# CVSS + KEV Risk Signal Combination

## Module

RiskEngine

## Status

VERIFIED

## Description

Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula: `clamp01((cvss/10) + kevBonus)`, where `kevBonus = 0.2` if the vulnerability is KEV-listed and `0` otherwise. Uses `Math.Round(..., 6, MidpointRounding.ToEven)` for determinism.

## Implementation Details

- **CVSS+KEV Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs` -- implements `IRiskScoreProvider`. Combines CVSS base scores with CISA KEV catalog data. KEV-listed vulnerabilities receive a +0.2 risk boost. Deterministic rounding.
- **Risk Score Provider Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs` -- `IRiskScoreProvider` interface (`Name`, `ScoreAsync`) and `IRiskScoreProviderRegistry` with an in-memory dictionary implementation.
- **CVSS+KEV Sources Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs` -- `ICvssSource` (returns `double?`, CVSS 0-10) and `IKevSource` (returns `bool?`). Includes null-object implementations.
- **VEX Gate Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs` -- implements `IRiskScoreProvider`. Short-circuits to `0d` when a `HasDenial` signal with value `>= 1` is present; otherwise returns the maximum of the remaining signals, clamped to [0,1].
- **Fix Exposure Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs` -- weighted formula: `0.5 * FixAvailability + 0.3 * Criticality + 0.2 * Exposure`. Missing signals default to 0.
- **Fix Chain Risk Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs` (349 lines) -- implements both `IRiskScoreProvider` and `IFixChainRiskProvider`. Computes a risk adjustment based on fix verification status and confidence. Configurable via `FixChainRiskOptions`.
- **Fix Chain Attestation Client**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs` (253 lines) -- HTTP-based client with `IMemoryCache` integration, positive/negative caching, and JSON deserialization.
- **Fix Chain Metrics/Display**: `FixChainRiskMetrics.cs` (OpenTelemetry counters/histograms), `FixChainRiskDisplay.cs` (badge, tooltip, summary).
- **Default Transforms Provider**: `DefaultTransformsProvider.cs` -- signal clamping and averaging with deterministic ordering.
- **Score Request/Result**: `ScoreRequest.cs`, `RiskScoreResult.cs` -- request/response models.
- **Risk Score Worker/Queue**: `RiskScoreWorker.cs` (background worker), `RiskScoreQueue.cs` (Channel-based FIFO queue with bounded/unbounded options).

## E2E Test Plan

- [x] Submit a score request for a CVE with CVSS 7.5 listed in KEV and verify the combined risk score is higher than CVSS alone
- [x] Submit the same CVSS score without KEV and verify no KEV boost is applied
- [x] VEX gate: submit a KEV-listed CVE with VEX "not_affected" and verify `VexGateProvider` reduces the score
- [x] Fix chain: submit a CVE with a verified fix attestation and verify `FixChainRiskProvider` reduces the score
- [x] Determinism: compute the same risk score multiple times and verify bit-for-bit identical results
- [x] Verify the risk score worker processes queued requests and stores results

## Verification

- **Verified**: 2026-02-10
- **Method**: Tier 1 code review + Tier 2d test verification
- **Build**: Core and Infrastructure projects build cleanly (0 errors, 0 warnings). Worker/WebService have deprecation notices but compile.
- **Tests**: 44+ tests covering this feature across 4 test files (UnitTest1/RiskScoreWorkerTests: 17, RiskEngineApiTests: 4, FixChainRiskProviderTests: 13, FixChainRiskIntegrationTests: 10). All 55/55 module tests pass.
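## Worked Example

The three scoring formulas described in the Description and Implementation Details sections (the CVSS+KEV combination with deterministic rounding, the VEX gate short-circuit, and the fix-exposure weighting), together with the bit-for-bit determinism check from the E2E test plan, as an added stand-alone example. This is illustrative code written for this page, not the StellaOps project's own `CvssKevProvider`, `VexGateProvider` or `FixExposureProvider`; the method names, the `IReadOnlyDictionary<string, double>` signal shape, and the handling of a `null` CVSS lookup as 0 and an unknown KEV status as "not listed" are assumptions.

```csharp
// Added example for this page: a stand-alone re-implementation of the scoring
// formulas described above. Not the StellaOps project's own providers; the
// method names, signal dictionary shape and null handling are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public static class RiskFormulas
{
    // Deterministic rounding as the page describes: 6 decimals, banker's rounding.
    // This also absorbs floating-point noise such as 0.75 + 0.2 != the double 0.95.
    public static double Round6(double value) =>
        Math.Round(value, 6, MidpointRounding.ToEven);

    public static double Clamp01(double value) => Math.Clamp(value, 0d, 1d);

    // CVSS+KEV: clamp01((cvss/10) + kevBonus), kevBonus = 0.2 when KEV-listed.
    // ICvssSource returns double? and IKevSource returns bool?; treating a missing
    // CVSS as 0 and an unknown KEV status as "not listed" is an assumption here.
    public static double CvssKev(double? cvss, bool? kevListed)
    {
        double baseScore = (cvss ?? 0d) / 10d;
        double kevBonus = kevListed == true ? 0.2 : 0d;
        return Round6(Clamp01(baseScore + kevBonus));
    }

    // VEX gate: a HasDenial signal >= 1 short-circuits to 0; otherwise the
    // maximum of the remaining signals, clamped to [0,1].
    public static double VexGate(IReadOnlyDictionary<string, double> signals)
    {
        if (signals.TryGetValue("HasDenial", out double denial) && denial >= 1d)
            return 0d;

        var remaining = signals.Where(kv => kv.Key != "HasDenial")
                               .Select(kv => kv.Value)
                               .ToList();
        return remaining.Count == 0 ? 0d : Clamp01(remaining.Max());
    }

    // Fix exposure: 0.5 * FixAvailability + 0.3 * Criticality + 0.2 * Exposure,
    // with any missing signal defaulting to 0.
    public static double FixExposure(IReadOnlyDictionary<string, double> signals)
    {
        double Get(string key) => signals.TryGetValue(key, out double v) ? v : 0d;
        return Round6(0.5 * Get("FixAvailability")
                    + 0.3 * Get("Criticality")
                    + 0.2 * Get("Exposure"));
    }

    // Bit-for-bit determinism check mirroring the E2E test item: identical inputs
    // must produce an identical IEEE-754 bit pattern, not merely "close" values.
    public static bool IsBitIdentical(double a, double b) =>
        BitConverter.DoubleToInt64Bits(a) == BitConverter.DoubleToInt64Bits(b);

    public static void Main()
    {
        // Constructed sample inputs, not data from the page's test suite.
        Console.WriteLine($"CVSS 7.5, KEV-listed     : {CvssKev(7.5, true)}");
        Console.WriteLine($"CVSS 7.5, not in KEV     : {CvssKev(7.5, false)}");
        Console.WriteLine($"CVSS 9.8, KEV-listed     : {CvssKev(9.8, true)}");
        Console.WriteLine($"CVSS unknown, KEV-listed : {CvssKev(null, true)}");

        var denied  = new Dictionary<string, double> { ["CvssKev"] = 0.95, ["HasDenial"] = 1 };
        var allowed = new Dictionary<string, double> { ["CvssKev"] = 0.95, ["HasDenial"] = 0 };
        Console.WriteLine($"VEX gate, denial present : {VexGate(denied)}");
        Console.WriteLine($"VEX gate, no denial      : {VexGate(allowed)}");

        var fix = new Dictionary<string, double> { ["FixAvailability"] = 1.0, ["Criticality"] = 0.5 };
        Console.WriteLine($"Fix exposure, no Exposure signal: {FixExposure(fix)}");

        Console.WriteLine($"Bit-identical on repeat  : {IsBitIdentical(CvssKev(7.5, true), CvssKev(7.5, true))}");
    }
}
```

Working through the arithmetic: CVSS 7.5 in KEV gives 0.75 + 0.2 = 0.95 and the same score outside KEV gives 0.75, which is the "higher than CVSS alone" check in the test plan; CVSS 9.8 in KEV would be 1.18 and is clamped to 1, so the KEV bonus cannot push a score outside [0,1]. The `Round6` step matters for the determinism item: the raw sum `0.75 + 0.2` is not the same double as the literal `0.95`, and rounding to six decimals with `MidpointRounding.ToEven` maps both to one canonical value, so repeated computations compare bit-for-bit equal rather than only within an epsilon.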