stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
5593212b414864ab213082c8945a267451b99901
git.stella-ops.org/docs/features/checked/riskengine/cvss-kev-risk-signal-combination.md

3.8 KiB
Raw Blame History

CVSS + KEV Risk Signal Combination

Module

RiskEngine

Status

VERIFIED

Description

Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula: clamp01((cvss/10) + kevBonus) where kevBonus = 0.2 if KEV-listed, 0 otherwise. Uses Math.Round(..., 6, MidpointRounding.ToEven) for determinism.

Implementation Details

  • CVSS+KEV Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs -- implements IRiskScoreProvider. Combines CVSS base scores with CISA KEV catalog data. KEV-listed vulnerabilities receive a +0.2 risk boost. Deterministic rounding.
  • Risk Score Provider Interface: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs -- IRiskScoreProvider interface (Name, ScoreAsync) and IRiskScoreProviderRegistry with in-memory dictionary implementation.
  • CVSS+KEV Sources Interface: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs -- ICvssSource (returns double? CVSS 0-10) and IKevSource (returns bool?). Includes null-object implementations.
  • VEX Gate Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs -- implements IRiskScoreProvider. Short-circuits to 0d when HasDenial >= 1 signal present; otherwise returns max of remaining signals clamped to [0,1].
  • Fix Exposure Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs -- weighted formula: 0.5 * FixAvailability + 0.3 * Criticality + 0.2 * Exposure. Missing signals default to 0.
  • Fix Chain Risk Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs (349 lines) -- implements both IRiskScoreProvider and IFixChainRiskProvider. Computes risk adjustment based on fix verification status and confidence. Configurable via FixChainRiskOptions.
  • Fix Chain Attestation Client: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs (253 lines) -- HTTP-based client with IMemoryCache integration, positive/negative caching, JSON deserialization.
  • Fix Chain Metrics/Display: FixChainRiskMetrics.cs (OpenTelemetry counters/histograms), FixChainRiskDisplay.cs (badge, tooltip, summary).
  • Default Transforms Provider: DefaultTransformsProvider.cs -- signal clamping and averaging with deterministic ordering.
  • Score Request/Result: ScoreRequest.cs, RiskScoreResult.cs -- request/response models.
  • Risk Score Worker/Queue: RiskScoreWorker.cs (background worker), RiskScoreQueue.cs (Channel-based FIFO queue with bounded/unbounded options).

E2E Test Plan

  • Submit a score request for a CVE with CVSS 7.5 listed in KEV and verify combined risk score is higher than CVSS alone
  • Submit same CVSS score without KEV and verify no KEV boost
  • VEX gate: submit KEV-listed CVE with VEX "not_affected" and verify VexGateProvider reduces score
  • Fix chain: submit CVE with verified fix attestation and verify FixChainRiskProvider reduces score
  • Determinism: compute same risk score multiple times and verify bit-for-bit identical results
  • Verify risk score worker processes queued requests and stores results

Verification

  • Verified: 2026-02-10
  • Method: Tier 1 code review + Tier 2d test verification
  • Build: Core and Infrastructure projects build cleanly (0 errors, 0 warnings). Worker/WebService have deprecation notices but compile.
  • Tests: 44+ tests covering this feature across 4 test files (UnitTest1/RiskScoreWorkerTests: 17, RiskEngineApiTests: 4, FixChainRiskProviderTests: 13, FixChainRiskIntegrationTests: 10). All 55/55 module tests pass.