51 lines
3.6 KiB
Markdown
51 lines
3.6 KiB
Markdown
# CVSS v4.0 Environmental Metrics Completion
|
|
|
|
## Module
|
|
Policy
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
Completes CVSS v4.0 scoring with all Modified Attack/Impact environmental metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA). Extends the existing MacroVector scoring engine with environment-specific risk adjustments. Includes receipt-based deterministic scoring and REST endpoints.
|
|
|
|
## Implementation Details
|
|
- **CvssV4Engine**: `src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs` -- `CvssV4Engine` (sealed partial class implements `ICvssV4Engine`)
|
|
- Sprint: SPRINT_1227_0013_0002_LB_cvss_v4_environmental
|
|
- `ComputeScores(baseMetrics, threatMetrics?, environmentalMetrics?)` computes all score variants:
|
|
- CVSS-B (base score only)
|
|
- CVSS-BT (base + threat, when ExploitMaturity != NotDefined)
|
|
- CVSS-BE (base + environmental, when modified metrics present)
|
|
- CVSS-BTE (full: base + threat + environmental)
|
|
- `DetermineEffectiveScore` selects the most specific score type available
|
|
- MacroVector-based scoring per FIRST CVSS v4.0 specification
|
|
- **CvssEnvironmentalMetrics**: Modified metrics covering all attack/impact dimensions:
|
|
- Modified Attack metrics: MAV (Attack Vector), MAC (Attack Complexity), MAT (Attack Requirements), MPR (Privileges Required), MUI (User Interaction)
|
|
- Modified Impact metrics: MVC (Confidentiality), MVI (Integrity), MVA (Availability), MSC (Subsequent Confidentiality), MSI (Subsequent Integrity), MSA (Subsequent Availability)
|
|
- All values default to NotDefined (inherit base metric values)
|
|
- **MacroVectorLookup**: `src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs` -- lookup table for macro vector scoring
|
|
- **CvssScores Model**: BaseScore, ThreatScore, EnvironmentalScore, FullScore, EffectiveScore, EffectiveScoreType
|
|
- **CvssScoreReceipt**: `src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs` -- deterministic receipt with input hashes and policy references
|
|
- **Receipts**: `src/Policy/StellaOps.Policy.Scoring/Receipts/` -- receipt persistence and generation
|
|
- **CVSS Receipt Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/CvssReceiptEndpoints.cs` -- REST API for scoring with receipts
|
|
- **CvssMetrics**: `src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs` -- metric definitions with CVSS v4.0 enums
|
|
- **CvssPolicy**: `src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs` -- policy-driven scoring thresholds
|
|
|
|
## E2E Test Plan
|
|
- [x] Score a CVSS v4.0 vector with base metrics only; verify CVSS-B score matches FIRST specification
|
|
- [x] Score with environmental metrics (MAV=Network modified to MAV=Local); verify CVSS-BE score is lower than CVSS-B
|
|
- [x] Score with both threat (ExploitMaturity=Attacked) and environmental metrics; verify CVSS-BTE full score computed
|
|
- [x] Score with threat metrics only (no environmental); verify CVSS-BT computed and CVSS-BE is null
|
|
- [x] POST to CVSS receipt endpoint; verify receipt contains input hash, scoring policy reference, and deterministic score
|
|
- [x] Score same vector twice; verify identical scores and matching receipt hashes
|
|
- [x] Score with all Modified metrics set to NotDefined; verify environmental score equals base score
|
|
- [x] Score with MSI=Safety; verify maximum environmental impact applied
|
|
- [x] Verify effective score type selection: CVSS-BTE preferred when all metrics present
|
|
- [x] Verify CvssEngineFactory returns CvssV4Engine for v4.0 vectors
|
|
|
|
## Verification
|
|
- **Run ID**: run-002
|
|
- **Date**: 2026-02-12
|
|
- **Tests**: 263 tests passed (0 failed) in StellaOps.Policy.Scoring.Tests including 19 deep environmental verification tests
|
|
- **Evidence**: `docs/qa/feature-checks/runs/policy/cvss-v4-0-environmental-metrics-completion/run-002/`
|