34 lines
3.0 KiB
Markdown
# Exploit Maturity Mapping
## Module
RiskEngine
## Status
VERIFIED
## Description
Dedicated exploit maturity mapping service consolidating EPSS, KEV, and in-the-wild signals into a unified maturity level taxonomy (Unknown, Theoretical, ProofOfConcept, Active, Weaponized). Previously described as partially implemented, the service has since been fully built.
## Implementation Details
- **Exploit Maturity Service**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ExploitMaturityService.cs` (227 lines) -- implements `IExploitMaturityService`. Consolidates: EPSS signals (>=0.80 = Weaponized, >=0.40 = Active, >=0.10 = ProofOfConcept, >=0.01 = Theoretical), KEV signals (KEV-listed = Weaponized with 0.95 confidence), in-the-wild signals (via `IInTheWildSource`). Max-level aggregation with weighted confidence averaging. Parallel signal fetching via `Task.WhenAll`. OpenTelemetry metrics. Deterministic with injected `TimeProvider`.
- **Exploit Maturity Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IExploitMaturityService.cs` -- `AssessMaturityAsync`, `GetMaturityLevelAsync`, `GetMaturityHistoryAsync` methods.
- **Exploit Maturity Models**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Contracts/ExploitMaturityModels.cs` (89 lines) -- `ExploitMaturityLevel` enum (Unknown, Theoretical, ProofOfConcept, Active, Weaponized), `MaturityEvidenceSource` enum (Epss, Kev, InTheWild, ExploitDb, ScannerTemplate, Override), `MaturitySignal` record, `ExploitMaturityResult` record, `MaturityHistoryEntry` record.
- **Exploit Maturity Endpoints**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Endpoints/ExploitMaturityEndpoints.cs` (134 lines) -- Minimal API: GET /exploit-maturity/{cveId} (full assessment), GET /exploit-maturity/{cveId}/level (just level), GET /exploit-maturity/{cveId}/history (maturity history), POST /exploit-maturity/batch (batch with deduplication).
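The threshold mapping and max-level aggregation described above, as an added stand-alone model (not the project's `ExploitMaturityService` code). It assumes the EPSS score doubles as that signal's confidence, that in-the-wild observation carries 0.90 confidence, that EPSS below 0.01 yields no signal, and that the confidence average is weighted by each signal's level rank; none of those details are stated on the page.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class ExploitMaturityLevel(IntEnum):
    # Ordered so that max() selects the most mature level.
    UNKNOWN = 0
    THEORETICAL = 1
    PROOF_OF_CONCEPT = 2
    ACTIVE = 3
    WEAPONIZED = 4


@dataclass(frozen=True)
class MaturitySignal:
    source: str                  # "Epss", "Kev" or "InTheWild"
    level: ExploitMaturityLevel
    confidence: float            # 0.0 .. 1.0


# EPSS thresholds from the page, checked highest first.
EPSS_THRESHOLDS = (
    (0.80, ExploitMaturityLevel.WEAPONIZED),
    (0.40, ExploitMaturityLevel.ACTIVE),
    (0.10, ExploitMaturityLevel.PROOF_OF_CONCEPT),
    (0.01, ExploitMaturityLevel.THEORETICAL),
)


def epss_signal(score: float) -> Optional[MaturitySignal]:
    """Map an EPSS probability to a signal; below 0.01 yields none (assumption)."""
    for threshold, level in EPSS_THRESHOLDS:
        if score >= threshold:
            # Assumption: the EPSS probability is reused as the signal confidence.
            return MaturitySignal("Epss", level, score)
    return None


def kev_signal(listed: bool) -> Optional[MaturitySignal]:
    """KEV-listed CVEs are Weaponized with 0.95 confidence, as the page states."""
    return MaturitySignal("Kev", ExploitMaturityLevel.WEAPONIZED, 0.95) if listed else None


def in_the_wild_signal(observed: bool) -> Optional[MaturitySignal]:
    """In-the-wild observation maps to Active; the 0.90 confidence is an assumption."""
    return MaturitySignal("InTheWild", ExploitMaturityLevel.ACTIVE, 0.90) if observed else None


def assess(signals) -> tuple:
    """Max-level aggregation; confidence averaged with level rank as weight (assumption)."""
    signals = [s for s in signals if s is not None]
    if not signals:
        return ExploitMaturityLevel.UNKNOWN, 0.0
    level = max(s.level for s in signals)
    total_weight = sum(int(s.level) for s in signals)
    confidence = sum(s.confidence * int(s.level) for s in signals) / total_weight
    return level, round(confidence, 4)
```

Because the functions are pure and the signal order does not affect `max` or the weighted sum, the same inputs always produce the same output, which is the determinism property the test plan checks.
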
## E2E Test Plan
- [x] Verify no signals returns Unknown level
- [x] Verify EPSS-only mapping at various thresholds (Theoretical, ProofOfConcept, Active, Weaponized)
- [x] Verify KEV-only returns Weaponized with 0.95 confidence
- [x] Verify in-the-wild-only returns Active
- [x] Verify max-level aggregation when multiple signals present
- [x] Verify confidence averaging with all signals
- [x] Verify API endpoints (full assessment, level-only, history, batch)
- [x] Verify determinism: same inputs produce same outputs
## Verification
- **Verified**: 2026-02-10
- **Method**: Tier 1 code review + Tier 2d test verification
- **Build**: Passes (0 errors, 0 warnings for Core)
- **Tests**: 23 tests across 2 test files (ExploitMaturityServiceTests: 14, ExploitMaturityApiTests: 9). All 55/55 module tests pass.
- **Note**: `GetMaturityHistoryAsync` returns empty (requires persistence layer). Interface and model for lifecycle tracking exist but persistence is not yet implemented. The core maturity assessment service is fully functional.