git.stella-ops.org/docs/features/checked/concelier/concelier-vendor-risk-signal-provider.md
2026-02-13 02:04:55 +02:00


# Concelier Vendor Risk Signal Provider

## Module

Concelier

## Status

VERIFIED

## Description

Extracts vendor-specific risk signals from advisory data, emits fix availability events, and tracks advisory field changes for risk scoring. Not in the known list.

## Implementation Details

  • Modules: src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/
  • Key Classes:
    • VendorRiskSignalExtractor (src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/VendorRiskSignalExtractor.cs) - extracts vendor-specific risk signals (CVSS, exploit maturity, fix availability) from advisory data
    • PolicyStudioSignalPicker (src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/PolicyStudioSignalPicker.cs) - filters and selects signals for policy evaluation
  • Interfaces: IPolicyStudioSignalPicker
  • Source: Sprint 0115 (batch_14/file_16.md)

## E2E Test Plan

  • Provide a vendor advisory with CVSS and fix availability and verify VendorRiskSignalExtractor produces correct risk signals
  • Verify fix availability emission: advisory with a fix emits a fix-available signal event
  • Verify field change tracking: update an advisory field and verify the risk signal reflects the change
  • Verify signal extraction handles missing fields gracefully (no CVSS, no fix info)
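The test plan above exercises four behaviours: picking a CVSS score, turning it into a severity (with KEV forcing critical), pulling fix versions out of OSV `affected[].ranges[].events[].fixed` with de-duplication, and tolerating advisories with no CVSS or fix data at all. The block below is an added illustration of those behaviours, not code from StellaOps.Concelier (which is C#; this is Python so the logic can be read and run stand-alone). The OSV path for fix events is the one the page cites; everything else is an assumption for the example: the `cvss` mapping keyed by version string, the `kev` boolean, the `RiskSignals` shape, the `field_changes` helper, and the constructed advisory with placeholder id `EXAMPLE-2026-0001`.

```python
"""Illustrative vendor-risk-signal extraction over an OSV/NVD-style advisory.

Added example for this page; not StellaOps.Concelier code. The
affected[].ranges[].events[].fixed path follows the OSV schema as cited on
the page; the `cvss` and `kev` keys and the RiskSignals shape are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Priority used to pick one CVSS version when several are present
# (page: v4 > v3.1 > v3.0 > v2).
CVSS_VERSION_PRIORITY = ("4.0", "3.1", "3.0", "2.0")

# Constructed sample advisory (not a real one). The v2 score is deliberately
# present alongside v3.1 so the priority rule is visible; the second range
# repeats "1.2.3" to exercise fix-version de-duplication.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-2026-0001",
    "cvss": {"3.1": 7.5, "2.0": 5.0},
    "kev": False,
    "affected": [
        {
            "package": {"name": "libexample", "ecosystem": "PyPI"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]},
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.4"},
                            {"fixed": "1.2.3"}]},
            ],
        }
    ],
}


@dataclass
class RiskSignals:
    cvss_version: Optional[str]
    cvss_score: Optional[float]
    effective_severity: Optional[str]
    known_exploited: bool
    fix_versions: list          # de-duplicated, first-seen order
    fix_available: bool


def pick_cvss(cvss: dict):
    """Return (version, score) for the highest-priority CVSS version present,
    or (None, None) when the advisory carries no usable score."""
    for version in CVSS_VERSION_PRIORITY:
        score = cvss.get(version)
        if isinstance(score, (int, float)) and not isinstance(score, bool):
            return version, float(score)
    return None, None


def severity_from_score(version, score):
    """Map a numeric score to a qualitative rating using the thresholds of the
    version it came from: v2 has no Critical band, v3.x/v4 do."""
    if score is None:
        return None
    if version == "2.0":
        # CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
        return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"
    # CVSS v3.x / v4.0: None 0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"


def extract_fix_versions(advisory: dict) -> list:
    """Collect every `fixed` event under affected[].ranges[].events[], skipping
    blanks and duplicates while keeping first-seen order. Missing or null
    containers are treated as empty rather than raising."""
    seen = []
    for affected in advisory.get("affected") or []:
        for rng in affected.get("ranges") or []:
            for event in rng.get("events") or []:
                fixed = event.get("fixed")
                if isinstance(fixed, str):
                    fixed = fixed.strip()
                    if fixed and fixed not in seen:
                        seen.append(fixed)
    return seen


def extract_signals(advisory: dict) -> RiskSignals:
    """Produce the risk signals for one advisory; a known-exploited flag
    overrides the score-derived severity to critical."""
    version, score = pick_cvss(advisory.get("cvss") or {})
    severity = severity_from_score(version, score)
    kev = bool(advisory.get("kev", False))
    if kev:
        severity = "critical"
    fixes = extract_fix_versions(advisory)
    return RiskSignals(version, score, severity, kev, fixes, bool(fixes))


def field_changes(old: dict, new: dict) -> list:
    """Report which risk-relevant signals changed between two snapshots of the
    same advisory, as (field, before, after). Values are compared as numbers
    and strings, never as locale-formatted text, so a score change is detected
    identically regardless of the host's culture settings."""
    before, after = extract_signals(old), extract_signals(new)
    tracked = ("cvss_version", "cvss_score", "effective_severity",
               "known_exploited", "fix_available")
    return [(name, getattr(before, name), getattr(after, name))
            for name in tracked if getattr(before, name) != getattr(after, name)]


if __name__ == "__main__":
    print(extract_signals(SAMPLE_ADVISORY))
    print(field_changes(SAMPLE_ADVISORY, {**SAMPLE_ADVISORY, "cvss": {"3.1": 9.8}}))
```

Two design points worth noting against the plan's last bullet: every container lookup uses `or []` / `or {}` so a null `affected` or `ranges` degrades to "no fix available" instead of an exception, and the empty-advisory case yields a `RiskSignals` whose score and severity are `None` rather than a fabricated zero, which keeps downstream scoring from treating "unknown" as "harmless".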

## Verification

  • Run ID: run-002 (deep verification)
  • Date: 2026-02-13
  • Result: PASS - Deep behavioral verification with 28 NEW unit tests written.
    • Core.Tests 543/545 (2 pre-existing FeedSnapshotPinningService failures, unrelated):
      • VendorRiskSignalExtractorTests (14 tests): CVSS extraction, KEV parsing from NVD/OSV JSON, fix availability from OSV affected[].ranges[].events[{fixed}], provenance anchoring, blank-system filtering, null handling, NormalizedSystem aliases, EffectiveSeverity v2/v3 thresholds, HighestCvssScore.
      • PolicyStudioSignalPickerTests (14 tests): CVSS version priority selection v4 > v3.1 > v3.0 > v2, PreferredCvssVersion, KEV-to-critical severity override, fix version extraction with dedup, provenance chain, options control for IncludeCvss/IncludeKev/IncludeFixAvailability/IncludeProvenance.
    • AdvisoryFieldChangeEmitterTests (1 test): CVSS change tracking with invariant culture.
  • Previous Run: run-001 (indirect verification via InterestScoreCalculatorTests only)