save checkpoint
This commit is contained in:
master
45
docs/features/checked/policy/unknowns-ranking-algorithm.md
Normal file
45
docs/features/checked/policy/unknowns-ranking-algorithm.md
Normal file
@@ -0,0 +1,45 @@
|
||||
# Unknowns Ranking Algorithm (HOT/WARM/COLD bands)
|
||||
|
||||
## Module
|
||||
Policy
|
||||
|
||||
## Status
|
||||
IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Unknown ranker with weighted scoring (popularity, exploit potential, uncertainty density, centrality, staleness), HOT/WARM/COLD band assignment, and BlastRadius model. Database migration for blast radius/containment exists.
|
||||
|
||||
## Implementation Details
|
||||
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` (sealed class)
|
||||
- Two-factor scoring: Score = (Uncertainty * 50) + (ExploitPressure * 50)
|
||||
- **Uncertainty factors** (sum capped at 1.0):
|
||||
- Missing VEX: +0.40
|
||||
- Missing reachability: +0.30
|
||||
- Conflicting signals: +0.20
|
||||
- Stale evidence: +0.10
|
||||
- **Exploit pressure factors** (sum capped at 1.0):
|
||||
- KEV flagged: +0.50
|
||||
- EPSS >= 0.90: +0.30
|
||||
- EPSS >= 0.50: +0.15
|
||||
- CVSS >= 9.0: +0.05
|
||||
- **Containment reduction** (capped at 40%):
|
||||
- Isolated: 15%, NotNetFacing: 5%, NonRoot: 5%, Seccomp: 10%, FsRO: 10%, NetworkIsolated: 5%
|
||||
- **Time decay**: 7d=100%, 30d=90%, 90d=75%, 180d=60%, 365d=40%, >365d=20%
|
||||
- **Band assignment**: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
|
||||
- **Reason codes**: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown
|
||||
- **BlastRadius model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs`
|
||||
- Dependents (int), NetFacing (bool), Privilege (string?)
|
||||
- **UnknownRankerOptions**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRankerOptions.cs` -- configurable weights and thresholds
|
||||
- **UnknownRankInput**: includes EpssScore, CvssScore, IsKev, ContainmentSignals, LastEvaluatedAt, ReasonCodes
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Rank unknown with missing VEX + KEV flagged; verify score = (0.40*50) + (0.50*50) = 45; band=Warm
|
||||
- [ ] Rank unknown with missing VEX + missing reachability + KEV + EPSS=0.95; verify score = (0.70*50) + (0.80*50) = 75; band=Hot
|
||||
- [ ] Rank unknown with no uncertainty + no exploit pressure; verify score=0; band=Negligible
|
||||
- [ ] Rank unknown with Isolated containment; verify 15% reduction from raw score
|
||||
- [ ] Rank unknown with all containment signals; verify exactly 40% reduction (cap)
|
||||
- [ ] Rank unknown last evaluated 90 days ago; verify decay factor=0.75 applied
|
||||
- [ ] Rank unknown last evaluated 365 days ago; verify decay factor=0.40 applied
|
||||
- [ ] Verify band assignment: score 80 -> Hot, score 55 -> Warm, score 30 -> Cold, score 10 -> Negligible
|
||||
- [ ] Verify reason codes: unknown with VexConflict produces reason=VexConflict
|
||||
- [ ] Verify deterministic ranking: same inputs always produce same score and band
|
||||
Reference in New Issue
Block a user