git.stella-ops.org/docs/features/unimplemented/riskengine/exploit-maturity-mapping.md

# Exploit Maturity Mapping
## Status
PARTIALLY_IMPLEMENTED
## Description
No dedicated exploit maturity mapping service was found. The EPSS provider in RiskEngine may partially cover this requirement, since EPSS is one of the maturity signals such a service would consume.
## Module
RiskEngine
## What's Implemented
- **EPSS provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs` (implements `IRiskScoreProvider`)
- **Combined CVSS+KEV+EPSS**: `CvssKevEpssProvider` in the same file
- **Scanner EPSS**: `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs`
- **EPSS API endpoints**: `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs`
- **Golden benchmark corpus**: `src/__Tests/__Benchmarks/golden-corpus/` (includes EPSS/KEV scoring)
- **SBOM vulnerability assessment**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Models/SbomVulnerabilityAssessmentType.cs`
- **Policy-level exploit scoring**: `UnknownRanker` uses `EpssScore` for prioritization
- **Tests**: `src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EpssProviderTests.cs`
## What's Missing
- Dedicated "exploit maturity mapping" service consolidating all maturity signals (EPSS, KEV, in-the-wild reports) into a unified maturity level (e.g., POC/Active/Weaponized)
- Exploit maturity lifecycle tracking over time
- Integration of in-the-wild exploitation reports beyond KEV
## Implementation Plan
- Create unified exploit maturity service that combines EPSS, KEV, and in-the-wild signals
- Define maturity level taxonomy (POC/Active/Weaponized)
- Expose maturity level in finding detail UI
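The following sketch shows one way the missing pieces above could fit together: a maturity taxonomy, a mapper that folds EPSS, KEV and in-the-wild signals into a single level, and a ratchet for lifecycle tracking. It is an added illustration written for this page, not code from the StellaOps repository; the type names (`ExploitMaturity`, `MaturitySignals`, `ExploitMaturityMapper`), the EPSS thresholds, the rule that KEV plus an independent in-the-wild report counts as "Weaponized", and the sample finding IDs are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not StellaOps code. Taxonomy follows the plan above
// (POC/Active/Weaponized); "None" is added for findings with no exploit signal.
public enum ExploitMaturity { None, Poc, Active, Weaponized }

// Inputs the unified service would consolidate. Field names are assumptions.
public sealed record MaturitySignals(
    double? EpssScore,          // EPSS probability in [0,1]; null when the feed has no entry
    bool InKev,                 // listed in CISA KEV
    bool InTheWildReport,       // exploitation reported by a source other than KEV
    bool PublicPocAvailable);   // a public proof-of-concept is known to exist

public static class ExploitMaturityMapper
{
    // Assumed thresholds; a real deployment would calibrate them against the
    // golden benchmark corpus rather than hard-coding them.
    public const double ActiveEpssThreshold = 0.7;
    public const double PocEpssThreshold = 0.1;

    // Strongest evidence wins. Direct observation of exploitation (KEV or an
    // in-the-wild report) outranks the EPSS estimate; EPSS alone can only raise
    // a finding to Active, never to Weaponized.
    public static ExploitMaturity Map(MaturitySignals s)
    {
        if (s.InKev && s.InTheWildReport) return ExploitMaturity.Weaponized; // assumed rule
        if (s.InKev || s.InTheWildReport) return ExploitMaturity.Active;
        if (s.EpssScore >= ActiveEpssThreshold) return ExploitMaturity.Active;   // false when null
        if (s.PublicPocAvailable || s.EpssScore >= PocEpssThreshold) return ExploitMaturity.Poc;
        return ExploitMaturity.None;
    }

    // Lifecycle tracking: one common policy is that maturity only ratchets
    // upward, so a later observation with weaker signals (for example an EPSS
    // score that decayed) does not silently downgrade a finding.
    public static ExploitMaturity Ratchet(ExploitMaturity previous, ExploitMaturity current)
        => current > previous ? current : previous;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample findings; the IDs are placeholders, not real CVEs.
        var samples = new Dictionary<string, MaturitySignals>
        {
            ["FINDING-A"] = new(EpssScore: 0.02, InKev: false, InTheWildReport: false, PublicPocAvailable: false),
            ["FINDING-B"] = new(EpssScore: 0.15, InKev: false, InTheWildReport: false, PublicPocAvailable: true),
            ["FINDING-C"] = new(EpssScore: 0.85, InKev: false, InTheWildReport: false, PublicPocAvailable: false),
            ["FINDING-D"] = new(EpssScore: 0.40, InKev: true,  InTheWildReport: false, PublicPocAvailable: false),
            ["FINDING-E"] = new(EpssScore: null, InKev: true,  InTheWildReport: true,  PublicPocAvailable: true),
        };

        foreach (var (id, signals) in samples)
            Console.WriteLine($"{id}: {ExploitMaturityMapper.Map(signals)}");

        // Lifecycle: a finding that was Active yesterday stays Active even if
        // today's signals alone would only map to Poc.
        var yesterday = ExploitMaturity.Active;
        var today = ExploitMaturityMapper.Map(new(0.12, false, false, true));
        Console.WriteLine($"FINDING-C over time: {ExploitMaturityMapper.Ratchet(yesterday, today)}");
    }
}
```

The ordering of the checks is the substantive design decision: because KEV and in-the-wild reports are observations while EPSS is a forecast, observed exploitation is checked first and EPSS is only consulted when nothing has been observed. The `Ratchet` helper is what makes "maturity lifecycle tracking over time" more than re-running the mapper on each scan.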
## Source
- Feature matrix scan