stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
master
2025-11-28 18:21:46 +02:00
parent 05da719048
commit d1cbb905f8
103 changed files with 49604 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

354
src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs Normal file
View File

@@ -0,0 +1,354 @@
using System.Text.Json.Serialization;
namespace StellaOps.Policy.Scoring;
/// <summary>
/// CVSS v4.0 Base metric group - Exploitability and impact metrics.
/// Per FIRST CVSS v4.0 Specification Document.
/// </summary>
public sealed record CvssBaseMetrics
{
/// <summary>Attack Vector (AV) - Mandatory.</summary>
[JsonPropertyName("av")]
public required AttackVector AttackVector { get; init; }
/// <summary>Attack Complexity (AC) - Mandatory.</summary>
[JsonPropertyName("ac")]
public required AttackComplexity AttackComplexity { get; init; }
/// <summary>Attack Requirements (AT) - Mandatory.</summary>
[JsonPropertyName("at")]
public required AttackRequirements AttackRequirements { get; init; }
/// <summary>Privileges Required (PR) - Mandatory.</summary>
[JsonPropertyName("pr")]
public required PrivilegesRequired PrivilegesRequired { get; init; }
/// <summary>User Interaction (UI) - Mandatory.</summary>
[JsonPropertyName("ui")]
public required UserInteraction UserInteraction { get; init; }
/// <summary>Vulnerable System Confidentiality (VC) - Mandatory.</summary>
[JsonPropertyName("vc")]
public required ImpactMetricValue VulnerableSystemConfidentiality { get; init; }
/// <summary>Vulnerable System Integrity (VI) - Mandatory.</summary>
[JsonPropertyName("vi")]
public required ImpactMetricValue VulnerableSystemIntegrity { get; init; }
/// <summary>Vulnerable System Availability (VA) - Mandatory.</summary>
[JsonPropertyName("va")]
public required ImpactMetricValue VulnerableSystemAvailability { get; init; }
/// <summary>Subsequent System Confidentiality (SC) - Mandatory.</summary>
[JsonPropertyName("sc")]
public required ImpactMetricValue SubsequentSystemConfidentiality { get; init; }
/// <summary>Subsequent System Integrity (SI) - Mandatory.</summary>
[JsonPropertyName("si")]
public required ImpactMetricValue SubsequentSystemIntegrity { get; init; }
/// <summary>Subsequent System Availability (SA) - Mandatory.</summary>
[JsonPropertyName("sa")]
public required ImpactMetricValue SubsequentSystemAvailability { get; init; }
}
/// <summary>
/// CVSS v4.0 Threat metric group.
/// </summary>
public sealed record CvssThreatMetrics
{
/// <summary>Exploit Maturity (E) - Optional, defaults to Not Defined.</summary>
[JsonPropertyName("e")]
public ExploitMaturity ExploitMaturity { get; init; } = ExploitMaturity.NotDefined;
}
/// <summary>
/// CVSS v4.0 Environmental metric group - Modified base metrics for specific environments.
/// </summary>
public sealed record CvssEnvironmentalMetrics
{
/// <summary>Modified Attack Vector (MAV).</summary>
[JsonPropertyName("mav")]
public ModifiedAttackVector? ModifiedAttackVector { get; init; }
/// <summary>Modified Attack Complexity (MAC).</summary>
[JsonPropertyName("mac")]
public ModifiedAttackComplexity? ModifiedAttackComplexity { get; init; }
/// <summary>Modified Attack Requirements (MAT).</summary>
[JsonPropertyName("mat")]
public ModifiedAttackRequirements? ModifiedAttackRequirements { get; init; }
/// <summary>Modified Privileges Required (MPR).</summary>
[JsonPropertyName("mpr")]
public ModifiedPrivilegesRequired? ModifiedPrivilegesRequired { get; init; }
/// <summary>Modified User Interaction (MUI).</summary>
[JsonPropertyName("mui")]
public ModifiedUserInteraction? ModifiedUserInteraction { get; init; }
/// <summary>Modified Vulnerable System Confidentiality (MVC).</summary>
[JsonPropertyName("mvc")]
public ModifiedImpactMetricValue? ModifiedVulnerableSystemConfidentiality { get; init; }
/// <summary>Modified Vulnerable System Integrity (MVI).</summary>
[JsonPropertyName("mvi")]
public ModifiedImpactMetricValue? ModifiedVulnerableSystemIntegrity { get; init; }
/// <summary>Modified Vulnerable System Availability (MVA).</summary>
[JsonPropertyName("mva")]
public ModifiedImpactMetricValue? ModifiedVulnerableSystemAvailability { get; init; }
/// <summary>Modified Subsequent System Confidentiality (MSC).</summary>
[JsonPropertyName("msc")]
public ModifiedImpactMetricValue? ModifiedSubsequentSystemConfidentiality { get; init; }
/// <summary>Modified Subsequent System Integrity (MSI).</summary>
[JsonPropertyName("msi")]
public ModifiedSubsequentImpact? ModifiedSubsequentSystemIntegrity { get; init; }
/// <summary>Modified Subsequent System Availability (MSA).</summary>
[JsonPropertyName("msa")]
public ModifiedSubsequentImpact? ModifiedSubsequentSystemAvailability { get; init; }
/// <summary>Confidentiality Requirement (CR).</summary>
[JsonPropertyName("cr")]
public SecurityRequirement? ConfidentialityRequirement { get; init; }
/// <summary>Integrity Requirement (IR).</summary>
[JsonPropertyName("ir")]
public SecurityRequirement? IntegrityRequirement { get; init; }
/// <summary>Availability Requirement (AR).</summary>
[JsonPropertyName("ar")]
public SecurityRequirement? AvailabilityRequirement { get; init; }
}
/// <summary>
/// CVSS v4.0 Supplemental metric group - Additional context metrics that do not affect scoring.
/// </summary>
public sealed record CvssSupplementalMetrics
{
/// <summary>Safety (S) - Does the vulnerability affect human safety?</summary>
[JsonPropertyName("s")]
public Safety? Safety { get; init; }
/// <summary>Automatable (AU) - Can the vulnerability be exploited automatically?</summary>
[JsonPropertyName("au")]
public Automatable? Automatable { get; init; }
/// <summary>Recovery (R) - What is the recovery capability?</summary>
[JsonPropertyName("r")]
public Recovery? Recovery { get; init; }
/// <summary>Value Density (V) - Resource density of the vulnerable system.</summary>
[JsonPropertyName("v")]
public ValueDensity? ValueDensity { get; init; }
/// <summary>Vulnerability Response Effort (RE) - Effort required to respond.</summary>
[JsonPropertyName("re")]
public ResponseEffort? VulnerabilityResponseEffort { get; init; }
/// <summary>Provider Urgency (U) - Urgency as assessed by the provider.</summary>
[JsonPropertyName("u")]
public ProviderUrgency? ProviderUrgency { get; init; }
}
#region Base Metric Enums
/// <summary>Attack Vector values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackVector
{
/// <summary>Network (N) - Remotely exploitable.</summary>
Network,
/// <summary>Adjacent (A) - Same network segment.</summary>
Adjacent,
/// <summary>Local (L) - Local access required.</summary>
Local,
/// <summary>Physical (P) - Physical access required.</summary>
Physical
}
/// <summary>Attack Complexity values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackComplexity
{
/// <summary>Low (L) - No specialized conditions.</summary>
Low,
/// <summary>High (H) - Specialized conditions required.</summary>
High
}
/// <summary>Attack Requirements values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackRequirements
{
/// <summary>None (N) - No preconditions required.</summary>
None,
/// <summary>Present (P) - Preconditions must exist.</summary>
Present
}
/// <summary>Privileges Required values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum PrivilegesRequired
{
/// <summary>None (N) - No privileges needed.</summary>
None,
/// <summary>Low (L) - Basic user privileges needed.</summary>
Low,
/// <summary>High (H) - Admin/elevated privileges needed.</summary>
High
}
/// <summary>User Interaction values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum UserInteraction
{
/// <summary>None (N) - No user interaction required.</summary>
None,
/// <summary>Passive (P) - Involuntary user action.</summary>
Passive,
/// <summary>Active (A) - Conscious user action required.</summary>
Active
}
/// <summary>Impact metric values (None/Low/High) per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ImpactMetricValue
{
/// <summary>None (N) - No impact.</summary>
None,
/// <summary>Low (L) - Limited impact.</summary>
Low,
/// <summary>High (H) - Serious impact.</summary>
High
}
#endregion
#region Threat Metric Enums
/// <summary>Exploit Maturity values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ExploitMaturity
{
/// <summary>Not Defined (X) - Not assessed.</summary>
NotDefined,
/// <summary>Attacked (A) - Active exploitation observed.</summary>
Attacked,
/// <summary>Proof of Concept (P) - PoC code exists.</summary>
ProofOfConcept,
/// <summary>Unreported (U) - No public exploit code.</summary>
Unreported
}
#endregion
#region Environmental Metric Enums (Modified versions)
/// <summary>Modified Attack Vector values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackVector
{
NotDefined, Network, Adjacent, Local, Physical
}
/// <summary>Modified Attack Complexity values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackComplexity
{
NotDefined, Low, High
}
/// <summary>Modified Attack Requirements values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackRequirements
{
NotDefined, None, Present
}
/// <summary>Modified Privileges Required values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedPrivilegesRequired
{
NotDefined, None, Low, High
}
/// <summary>Modified User Interaction values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedUserInteraction
{
NotDefined, None, Passive, Active
}
/// <summary>Modified Impact metric values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedImpactMetricValue
{
NotDefined, None, Low, High
}
/// <summary>Modified Subsequent System Impact values (includes Safety dimension).</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedSubsequentImpact
{
NotDefined, Negligible, Low, High, Safety
}
/// <summary>Security Requirement values.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum SecurityRequirement
{
NotDefined, Low, Medium, High
}
#endregion
#region Supplemental Metric Enums
/// <summary>Safety values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Safety
{
NotDefined, Negligible, Present
}
/// <summary>Automatable values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Automatable
{
NotDefined, No, Yes
}
/// <summary>Recovery values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Recovery
{
NotDefined, Automatic, User, Irrecoverable
}
/// <summary>Value Density values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ValueDensity
{
NotDefined, Diffuse, Concentrated
}
/// <summary>Response Effort values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ResponseEffort
{
NotDefined, Low, Moderate, High
}
/// <summary>Provider Urgency values per CVSS v4.0.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ProviderUrgency
{
NotDefined, Clear, Green, Amber, Red
}
#endregion