stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
2170a58734104fa86d3aa906cbfaf583d30104c8
git.stella-ops.org/docs/policy/scoring-profiles.md
master 2170a58734
Some checks failed
Lighthouse CI / Lighthouse Audit (push) Waiting to run
Details
Lighthouse CI / Axe Accessibility Audit (push) Waiting to run
Details
Manifest Integrity / Validate Schema Integrity (push) Waiting to run
Details
Manifest Integrity / Validate Contract Documents (push) Waiting to run
Details
Manifest Integrity / Validate Pack Fixtures (push) Waiting to run
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Waiting to run
Details
Manifest Integrity / Verify Merkle Roots (push) Waiting to run
Details
Policy Lint & Smoke / policy-lint (push) Waiting to run
Details
Policy Simulation / policy-simulate (push) Waiting to run
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories 
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
2025-12-16 16:40:44 +02:00

5.6 KiB
Raw Blame History

Scoring Profiles

Sprint: SPRINT_3407_0001_0001
Task: PROF-3407-014
Last Updated: 2025-12-16

Overview

StellaOps supports multiple scoring profiles to accommodate different customer needs, from simple transparent scoring to advanced entropy-based analysis. Scoring profiles determine how vulnerability findings are evaluated and scored.

Available Profiles

Simple Profile

The Simple profile uses a transparent 4-factor basis-points weighted formula:

riskScore = (wB × B + wR × R + wE × E + wP × P) / 10000

Where:

  • B (Base Severity): CVSS score × 10 (0-100 range)
  • R (Reachability): Hop-based score with gate multipliers
  • E (Evidence): Evidence points × freshness multiplier
  • P (Provenance): Level-based score (unsigned to reproducible)
  • wB, wR, wE, wP: Weight basis points (must sum to 10000)

Default weights:

Factor Weight (bps) Percentage
Base Severity 1000 10%
Reachability 4500 45%
Evidence 3000 30%
Provenance 1500 15%

Use cases:

  • Organizations requiring audit-friendly, explainable scoring
  • Compliance scenarios requiring transparent formulas
  • Initial deployments before advanced analysis is available

Advanced Profile (Default)

The Advanced profile extends Simple with:

  • CVSS version adjustment: Scores weighted by CVSS version (4.0 > 3.1 > 3.0 > 2.0)
  • KEV boost: +20 points for Known Exploited Vulnerabilities
  • Uncertainty penalty: Deductions for missing data (reachability, evidence, provenance, CVSS version)
  • Semantic category multipliers: Entry points and API endpoints scored higher than internal services
  • Multi-evidence overlap bonus: 10% bonus per additional evidence type
  • Advanced score passthrough: Uses pre-computed advanced scores when available

Use cases:

  • Production deployments with full telemetry
  • Organizations with mature security programs
  • Scenarios requiring nuanced risk differentiation

Custom Profile (Enterprise)

The Custom profile allows fully user-defined scoring via Rego policies. Requires:

  • Valid Rego policy path
  • Policy Engine license with Custom Scoring feature

Configuration

Score Policy YAML

Add the scoringProfile field to your score policy:

policyVersion: score.v1
scoringProfile: simple  # Options: simple, advanced, custom

weightsBps:
  baseSeverity: 1000
  reachability: 4500
  evidence: 3000
  provenance: 1500

# ... rest of policy configuration

Tenant Override

Tenants can override the default profile via the Scoring Profile Service:

// Set profile for a tenant
scoringProfileService.SetProfileForTenant("tenant-id", new ScoringProfileConfig
{
    Profile = ScoringProfile.Simple
});

// Remove override (revert to default)
scoringProfileService.RemoveProfileForTenant("tenant-id");

API Integration

Scoring with Default Profile

var result = await profileAwareScoringService.ScoreAsync(input);
// Uses tenant's configured profile

Scoring with Explicit Profile

var result = await profileAwareScoringService.ScoreWithProfileAsync(
    input,
    ScoringProfile.Simple);

Profile Comparison

var comparison = await profileAwareScoringService.CompareProfilesAsync(input);
// Returns scores from all profiles for analysis

Audit Trail

All scoring results include profile identification:

{
  "finding_id": "CVE-2024-12345-pkg-1.0.0",
  "scoring_profile": "simple",
  "profile_version": "simple-v1",
  "raw_score": 65,
  "final_score": 65,
  "severity": "medium",
  "signal_values": {
    "baseSeverity": 75,
    "reachability": 70,
    "evidence": 45,
    "provenance": 60
  },
  "signal_contributions": {
    "baseSeverity": 7.5,
    "reachability": 31.5,
    "evidence": 13.5,
    "provenance": 9.0
  },
  "explain": [
    { "factor": "baseSeverity", "value": 75, "reason": "CVSS 7.5 (v3.1) with version adjustment" },
    { "factor": "evidence", "value": 45, "reason": "45 evidence points, 14 days old (90% freshness)" },
    { "factor": "provenance", "value": 60, "reason": "Provenance level: SignedWithSbom" },
    { "factor": "reachability", "value": 70, "reason": "2 hops from call graph" }
  ]
}

Migration Guide

From Legacy Scoring

  1. Audit current scores: Export current scores for baseline comparison
  2. Enable Simple profile: Start with Simple for predictable behavior
  3. Compare profiles: Use CompareProfilesAsync to understand differences
  4. Gradual rollout: Move to Advanced when confidence is established

Profile Switching Best Practices

  • Test in staging first: Validate score distribution before production
  • Monitor severity distribution: Watch for unexpected shifts
  • Document changes: Record profile changes in policy lifecycle
  • Use replay: Re-score historical findings to validate behavior

Determinism

Both Simple and Advanced profiles are fully deterministic:

  • Explicit time: All calculations use AsOf timestamp
  • Integer math: Basis-point arithmetic avoids floating-point drift
  • Stable ordering: Explanations sorted alphabetically by factor
  • Input digests: Track input hashes for replay validation

Performance

Profile Typical Latency Memory
Simple < 1ms Minimal
Advanced < 5ms Minimal
Custom Varies Depends on Rego complexity

Related Documentation