git.stella-ops.org/docs/features/checked/feedser/epss-signal-ready-layer.md
2026-02-12 10:27:23 +02:00

EPSS Signal-Ready Layer (Tenant-Scoped Actionable Events)

Module: Feedser

Status: VERIFIED

Description: EPSS signal emission pipeline with change detection, signal-flow integration, and attachment of signals to risk evaluations. EPSS evidence feeds the policy determinization scoring system.

Implementation Details

  • EPSS Signal Attacher: src/Feedser/StellaOps.Feedser.Core/Signals/EpssSignalAttacher.cs (implements ISignalAttacher) -- attaches EPSS probability scores to findings as risk signals, enabling downstream policy evaluation and scoring.
  • KEV Signal Attacher: src/Feedser/StellaOps.Feedser.Core/Signals/KevSignalAttacher.cs (implements ISignalAttacher) -- attaches CISA Known Exploited Vulnerabilities (KEV) status signals to findings.
  • Signal Attacher Interface: src/Feedser/StellaOps.Feedser.Core/Signals/ISignalAttacher.cs -- contract for signal attachment implementations.
  • Signal DI Extensions: src/Feedser/StellaOps.Feedser.Core/Signals/SignalAttacherServiceExtensions.cs -- registers EpssSignalAttacher and KevSignalAttacher in the DI container.
  • Function Signature Extractor: src/Feedser/StellaOps.Feedser.Core/FunctionSignatureExtractor.cs -- extracts function signatures from patch data for vulnerability correlation.
  • Hunk Signature Extractor: src/Feedser/StellaOps.Feedser.Core/HunkSigExtractor.cs -- extracts patch hunk signatures for binary-level vulnerability matching.
  • Patch Signature Model: src/Feedser/StellaOps.Feedser.Core/Models/PatchSignature.cs -- model for extracted patch signatures.
  • Binary Fingerprinting: src/Feedser/StellaOps.Feedser.BinaryAnalysis/BinaryFingerprintFactory.cs -- factory for creating binary fingerprints using multiple strategies.
  • Fingerprinters: src/Feedser/StellaOps.Feedser.BinaryAnalysis/Fingerprinters/InstructionHashFingerprinter.cs (instruction-level hashing), SimplifiedTlshFingerprinter.cs (TLSH fuzzy hashing).
  • Binary Fingerprint Model: src/Feedser/StellaOps.Feedser.BinaryAnalysis/Models/BinaryFingerprint.cs -- model for binary fingerprint data.
  • Tests: src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/Signals/EpssSignalAttacherTests.cs, src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/FunctionSignatureExtractorTests.cs, HunkSigExtractorTests.cs; src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/BinaryFingerprintTests.cs
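The attacher contract and change-detection behaviour listed above, as an added example that is not Feedser's code: ISignalAttacher, Finding, RiskSignal, EpssScore and the two lookup delegates are shapes assumed for this illustration, and the CVE identifier and scores are constructed sample data (the numbers are not real EPSS values). It targets .NET 6 or later (DateOnly, records).

```csharp
// Added illustration of the signal-attacher pattern; not Feedser's source.
// ISignalAttacher, Finding, RiskSignal, EpssScore and the lookup delegates are
// assumed shapes; the CVE and the scores below are constructed sample data.
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record RiskSignal(string Kind, string Value, DateOnly AsOf);

public sealed class Finding
{
    private readonly Dictionary<string, RiskSignal> _signals = new(StringComparer.Ordinal);

    public Finding(string cve) => Cve = cve;
    public string Cve { get; }
    public IReadOnlyDictionary<string, RiskSignal> Signals => _signals;

    // Change detection: true only when the signal's value differs from what is
    // stored, so a replay of identical evidence emits no re-evaluation event.
    // AsOf is always refreshed but never counts as a change on its own.
    public bool Upsert(RiskSignal signal)
    {
        bool changed = !_signals.TryGetValue(signal.Kind, out var old) || old.Value != signal.Value;
        _signals[signal.Kind] = signal;
        return changed;
    }
}

public interface ISignalAttacher
{
    // Returns true if the finding's signal set changed and needs re-evaluation.
    bool Attach(Finding finding);
}

public sealed record EpssScore(double Probability, double Percentile, DateOnly ModelDate);

public sealed class EpssSignalAttacher : ISignalAttacher
{
    private readonly Func<string, EpssScore?> _lookup;   // null models the NotFound case
    public EpssSignalAttacher(Func<string, EpssScore?> lookup) => _lookup = lookup;

    public bool Attach(Finding finding)
    {
        var score = _lookup(finding.Cve);
        if (score is null) return false;                  // unknown CVE: nothing attached
        // Fixed precision and invariant culture, so feed-pull float noise or a
        // different host locale can never register as a score change.
        string value = FormattableString.Invariant($"{score.Probability:F5};{score.Percentile:F5}");
        return finding.Upsert(new RiskSignal("epss", value, score.ModelDate));
    }
}

public sealed class KevSignalAttacher : ISignalAttacher
{
    private readonly Func<string, bool> _isInKev;
    private readonly DateOnly _catalogDate;
    public KevSignalAttacher(Func<string, bool> isInKev, DateOnly catalogDate)
        => (_isInKev, _catalogDate) = (isInKev, catalogDate);

    public bool Attach(Finding finding)
    {
        // Record an explicit "false" too, so removal from the catalog is also a detected change.
        string value = _isInKev(finding.Cve) ? "true" : "false";
        return finding.Upsert(new RiskSignal("kev", value, _catalogDate));
    }
}

public static class Demo
{
    public static void Main()
    {
        var epss = new Dictionary<string, EpssScore>
        {
            ["CVE-2024-3094"] = new(0.94123, 0.99876, new DateOnly(2026, 2, 10)),  // constructed values
        };
        var kev = new HashSet<string> { "CVE-2024-3094" };
        var attachers = new ISignalAttacher[]
        {
            new EpssSignalAttacher(cve => epss.TryGetValue(cve, out var s) ? s : null),
            new KevSignalAttacher(kev.Contains, new DateOnly(2026, 2, 10)),
        };
        int Run(Finding f) => attachers.Count(a => a.Attach(f));   // number of changed signals

        var known = new Finding("CVE-2024-3094");
        Console.WriteLine($"first attach: {Run(known)} signal(s) changed");
        Console.WriteLine($"replay:       {Run(known)} signal(s) changed");

        epss["CVE-2024-3094"] = new(0.95000, 0.99880, new DateOnly(2026, 2, 11));
        Console.WriteLine($"new score:    {Run(known)} signal(s) changed");

        var unknown = new Finding("CVE-2099-0001");
        Run(unknown);
        Console.WriteLine($"unknown CVE:  epss present={unknown.Signals.ContainsKey("epss")}, kev={unknown.Signals["kev"].Value}");
    }
}
```

The design point is in Finding.Upsert: the first pass changes both signals, replaying the same evidence changes none, and a new EPSS score changes exactly one, which is what the E2E plan's "only the changed signal triggers a re-evaluation event" check needs. For the unknown CVE the EPSS attacher attaches nothing while the KEV attacher records an explicit false; a real implementation would also decide what to do with a stale EPSS signal when a CVE later disappears from the feed.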

E2E Test Plan

  • Attach an EPSS signal to a finding via EpssSignalAttacher and verify the EPSS probability score is available in the finding's signal set
  • Attach a KEV signal and verify the finding is marked as a known exploited vulnerability
  • Verify signal change detection: attach an EPSS signal, update the EPSS score, and confirm only the changed signal triggers a re-evaluation event
  • Extract function signatures from a patch file and verify they match expected signatures for the patched functions
  • Generate a binary fingerprint using InstructionHashFingerprinter and verify it produces a deterministic hash for the same binary input
  • Generate a TLSH fingerprint via SimplifiedTlshFingerprinter and verify it produces a similarity-preserving hash that detects near-duplicate binaries
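The two fingerprint checks above (a deterministic instruction hash and a similarity-preserving digest), as an added example that is not Feedser's BinaryFingerprintFactory or its fingerprinters: the disassembly is supplied as constructed "mnemonic operands" text rather than decoded from a binary, and the operand-normalisation rules and the TLSH-like digest layout are assumptions made for this illustration. It targets .NET 5 or later (SHA256.HashData, Convert.ToHexString).

```csharp
// Added illustration; not Feedser's InstructionHashFingerprinter or SimplifiedTlshFingerprinter.
// Disassembly is constructed text (a real pipeline would take it from a decoder); the
// normalisation rules and the digest layout are assumptions for this example.
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class InstructionHashFingerprint
{
    // Immediates and absolute addresses become IMM so that relocation or layout
    // differences between two builds of the same code do not change the hash.
    // Register names such as r8 or xmm0 keep their digits: the lookarounds require
    // a non-identifier character on both sides of the number.
    private static readonly Regex Hex = new(@"0x[0-9a-f]+", RegexOptions.Compiled);
    private static readonly Regex Dec = new(@"(?<![a-z0-9_])\d+(?![a-z0-9_])", RegexOptions.Compiled);

    public static string Normalize(string insn)
    {
        string s = Regex.Replace(insn.Trim().ToLowerInvariant(), @"\s+", " ");
        return Dec.Replace(Hex.Replace(s, "IMM"), "IMM");
    }

    // Deterministic: the same instruction sequence always yields the same SHA-256.
    public static string Compute(IEnumerable<string> disassembly)
    {
        byte[] canon = Encoding.UTF8.GetBytes(string.Join("\n", disassembly.Select(Normalize)));
        return Convert.ToHexString(SHA256.HashData(canon)).ToLowerInvariant();
    }
}

// Simplified TLSH-style locality-sensitive digest: bucket byte trigrams, then encode
// each bucket as 2 bits relative to the quartiles of the bucket counts. Unlike the
// SHA-256 above, a small edit changes only a few 2-bit codes.
public static class SimilarityDigest
{
    private const int Buckets = 64;

    public static byte[] Compute(byte[] data)
    {
        var counts = new int[Buckets];
        for (int i = 0; i + 2 < data.Length; i++)
            counts[(data[i] * 31 + data[i + 1] * 17 + data[i + 2]) % Buckets]++;

        int[] sorted = counts.OrderBy(c => c).ToArray();
        int q1 = sorted[Buckets / 4], q2 = sorted[Buckets / 2], q3 = sorted[3 * Buckets / 4];

        var digest = new byte[Buckets / 4];              // 2 bits per bucket, 16 bytes total
        for (int b = 0; b < Buckets; b++)
        {
            int code = counts[b] <= q1 ? 0 : counts[b] <= q2 ? 1 : counts[b] <= q3 ? 2 : 3;
            digest[b / 4] |= (byte)(code << (2 * (b % 4)));
        }
        return digest;
    }

    // Sum of per-bucket code differences: 0 for identical digests, 192 at most.
    public static int Distance(byte[] a, byte[] b)
    {
        int d = 0;
        for (int i = 0; i < a.Length; i++)
            for (int shift = 0; shift < 8; shift += 2)
                d += Math.Abs(((a[i] >> shift) & 3) - ((b[i] >> shift) & 3));
        return d;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed disassembly: one function linked at two addresses, plus a patched variant.
        string[] buildA  = { "push rbp", "mov rbp, rsp", "call 0x401000", "mov eax, 5", "pop rbp", "ret" };
        string[] buildB  = { "push rbp", "mov rbp, rsp", "call 0x7f0010", "mov eax, 5", "pop rbp", "ret" };
        string[] patched = { "push rbp", "mov rbp, rsp", "call 0x401000", "xor eax, eax", "pop rbp", "ret" };

        string a = InstructionHashFingerprint.Compute(buildA);
        Console.WriteLine($"relocated build matches: {a == InstructionHashFingerprint.Compute(buildB)}");
        Console.WriteLine($"patched build matches:   {a == InstructionHashFingerprint.Compute(patched)}");
        Console.WriteLine($"repeat is deterministic: {a == InstructionHashFingerprint.Compute(buildA)}");

        // Constructed blobs: a seeded base, a near-duplicate with a few byte edits, an unrelated blob.
        var baseBytes = new byte[4096]; new Random(1).NextBytes(baseBytes);
        var near = (byte[])baseBytes.Clone();
        for (int i = 0; i < near.Length; i += 512) near[i] ^= 0xff;
        var far = new byte[4096]; new Random(2).NextBytes(far);

        byte[] d0 = SimilarityDigest.Compute(baseBytes);
        Console.WriteLine($"near-duplicate distance: {SimilarityDigest.Distance(d0, SimilarityDigest.Compute(near))}");
        Console.WriteLine($"unrelated distance:      {SimilarityDigest.Distance(d0, SimilarityDigest.Compute(far))}");
    }
}
```

The instruction hash is the exact-match tool: the relocated build hashes identically to the original, the patched one does not, and repeating the computation reproduces the same hex string, which is the determinism property the test plan and the Run-002 "determinism path" call for. The similarity digest is the near-duplicate tool: a handful of byte edits moves only a few bucket codes, so its distance to the base stays far below that of an unrelated blob. A production fingerprinter would use a real TLSH implementation and a proper decoder; the point here is why the two strategies are kept separate.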

Verification

  • Verified: 2026-02-11
  • Method: Tier 0 source verification + Tier 1 build/test + Tier 2d integration replay
  • Build/Test: PASS
    • dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo
    • dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo
  • Tests: 102/102 passing
  • Tier 0 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier0-source-check.json
  • Tier 1 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier1-build-check.json
  • Tier 2 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier2-integration-check.json

Recheck (Run-002)

  • Rechecked: 2026-02-11
  • Method: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line harness replay
  • Build/Test: PASS
    • dotnet build src/Feedser/StellaOps.Feedser.Core/StellaOps.Feedser.Core.csproj -c Release --nologo
    • dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo
    • dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo
  • Tests: 107/107 passing (includes new KevSignalAttacher coverage)
  • Tier 2 Behavior:
    • Positive path: EPSS/KEV lookups return available signals for known CVEs.
    • Negative path: EPSS returns NotFound and KEV returns IsInKev=false for unknown CVEs.
    • Determinism path: repeated hunk/fingerprint extraction yields identical hashes and fingerprint values.
  • Tier 0 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier0-source-check.json
  • Tier 1 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier1-build-check.json
  • Tier 2 Evidence: docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier2-integration-check.json