git.stella-ops.org/docs/features/unimplemented/riskengine/exploit-maturity-mapping.md

Exploit Maturity Mapping

Status

PARTIALLY_IMPLEMENTED

Description

No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this.

Module

RiskEngine

What's Implemented

  • EPSS provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs (implements IRiskScoreProvider)
  • Combined CVSS+KEV+EPSS: CvssKevEpssProvider in the same file
  • Scanner EPSS: src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs
  • EPSS API endpoints: src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs
  • Golden benchmark corpus: src/__Tests/__Benchmarks/golden-corpus/ (includes EPSS/KEV scoring)
  • SBOM vulnerability assessment: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Models/SbomVulnerabilityAssessmentType.cs
  • Policy-level exploit scoring: UnknownRanker uses EpssScore for prioritization
  • Tests: src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EpssProviderTests.cs

What's Missing

  • Dedicated "exploit maturity mapping" service consolidating all maturity signals (EPSS, KEV, in-the-wild reports) into a unified maturity level (e.g., POC/Active/Weaponized)
  • Exploit maturity lifecycle tracking over time
  • Integration of in-the-wild exploitation reports beyond KEV

Implementation Plan

  • Create unified exploit maturity service that combines EPSS, KEV, and in-the-wild signals
  • Define maturity level taxonomy (POC/Active/Weaponized)
  • Expose maturity level in finding detail UI
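As an added illustration of the first two plan items (and of the lifecycle tracking listed under What's Missing), the following C# sketch is not StellaOps code and does not implement the project's IRiskScoreProvider: it is a stand-alone mapper that folds EPSS, KEV and in-the-wild report signals into one of the POC/Active/Weaponized levels, plus a small timeline that records level changes per CVE. The ExploitSignals record, the thresholds (EPSS 0.50 for Active, 0.90 for Weaponized, three independent in-the-wild reports for Weaponized), the placeholder CVE id and the sample inputs are all assumptions constructed for the example.

```csharp
// Added example, not StellaOps code. Maps exploit signals to a single maturity level
// and tracks how that level changes over time. All thresholds are assumptions.
using System;
using System.Collections.Generic;

public enum ExploitMaturity
{
    None = 0,       // no public exploit signal at all
    Poc = 1,        // proof-of-concept code is public, no exploitation observed
    Active = 2,     // exploitation observed in the wild (KEV entry or a report)
    Weaponized = 3  // exploitation is broad or automated (many reports / very high EPSS)
}

// Hypothetical input shape; a real service would hydrate this from the EPSS/KEV providers.
public sealed record ExploitSignals(
    string CveId,
    double? EpssScore,           // EPSS probability in [0,1]; null when EPSS has no entry
    bool InKev,                  // listed in CISA KEV
    bool PublicPocAvailable,     // a public proof-of-concept was indexed
    int InTheWildReportCount);   // in-the-wild exploitation reports beyond KEV

public static class ExploitMaturityMapper
{
    // Assumed thresholds; a production service would make these configurable and versioned,
    // so that a change in policy is distinguishable from a change in the underlying signals.
    private const double ActiveEpssThreshold = 0.50;
    private const double WeaponizedEpssThreshold = 0.90;
    private const int WeaponizedReportCount = 3;

    public static ExploitMaturity Map(ExploitSignals s)
    {
        // Reject malformed feed data instead of silently treating it as "no signal".
        if (s.EpssScore is < 0.0 or > 1.0)
            throw new ArgumentOutOfRangeException(nameof(s.EpssScore), "EPSS must be in [0,1]");

        double epss = s.EpssScore ?? 0.0; // missing EPSS contributes no evidence

        bool weaponized = (s.InKev && s.InTheWildReportCount >= WeaponizedReportCount)
                          || epss >= WeaponizedEpssThreshold;
        if (weaponized) return ExploitMaturity.Weaponized;

        // KEV alone is sufficient for Active: it is an observation, not a prediction.
        bool active = s.InKev || s.InTheWildReportCount > 0 || epss >= ActiveEpssThreshold;
        if (active) return ExploitMaturity.Active;

        return s.PublicPocAvailable ? ExploitMaturity.Poc : ExploitMaturity.None;
    }
}

// Lifecycle tracking: keeps the per-CVE sequence of observed levels so that escalations
// (Poc -> Active, Active -> Weaponized) become explicit events rather than silent changes.
public sealed class MaturityTimeline
{
    private readonly Dictionary<string, List<(DateTimeOffset At, ExploitMaturity Level)>> _history = new();

    // Returns true when the recorded level is higher than the previous one for this CVE.
    public bool Record(string cveId, ExploitMaturity level, DateTimeOffset at)
    {
        if (!_history.TryGetValue(cveId, out var entries))
        {
            entries = new();
            _history[cveId] = entries;
        }
        var previous = entries.Count == 0 ? ExploitMaturity.None : entries[^1].Level;
        entries.Add((at, level));
        return level > previous;
    }

    public IReadOnlyList<(DateTimeOffset At, ExploitMaturity Level)> History(string cveId)
        => _history.TryGetValue(cveId, out var e)
            ? e
            : Array.Empty<(DateTimeOffset At, ExploitMaturity Level)>();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a placeholder CVE id whose signals change across three scans.
        const string cve = "CVE-0000-00001";
        var timeline = new MaturityTimeline();
        var scans = new[]
        {
            (When: new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero),
             Signals: new ExploitSignals(cve, 0.05, InKev: false, PublicPocAvailable: true, InTheWildReportCount: 0)),
            (When: new DateTimeOffset(2024, 1, 8, 0, 0, 0, TimeSpan.Zero),
             Signals: new ExploitSignals(cve, 0.35, InKev: true, PublicPocAvailable: true, InTheWildReportCount: 1)),
            (When: new DateTimeOffset(2024, 1, 15, 0, 0, 0, TimeSpan.Zero),
             Signals: new ExploitSignals(cve, 0.92, InKev: true, PublicPocAvailable: true, InTheWildReportCount: 4)),
        };

        foreach (var scan in scans)
        {
            var level = ExploitMaturityMapper.Map(scan.Signals);
            bool escalated = timeline.Record(cve, level, scan.When);
            Console.WriteLine($"{scan.When:yyyy-MM-dd} {cve} -> {level}{(escalated ? " (escalated)" : "")}");
        }
        // Expected sequence for the constructed input: Poc, Active, Weaponized, each an escalation.
    }
}
```

The design choice worth noting is that KEV is treated as an observation and EPSS as a prediction: a KEV entry alone reaches Active regardless of the EPSS value, while EPSS alone has to be very high before it can push a finding to Weaponized. Keeping the timeline separate from the mapper lets the UI show both the current level and when it last changed.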

Source

  • Feature matrix scan