save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/scanner/epss-change-events-for-reanalysis-triggers.md
+++ b/docs/features/checked/scanner/epss-change-events-for-reanalysis-triggers.md
@@ -0,0 +1,50 @@
+# EPSS Change Events for Reanalysis Triggers
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Deterministic EPSS change events with per-CVE deltas, priority bands, idempotent event IDs, and scan manifests extended with tool versions and evidence digests for policy fingerprinting.
+
+## Implementation Details
+- **EPSS Change Detection**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeDetector.cs` - Detects EPSS score changes per CVE
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeRecord.cs` - Change record model with deltas
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssChangeEvent.cs` - Deterministic change event with idempotent event ID
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs` - Updated event for signal dispatch
+- **EPSS Provider & Caching**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/IEpssProvider.cs` - Interface for EPSS data access
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs` - PostgreSQL-backed EPSS provider
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs` - Cached EPSS provider
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssPriorityBand.cs` - Priority band classification
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssEvidence.cs` - EPSS evidence model
+- **Signal Publishing**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs` - Signal publisher interface
+- **Worker Jobs**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs` - EPSS enrichment job
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - EPSS data ingestion job
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs` - EPSS signal dispatch job
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentStageExecutor.cs` - Stage executor for scan pipeline
+- **API**: `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs` - `EpssEndpoints` with batch lookup, history, and status
+
+## E2E Test Plan
+- [ ] Ingest EPSS data and verify change detection identifies CVEs with score deltas
+- [ ] Verify idempotent event IDs are deterministic for the same CVE/delta combination
+- [ ] Verify priority band classification (critical, high, medium, low) based on EPSS score thresholds
+- [ ] Verify EPSS change events trigger scan reanalysis for affected artifacts
+- [ ] Call `POST /api/v1/epss/batch` with CVE IDs and verify EPSS scores are returned
+- [ ] Call `GET /api/v1/epss/{cveId}/history` and verify EPSS score history with change events
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |