42 lines
3.0 KiB
Markdown
42 lines
3.0 KiB
Markdown
# Risk Budget Model (Service Tiers + Risk Points)
|
|
|
|
## Module
|
|
Policy
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.
|
|
|
|
## Implementation Details
|
|
- **RiskSimulationService**: `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs`
|
|
- Signal-based risk point computation: Boolean (0/1), Numeric (direct), Categorical (mapped weight)
|
|
- Severity mapping: Critical>=90, High>=70, Medium>=40, Low>=10
|
|
- Distribution calculation with 10 buckets, 6 percentiles (p25/p50/p75/p90/p95/p99)
|
|
- Aggregate metrics: total, mean, median, stddev, severity breakdown
|
|
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs`
|
|
- Two-factor risk score: Score = (Uncertainty * 50) + (ExploitPressure * 50)
|
|
- Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
|
|
- Containment reduction capped at 40% (Seccomp 10%, FsRO 10%, Isolated 15%, etc.)
|
|
- Decay buckets for time-based scoring adjustments
|
|
- **UnknownBudgetService** / **UnknownsBudgetEnforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/`
|
|
- Per-service budget constraints with Green/Yellow/Red/Exhausted thresholds
|
|
- Budget enforcement blocks releases when Exhausted
|
|
- **LedgerExportService**: `src/Policy/StellaOps.Policy.Engine/Ledger/LedgerExportService.cs` -- budget ledger persistence
|
|
- **BudgetEndpoints** / **RiskBudgetEndpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/` -- API for budget CRUD and evaluation
|
|
- **Scoring engines**: `src/Policy/StellaOps.Policy.Engine/Scoring/Engines/` -- SimpleScoringEngine, AdvancedScoringEngine, ProofAwareScoringEngine
|
|
- **ScoringProfileService**: `src/Policy/StellaOps.Policy.Engine/Scoring/ScoringProfileService.cs` -- configurable scoring profiles with weighted signals
|
|
|
|
## E2E Test Plan
|
|
- [ ] Compute risk points for finding with Critical severity (CVSS>=9.0, EPSS>=0.90); verify score >= 90
|
|
- [ ] Compute risk points for finding with Low severity (CVSS=3.0); verify score maps to Low range (10-39)
|
|
- [ ] Compute risk points with containment reduction (Seccomp + FsRO); verify 20% reduction applied
|
|
- [ ] Verify score monotonicity: higher CVSS/EPSS always produces higher or equal score
|
|
- [ ] Compute aggregate risk for 10 findings; verify distribution has 10 buckets, valid percentiles
|
|
- [ ] Verify severity breakdown: Critical count + High count + Medium count + Low count = total findings
|
|
- [ ] Create budget with tier-based limits; consume RP; verify threshold transitions (Green -> Yellow -> Red -> Exhausted)
|
|
- [ ] Verify budget capacity replenishment: resolve 5 findings; verify remaining capacity increases
|
|
- [ ] Verify ProofAwareScoringEngine includes proof references in scored output
|
|
- [ ] Verify scoring profile weights CVSS, EPSS, reachability contributions correctly
|