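---
# StellaOps Score Policy Configuration
# Policy version: score.v1
#
# This file defines deterministic vulnerability scoring weights, buckets, and overrides.
# All weight values are in basis points (bps), where 10000 = 100%.
# The weightsBps values must sum to exactly 10000.
policyVersion: score.v1

# Weight distribution for score calculation (in basis points, sum = 10000).
# Current split: 1000 + 4500 + 3000 + 1500 = 10000.
weightsBps:
  baseSeverity: 1000  # 10% - Base CVSS/severity score contribution
  reachability: 4500  # 45% - Reachability analysis contribution
  evidence: 3000      # 30% - Evidence/proof contribution
  provenance: 1500    # 15% - Supply chain provenance contribution

# Reachability scoring configuration
reachability:
  # Hop bucket scoring: score decreases as number of hops increases.
  # Buckets are listed in ascending maxHops order; the final bucket
  # (maxHops: 9999) is the catch-all for any hop count above 10.
  hopBuckets:
    - maxHops: 0  # Direct call to vulnerable function
      score: 100
    - maxHops: 1  # 1 hop away
      score: 90
    - maxHops: 3  # 2-3 hops away
      score: 70
    - maxHops: 5  # 4-5 hops away
      score: 50
    - maxHops: 10  # 6-10 hops away
      score: 30
    - maxHops: 9999  # > 10 hops
      score: 10

  # Score when vulnerability is confirmed unreachable
  unreachableScore: 0

  # Gate multipliers reduce effective score when protective gates are detected.
  # Values in basis points (10000 = 100%, no reduction).
  # NOTE(review): whether several detected gates compound (multiply) or only the
  # strongest one applies is decided by the evaluator, not by this file — confirm.
  gateMultipliersBps:
    featureFlag: 7000      # Behind feature flag (30% reduction)
    authRequired: 8000     # Requires authentication (20% reduction)
    adminOnly: 8500        # Admin-only access (15% reduction)
    nonDefaultConfig: 7500 # Requires non-default configuration (25% reduction)

# Evidence scoring configuration
evidence:
  # Points awarded for different evidence types (0-100)
  points:
    runtime: 60  # Runtime/dynamic evidence (highest value)
    dast: 30     # Dynamic Application Security Testing
    sast: 20     # Static Application Security Testing
    sca: 10      # Software Composition Analysis (baseline)

  # Evidence freshness decay buckets.
  # multiplierBps: how much of evidence value to apply based on age.
  # Buckets are listed in ascending maxAgeDays order; the final bucket
  # (maxAgeDays: 9999) is the catch-all for evidence older than one year.
  freshnessBuckets:
    - maxAgeDays: 7  # Fresh evidence (0-7 days): full value
      multiplierBps: 10000
    - maxAgeDays: 30  # Recent evidence (8-30 days): 90% value
      multiplierBps: 9000
    - maxAgeDays: 90  # Moderate age (31-90 days): 70% value
      multiplierBps: 7000
    - maxAgeDays: 180  # Aging evidence (91-180 days): 50% value
      multiplierBps: 5000
    - maxAgeDays: 365  # Old evidence (181-365 days): 30% value
      multiplierBps: 3000
    - maxAgeDays: 9999  # Stale evidence (> 1 year): 10% value
      multiplierBps: 1000

# Provenance scoring configuration
provenance:
  # Scores for different provenance levels (0-100)
  levels:
    unsigned: 0                         # No signature
    signed: 30                          # Signed artifact
    signedWithSbom: 60                  # Signed with SBOM
    signedWithSbomAndAttestations: 80   # Signed with SBOM and attestations
    reproducible: 100                   # Fully reproducible build

# Score overrides for special conditions.
# Overrides are evaluated in order; first matching rule applies, so a finding
# that satisfies several rules only receives the first rule's clamp.
# NOTE(review): a critical, KEV-listed finding with reachability 0 matches
# critical-minimum before kev-boost and so gets a floor of 25 rather than 70 —
# confirm this precedence is intended, or list kev-boost first.
# Each `when` block lists the conditions a finding must meet; presumably every
# listed condition must hold (AND) — verify against the evaluator.
overrides:
  # Example: Clamp maximum score for behind feature flags with low reachability
  - name: feature-flag-unreachable
    when:
      flags:
        featureFlag: true
      maxReachability: 20
    clampMaxScore: 30

  # Example: Minimum score for critical vulnerabilities even if unreachable
  - name: critical-minimum
    when:
      flags:
        isCritical: true
      maxReachability: 0
    clampMinScore: 25

  # Example: Override for known exploited vulnerabilities (KEV)
  - name: kev-boost
    when:
      flags:
        isKev: true
    clampMinScore: 70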