stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
05da719048687f0d9e2f7e0677e98463dd7985d3
git.stella-ops.org/docs/sbom/remediation-heuristics.md
StellaOps Bot 6bee1fdcf5
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
work
2025-11-25 08:01:23 +02:00

44 lines
2.8 KiB
Markdown
Raw Blame History

# Remediation Heuristics for Advisory AI (DOCS-AIAI-31-008)
_Updated: 2025-11-24 · Owners: Docs Guild · SBOM Service Guild · Sprint 0111_
This note defines the deterministic remediation heuristics Advisory AI applies when SBOM context is present. It aligns with `SBOM-AIAI-31-001` (path/timeline endpoints) and the CLI fixtures shipped in `CLI-VULN-29-001`.
## Inputs
- SBOM context document (schema `stellaops.sbom.context/1.0`), e.g. `out/console/guardrails/cli-vuln-29-001/sample-sbom-context.json` (SHA256 `421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18`).
- Version timelines from `/sbom/versions?artifactId=...` (clamped to 500 entries by default).
- Dependency paths from `/sbom/paths?artifactId=...` (clamped to 200 paths by default).
- Advisory/VEX evidence from Link-Not-Merge (`advisory_observations`, `advisory_linksets`).
## Heuristics (deterministic)
1) **Blast radius score** per package
- `score = (directPaths * 2) + transitivePaths + exposedRuntimeHint`
- `exposedRuntimeHint = 3` when the runtime signal `exposure=external` is present, else `0`.
- Scores are capped at `20` to keep ordering stable.
2) **Fix candidate ranking**
- Prefer vendor fixed versions present in timeline; fall back to highest patch version above current.
- Reject candidates that would **increase** blast radius by adding new transitive edges (>10% increase).
- If no fix exists, emit `advisory.remediation.noFixAvailable` and cite the timeline.
3) **Configuration-only mitigations**
- When VEX status is `not_affected` **and** blast radius score < 5, recommend configuration hardening (feature flags, admission policy) instead of upgrades.
4) **Refusal conditions**
- Missing SBOM context return deterministic remediation with `sbomSummary` counts set to 0 and note `contextUnavailable` in metadata.
- Timeline gaps (non-monotonic dates or hashes) `409 advisory.contextHashMismatch` with the offending hash list.
## Example (offline fixture)
Using `sample-sbom-context.json`:
| Package | Paths | Blast radius | Suggested action |
| --- | --- | --- | --- |
| openssl@1.1.1w | 2 direct, 4 transitive | `(2*2)+4 = 8` | Upgrade to vendor fixed `1.1.1x` (from timeline); verify after replacement. |
| zlib@1.2.11 | 1 direct, 2 transitive | `(1*2)+2 = 4` | Apply VEX `not_affected` justification if available; otherwise patch to `1.2.12`. |
## Operator checklist
- Export SBOM context and hashes into Offline Kit (`offline-kit/advisory-ai/fixtures/sbom-context/`).
- Verify clamps: `timelineClamp=500`, `dependencyPathClamp=200` unless explicitly overridden in `AdvisoryAI:Tasks:Remediation`.
- Record blast-radius scores in audit logs when remediation is generated (helps replay).
- Keep fixtures in sync with CLI guardrail artefact hashes and note any override in sprint Execution Log.
Reference in New Issue View Git Blame Copy Permalink