3.8 KiB
3.8 KiB
CVSS + KEV Risk Signal Combination
Module
RiskEngine
Status
IMPLEMENTED
Description
Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula tested via integration tests.
Implementation Details
- CVSS+KEV Provider:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs(implementsIRiskScoreProvider) -- combines CVSS base scores with CISA KEV catalog data; KEV-listed vulnerabilities receive a risk boost reflecting active exploitation. - Risk Score Provider Interface:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs-- contract for risk score computation providers. - CVSS+KEV Sources Interface:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs-- data source contract for CVSS scores and KEV catalog. - VEX Gate Provider:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs-- applies VEX status as a risk gate, reducing or zeroing risk scores for findings with "not_affected" or "fixed" status. - Fix Exposure Provider:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs-- adjusts risk based on fix availability and exposure window. - Fix Chain Risk Provider:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs-- computes risk from fix chain analysis including attestation verification. - Fix Chain Attestation Client:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs(implementsIFixChainAttestationClient) -- fetches fix chain attestation data for risk computation. - Fix Chain Risk Metrics/Display:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskMetrics.cs,FixChainRiskDisplay.cs-- metrics and display models for fix chain risk. - Default Transforms Provider:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/DefaultTransformsProvider.cs-- default risk score transformation rules. - Score Request/Result:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Contracts/ScoreRequest.cs,RiskScoreResult.cs-- request/response models for risk score computation. - Risk Score Worker:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/RiskScoreWorker.cs-- background worker processing risk score computation queue. - Risk Score Queue:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/RiskScoreQueue.cs-- queue for asynchronous risk score computation requests. - Tests:
src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/RiskEngineApiTests.cs,FixChainRiskProviderTests.cs,FixChainRiskIntegrationTests.cs
E2E Test Plan
- Submit a score request for a CVE with a CVSS score of 7.5 that is listed in the KEV catalog and verify the combined risk score is higher than the CVSS score alone
- Submit a score request for the same CVSS score but without KEV listing and verify the risk score equals the CVSS base score (no KEV boost)
- Verify VEX gate: submit a score request for a KEV-listed CVE with VEX status "not_affected" and confirm the
VexGateProviderreduces the risk score - Verify fix chain risk: submit a score request for a CVE with a verified fix attestation and confirm
FixChainRiskProviderreduces the risk score based on fix verification - Verify determinism: compute the same risk score 10 times with identical inputs and confirm all results are bit-for-bit identical
- Verify the risk score worker processes queued requests and stores results in
IRiskScoreResultStore