# EPSS Signal-Ready Layer (Tenant-Scoped Actionable Events)

## Module

Feedser

## Status

VERIFIED

## Description

EPSS signal emission pipeline with change detection, signal flow integration, and signal attaching to risk evaluations. EPSS evidence feeds into the policy determinization scoring system.

## Implementation Details

- **EPSS Signal Attacher**: `src/Feedser/StellaOps.Feedser.Core/Signals/EpssSignalAttacher.cs` (implements `ISignalAttacher`) -- attaches EPSS probability scores to findings as risk signals, enabling downstream policy evaluation and scoring.
- **KEV Signal Attacher**: `src/Feedser/StellaOps.Feedser.Core/Signals/KevSignalAttacher.cs` (implements `ISignalAttacher`) -- attaches CISA Known Exploited Vulnerabilities (KEV) status signals to findings.
- **Signal Attacher Interface**: `src/Feedser/StellaOps.Feedser.Core/Signals/ISignalAttacher.cs` -- contract for signal attachment implementations.
- **Signal DI Extensions**: `src/Feedser/StellaOps.Feedser.Core/Signals/SignalAttacherServiceExtensions.cs` -- registers `EpssSignalAttacher` and `KevSignalAttacher` in the DI container.
- **Function Signature Extractor**: `src/Feedser/StellaOps.Feedser.Core/FunctionSignatureExtractor.cs` -- extracts function signatures from patch data for vulnerability correlation.
- **Hunk Signature Extractor**: `src/Feedser/StellaOps.Feedser.Core/HunkSigExtractor.cs` -- extracts patch hunk signatures for binary-level vulnerability matching.
- **Patch Signature Model**: `src/Feedser/StellaOps.Feedser.Core/Models/PatchSignature.cs` -- model for extracted patch signatures.
- **Binary Fingerprinting**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/BinaryFingerprintFactory.cs` -- factory for creating binary fingerprints using multiple strategies.
- **Fingerprinters**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/Fingerprinters/InstructionHashFingerprinter.cs` (instruction-level hashing), `SimplifiedTlshFingerprinter.cs` (TLSH fuzzy hashing).
- **Binary Fingerprint Model**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/Models/BinaryFingerprint.cs` -- model for binary fingerprint data.
- **Tests**: `src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/Signals/EpssSignalAttacherTests.cs`, `src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/FunctionSignatureExtractorTests.cs`, `HunkSigExtractorTests.cs`; `src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/BinaryFingerprintTests.cs`

## E2E Test Plan

- [x] Attach an EPSS signal to a finding via `EpssSignalAttacher` and verify the EPSS probability score is available in the finding's signal set
- [x] Attach a KEV signal and verify the finding is marked as a known exploited vulnerability
- [x] Verify signal change detection: attach an EPSS signal, update the EPSS score, and confirm only the changed signal triggers a re-evaluation event
- [x] Extract function signatures from a patch file and verify they match expected signatures for the patched functions
- [x] Generate a binary fingerprint using `InstructionHashFingerprinter` and verify it produces a deterministic hash for the same binary input
- [x] Generate a TLSH fingerprint via `SimplifiedTlshFingerprinter` and verify it produces a similarity-preserving hash that detects near-duplicate binaries

## Verification

- **Verified**: 2026-02-11
- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d integration replay
- **Build/Test**: PASS
  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo`
  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo`
- **Tests**: 102/102 passing
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier0-source-check.json`
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier1-build-check.json`
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier2-integration-check.json`

## Recheck (Run-002)

- **Rechecked**: 2026-02-11
- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line harness replay
- **Build/Test**: PASS
  - `dotnet build src/Feedser/StellaOps.Feedser.Core/StellaOps.Feedser.Core.csproj -c Release --nologo`
  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo`
  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo`
- **Tests**: 107/107 passing (includes new `KevSignalAttacher` coverage)
- **Tier 2 Behavior**:
  - Positive path: EPSS/KEV lookups return available signals for known CVEs.
  - Negative path: EPSS returns `NotFound` and KEV returns `IsInKev=false` for unknown CVEs.
  - Determinism path: repeated hunk/fingerprint extraction yields identical hashes and fingerprint values.
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier0-source-check.json`
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier1-build-check.json`
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier2-integration-check.json`
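The change-detection step in the E2E plan and the positive/negative paths in the Tier 2 behavior above are illustrated by the following self-contained C# sketch. It is an added example, not Feedser's own `ISignalAttacher`, `EpssSignalAttacher` or `KevSignalAttacher` code: the `IDemoSignalAttacher` contract, the `RiskSignal`/`Finding` types, the `Demo` prefix on the class names, and the EPSS scores and CVE identifiers in the sample data are all assumptions made for this illustration. The point it demonstrates is that a re-attach only reports the signals whose value actually changed, so a downstream re-evaluation event fires once per changed signal rather than once per lookup, and that an unknown CVE yields no EPSS signal but an explicit `IsInKev=false`.

```csharp
// Added example (not Feedser project code). Types, names and sample data are
// assumptions for illustration; only the behaviour described in the test plan
// (signal attachment, change detection, NotFound / IsInKev=false) is modelled.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// A signal attached to a finding. Record equality gives value comparison for free.
public sealed record RiskSignal(string Source, string Key, string Value);

public sealed class Finding
{
    public Finding(string cveId) => CveId = cveId;
    public string CveId { get; }
    // Keyed by "Source:Key" so re-attaching replaces instead of duplicating.
    public Dictionary<string, RiskSignal> Signals { get; } = new();
}

// Assumed contract: an attacher returns only the signals that changed on this call.
public interface IDemoSignalAttacher
{
    IReadOnlyList<RiskSignal> Attach(Finding finding);
}

// Change detection shared by all attachers: a signal whose value is unchanged
// is not reported, so the caller raises a re-evaluation event only for real changes.
public static class SignalChangeDetector
{
    public static IReadOnlyList<RiskSignal> Apply(Finding finding, RiskSignal signal)
    {
        var id = $"{signal.Source}:{signal.Key}";
        if (finding.Signals.TryGetValue(id, out var existing) && existing == signal)
            return Array.Empty<RiskSignal>();
        finding.Signals[id] = signal;
        return new[] { signal };
    }
}

// EPSS: the score table stands in for a feed lookup; a missing CVE is NotFound
// and attaches nothing (negative path).
public sealed class DemoEpssSignalAttacher : IDemoSignalAttacher
{
    private readonly Dictionary<string, double> _scores;
    public DemoEpssSignalAttacher(Dictionary<string, double> scores) => _scores = scores;

    public IReadOnlyList<RiskSignal> Attach(Finding finding)
    {
        if (!_scores.TryGetValue(finding.CveId, out var probability))
            return Array.Empty<RiskSignal>();
        var value = probability.ToString("0.000", CultureInfo.InvariantCulture);
        return SignalChangeDetector.Apply(finding, new RiskSignal("EPSS", "probability", value));
    }
}

// KEV: unknown CVEs still get an explicit IsInKev=false so policy can rely on it.
public sealed class DemoKevSignalAttacher : IDemoSignalAttacher
{
    private readonly HashSet<string> _kev;
    public DemoKevSignalAttacher(IEnumerable<string> kevCves) =>
        _kev = new HashSet<string>(kevCves, StringComparer.OrdinalIgnoreCase);

    public IReadOnlyList<RiskSignal> Attach(Finding finding)
    {
        var inKev = _kev.Contains(finding.CveId) ? "true" : "false";
        return SignalChangeDetector.Apply(finding, new RiskSignal("KEV", "IsInKev", inKev));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; the CVE ids and scores are placeholders.
        var epssScores = new Dictionary<string, double> { ["CVE-0000-0001"] = 0.42 };
        var attachers = new IDemoSignalAttacher[]
        {
            new DemoEpssSignalAttacher(epssScores),
            new DemoKevSignalAttacher(new[] { "CVE-0000-0001" }),
        };

        // Pass 1: both signals are new, so both would trigger re-evaluation.
        var finding = new Finding("CVE-0000-0001");
        var changed = attachers.SelectMany(a => a.Attach(finding)).ToList();
        Console.WriteLine($"pass 1 changed: {string.Join(",", changed.Select(s => s.Source))}");

        // Pass 2: EPSS score updated, KEV unchanged -> only EPSS is reported.
        epssScores["CVE-0000-0001"] = 0.87;
        changed = attachers.SelectMany(a => a.Attach(finding)).ToList();
        Console.WriteLine($"pass 2 changed: {string.Join(",", changed.Select(s => s.Source))}");

        // Negative path: unknown CVE -> no EPSS signal, KEV IsInKev=false.
        var unknown = new Finding("CVE-0000-9999");
        changed = attachers.SelectMany(a => a.Attach(unknown)).ToList();
        Console.WriteLine($"unknown: {string.Join(",", changed.Select(s => $"{s.Source}:{s.Key}={s.Value}"))}");
    }
}
```

Compile it as a console project (`dotnet new console`, replace `Program.cs`, `dotnet run`). The first pass reports `EPSS,KEV`, the second only `EPSS`, and the unknown CVE reports only `KEV:IsInKev=false`, which is the distinction the change-detection and negative-path checks above are verifying.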