Decay: apply time-based decay to stale signals.
- Overrides: tenant or asset overrides with expiry and audit.
Severity mapping
- Map normalized_score to critical, high, medium, low, informational.
- Store band rationale in explainability output.
Determinism
- Stable factor ordering before aggregation.
- Fixed precision (example: 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 in docs/risk/samples/formulas/.
Related references
- risk/overview.md
- risk/factors.md
- risk/profiles.md
- risk/explainability.md
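Review bot: The Determinism section leaves the two things that actually decide byte-for-byte reproducibility unspecified: "Fixed precision (example: 4 decimals)" names the precision only as an example, and no rounding mode (half-up, half-even, or truncation) is given, so two implementations following this page can produce different normalized_score values for the same factors. State the precision and rounding mode as requirements, and also fix the evaluation order of the gates relative to the weighted sum (the VEX not_affected short-circuit, trust gates, decay, and overrides are listed without saying which applies first), since the order changes the result. Two smaller points in the same hunk: "Hash fixtures and record SHA256 in docs/risk/samples/formulas/" points at docs/risk while this file lives under docs2/risk, and the "Related references" entries (risk/overview.md, risk/factors.md, ...) are written relative to docs2/ rather than to this file's own directory, so they will not resolve as plain Markdown links from docs2/risk/formulas.md.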