git.stella-ops.org/docs/features/checked/scanner/epss-change-events-for-reanalysis-triggers.md
2026-02-14 09:11:48 +02:00


EPSS Change Events for Reanalysis Triggers

| Module  | Status   |
|---------|----------|
| Scanner | VERIFIED |

Description

Deterministic EPSS change events (per-CVE score deltas, priority bands, and idempotent event IDs so that a replayed or duplicated ingest does not re-trigger reanalysis), plus scan manifests extended with tool versions and evidence digests so that the inputs to a policy decision can be fingerprinted and reproduced.

Implementation Details

  • EPSS Change Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeDetector.cs - Detects EPSS score changes per CVE
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeRecord.cs - Change record model with deltas
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssChangeEvent.cs - Deterministic change event with idempotent event ID
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs - Updated event for signal dispatch
  • EPSS Provider & Caching:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/IEpssProvider.cs - Interface for EPSS data access
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs - PostgreSQL-backed EPSS provider
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs - Cached EPSS provider
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssPriorityBand.cs - Priority band classification
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssEvidence.cs - EPSS evidence model
  • Signal Publishing:
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs - Signal publisher interface
  • Worker Jobs:
    • src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs - EPSS enrichment job
    • src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs - EPSS data ingestion job
    • src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs - EPSS signal dispatch job
    • src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentStageExecutor.cs - Stage executor for scan pipeline
  • API:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs - EpssEndpoints with batch lookup, history, and status

E2E Test Plan

  • Ingest an EPSS snapshot and verify that change detection emits events only for CVEs whose score appeared or moved, with the correct per-CVE delta
  • Verify event IDs are deterministic: the same CVE/score-delta combination yields the same ID across runs, and re-ingesting the same snapshot produces no new events
  • Verify priority band classification (critical, high, medium, low) against the EPSS score thresholds, including scores that sit exactly on a threshold
  • Verify EPSS change events trigger scan reanalysis for the artifacts affected by the changed CVEs, and that unchanged CVEs trigger nothing
  • Call POST /api/v1/epss/batch with a list of CVE IDs and verify EPSS scores are returned for each
  • Call GET /api/v1/epss/{cveId}/history and verify the EPSS score history includes the corresponding change events
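The following is an added illustration of the behaviour the implementation files and test plan above describe (per-CVE deltas, priority bands, idempotent event IDs, and the reanalysis decision); it is not StellaOps code and not a port of EpssChangeDetector.cs or EpssChangeEvent.cs. The band thresholds, the REANALYSIS_DELTA cut-off, the event-ID recipe (SHA-256 over a canonical JSON encoding of CVE, old score, new score and model date) and the placeholder CVE IDs are all assumptions made for the example.

```python
"""Toy model of EPSS change detection for reanalysis triggers.

Added illustration, not StellaOps code: thresholds, field names and the
event-ID recipe are assumptions, not the values in EpssPriorityBand.cs
or EpssChangeEvent.cs.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed band cut-offs on the EPSS probability (0..1), checked top-down.
BAND_THRESHOLDS = (("critical", 0.70), ("high", 0.40), ("medium", 0.10))
# Assumed: a move of at least this much triggers reanalysis even within a band.
REANALYSIS_DELTA = 0.05


def priority_band(score: float) -> str:
    """Map an EPSS probability to a band; below the lowest cut-off is 'low'."""
    for name, floor in BAND_THRESHOLDS:
        if score >= floor:
            return name
    return "low"


@dataclass(frozen=True)
class EpssChangeEvent:
    event_id: str
    cve_id: str
    old_score: Optional[float]   # None when the CVE had no prior score
    new_score: float
    delta: float
    old_band: Optional[str]
    new_band: str
    model_date: str              # EPSS model run that produced new_score


def event_id_for(cve_id: str, old_score: Optional[float],
                 new_score: float, model_date: str) -> str:
    """Idempotent event ID: SHA-256 over a canonical encoding of the change.

    Scores are fixed to 5 decimals and keys are sorted, so two workers (or a
    replayed ingest) seeing the same CVE/old/new/model-date hash identically.
    """
    payload = json.dumps(
        {"cve": cve_id, "modelDate": model_date,
         "new": f"{new_score:.5f}",
         "old": None if old_score is None else f"{old_score:.5f}"},
        sort_keys=True, separators=(",", ":"))
    return "epss-chg-" + hashlib.sha256(payload.encode("utf-8")).hexdigest()[:32]


def detect_changes(previous: Dict[str, float], current: Dict[str, float],
                   model_date: str) -> List[EpssChangeEvent]:
    """Emit one event per CVE whose score appeared or moved since `previous`."""
    events: List[EpssChangeEvent] = []
    for cve_id in sorted(current):          # sorted: deterministic event order
        new, old = current[cve_id], previous.get(cve_id)
        if old is not None and old == new:
            continue                        # unchanged score, no event
        events.append(EpssChangeEvent(
            event_id=event_id_for(cve_id, old, new, model_date),
            cve_id=cve_id, old_score=old, new_score=new,
            delta=round(new - (old or 0.0), 5),
            old_band=None if old is None else priority_band(old),
            new_band=priority_band(new), model_date=model_date))
    return events


def should_reanalyze(event: EpssChangeEvent) -> bool:
    """Band changed (including first-time scoring) or a large in-band move."""
    return event.old_band != event.new_band or abs(event.delta) >= REANALYSIS_DELTA


class ReanalysisQueue:
    """Dedupes on event_id so a replayed ingest does not re-trigger scans."""
    def __init__(self) -> None:
        self.seen: set = set()
        self.triggered: List[str] = []

    def enqueue(self, event: EpssChangeEvent) -> bool:
        if event.event_id in self.seen:
            return False
        self.seen.add(event.event_id)
        if should_reanalyze(event):
            self.triggered.append(event.cve_id)
        return True


# Constructed snapshots with placeholder CVE IDs (not real vulnerabilities).
PREVIOUS = {"CVE-2000-0001": 0.12, "CVE-2000-0002": 0.03, "CVE-2000-0003": 0.55}
CURRENT = {"CVE-2000-0001": 0.12, "CVE-2000-0002": 0.48,
           "CVE-2000-0003": 0.52, "CVE-2000-0004": 0.02}
MODEL_DATE = "2026-02-13"


def run_example() -> ReanalysisQueue:
    """Detect twice (a replayed ingest); the second pass enqueues nothing."""
    queue = ReanalysisQueue()
    first = [queue.enqueue(e) for e in detect_changes(PREVIOUS, CURRENT, MODEL_DATE)]
    second = [queue.enqueue(e) for e in detect_changes(PREVIOUS, CURRENT, MODEL_DATE)]
    assert all(first) and not any(second)
    return queue


if __name__ == "__main__":
    run_example()
    for e in detect_changes(PREVIOUS, CURRENT, MODEL_DATE):
        print(e.event_id, e.cve_id, e.old_band, "->", e.new_band,
              f"delta={e.delta:+.2f}", "reanalyze" if should_reanalyze(e) else "skip")
```

The point of the canonical encoding is that the ID is a pure function of the change itself: nothing host-, time- or ordering-dependent goes into the hash, which is what lets a consumer deduplicate on the ID alone. Note that a score that moves within a band by less than the cut-off (CVE-2000-0003 above) still produces an event, so history stays complete, but does not trigger reanalysis.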

Verification

| Check                          | Result |
|--------------------------------|--------|
| Tier 0 - Source files exist    | PASS   |
| Tier 1 - Build + code review   | PASS   |
| Tier 2 - Integration tests     | PASS   |

Verified 2026-02-13T18:10:00Z