stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/checked/policy/cve-aware-release-policy-gates.md
master 9ca2de05df more features checks. setup improvements
2026-02-13 02:04:55 +02:00

4.3 KiB
Raw Permalink Blame History

CVE-Aware Release Policy Gates (EPSS/KEV/Reachable/Delta/Aggregate)

Module

Policy

Status

VERIFIED

Description

Five specialized CVE-aware policy gates (EpssThresholdGate, KevBlockerGate, ReachableCveGate, CveDeltaGate, ReleaseAggregateCveGate) that use real-time EPSS scores, KEV catalog membership, reachability status, and cross-release delta to make gate decisions. Distinct from existing generic "CVSS Threshold Gate" or "EPSS Threshold Policy Gate" because these are an integrated multi-gate system with OPA/Rego support.

Implementation Details

  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs -- orchestrates multi-gate evaluation
    • Evaluates gates in sequence: Evidence -> Lattice State -> VEX Trust -> Uncertainty Tier -> Confidence
    • Short-circuits on first Block; accumulates warnings from non-blocking gates
    • Override support with justification requirement
  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs -- VEX trust-based gate with per-environment thresholds
    • VexTrustGateOptions: per-environment VexTrustThresholds with MinCompositeScore and RequireIssuerVerified
    • MissingTrustBehavior: Block, Warn, or Allow when trust data absent
    • Trust tiers: VeryHigh >= 0.9, High >= 0.7, Medium >= 0.5, Low >= 0.3, VeryLow < 0.3
  • DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs -- drift-based gate for cross-release delta
    • DriftGateOptions: configurable via DriftGateContext
  • StabilityDampingGate: src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs -- stability damping for flapping prevention
    • StabilityDampingOptions: configurable damping parameters
  • PolicyGateDecision Model: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs
    • Decision types: Allow, Warn, Block
    • Contains: GateId, Subject (VulnId/Purl/SymbolId/ScanId), Evidence (LatticeState/UncertaintyTier/GraphHash/RiskScore/Confidence), Gates array, Advisory, BlockedBy, BlockReason, Suggestion
  • Reachability Lattice States: U (Unknown), SR (StaticallyReachable), SU (StaticallyUnreachable), RO (RuntimeObserved), RU (RuntimeUnobserved), CR (ConfirmedReachable), CU (ConfirmedUnreachable), X (Contested)
  • Uncertainty Tiers: T1 (High), T2 (Medium), T3 (Low), T4 (Negligible)
  • UnknownRanker Integration: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs -- exploit pressure factors (KEV +0.50, EPSS >= 0.90 +0.30, EPSS >= 0.50 +0.15, CVSS >= 9.0 +0.05)
  • Scoring Integration: src/Policy/StellaOps.Policy.Engine/Scoring/ -- profile-aware scoring with EPSS/CVSS/KEV inputs
  • Gate Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/PolicyDecisionEndpoint.cs -- REST API for gate evaluation

E2E Test Plan

  • Evaluate gate for not_affected with CU lattice state and T4 uncertainty; verify Allow decision
  • Evaluate gate for not_affected with CR lattice state; verify Block with suggestion to submit unreachability evidence
  • Evaluate gate for not_affected with missing graphHash; verify Block by EvidenceCompleteness gate
  • Evaluate gate with VEX trust score below production threshold; verify Block by VexTrust gate
  • Evaluate gate with VEX trust score above threshold but signature unverified; verify Block when RequireIssuerVerified=true
  • Evaluate gate with T1 uncertainty for not_affected and BlockT1ForNotAffected=true; verify Block by UncertaintyTier gate
  • Evaluate gate with KEV finding using UnknownRanker; verify exploit pressure includes +0.50 KEV factor
  • Evaluate gate with EPSS=0.95; verify exploit pressure includes +0.30 EPSS factor
  • Evaluate gate with override and valid justification; verify Block overridden to Warn with advisory
  • Evaluate gate with Contested (X) lattice state for not_affected; verify Block with suggestion to resolve through triage

Verification

  • Run ID: run-002
  • Date: 2026-02-12
  • Tests: 52 targeted gate tests passed (26 PolicyGateEvaluatorTests + 26 CveAwareReleasePolicyGatesDeepTests)
  • Bugs Fixed: 2 test compilation errors in CveAwareReleasePolicyGatesDeepTests.cs (FluentAssertions .Or syntax, read-only property assignment)
  • Evidence: docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/