stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/features/checked/riskengine/cvss-kev-risk-signal-combination.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

125 lines
9.3 KiB
Markdown
Raw Blame History

# CVSS + KEV Risk Signal Combination
## Module
RiskEngine
## Status
VERIFIED
## Description
Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula: `clamp01((cvss/10) + kevBonus)` where `kevBonus = 0.2` if KEV-listed, `0` otherwise. Uses `Math.Round(..., 6, MidpointRounding.ToEven)` for determinism.
## Implementation Details
- **CVSS+KEV Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs` -- implements `IRiskScoreProvider`. Combines CVSS base scores with CISA KEV catalog data. KEV-listed vulnerabilities receive a +0.2 risk boost. Deterministic rounding.
- **Risk Score Provider Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs` -- `IRiskScoreProvider` interface (`Name`, `ScoreAsync`) and `IRiskScoreProviderRegistry` with in-memory dictionary implementation.
- **CVSS+KEV Sources Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs` -- `ICvssSource` (returns `double?` CVSS 0-10) and `IKevSource` (returns `bool?`). Includes null-object implementations.
- **VEX Gate Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs` -- implements `IRiskScoreProvider`. Short-circuits to `0d` when `HasDenial >= 1` signal present; otherwise returns max of remaining signals clamped to [0,1].
- **Fix Exposure Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs` -- weighted formula: `0.5 * FixAvailability + 0.3 * Criticality + 0.2 * Exposure`. Missing signals default to 0.
- **Fix Chain Risk Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs` (349 lines) -- implements both `IRiskScoreProvider` and `IFixChainRiskProvider`. Computes risk adjustment based on fix verification status and confidence. Configurable via `FixChainRiskOptions`.
- **Fix Chain Attestation Client**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs` (253 lines) -- HTTP-based client with `IMemoryCache` integration, positive/negative caching, JSON deserialization.
- **Fix Chain Metrics/Display**: `FixChainRiskMetrics.cs` (OpenTelemetry counters/histograms), `FixChainRiskDisplay.cs` (badge, tooltip, summary).
- **Default Transforms Provider**: `DefaultTransformsProvider.cs` -- signal clamping and averaging with deterministic ordering.
- **Score Request/Result**: `ScoreRequest.cs`, `RiskScoreResult.cs` -- request/response models.
- **Risk Score Worker/Queue**: `RiskScoreWorker.cs` (background worker), `RiskScoreQueue.cs` (Channel-based FIFO queue with bounded/unbounded options).
## E2E Test Plan
- [x] Submit a score request for a CVE with CVSS 7.5 listed in KEV and verify combined risk score is higher than CVSS alone
- [x] Submit same CVSS score without KEV and verify no KEV boost
- [x] VEX gate: submit KEV-listed CVE with VEX "not_affected" and verify VexGateProvider reduces score
- [x] Fix chain: submit CVE with verified fix attestation and verify FixChainRiskProvider reduces score
- [x] Determinism: compute same risk score multiple times and verify bit-for-bit identical results
- [x] Verify risk score worker processes queued requests and stores results
## Verification
- **Verified**: 2026-02-10
- **Method**: Tier 2a live API replay + Tier 2d regression verification
- **Build**: Core and Infrastructure projects build cleanly (0 errors, 0 warnings). Worker/WebService have deprecation notices but compile.
- **Tests**: RiskEngine suite re-run in Release with 94/94 passing, including added API/provider regression coverage (`Simulations_CvssKev_UsesInlineSignals`, provider-list exposure check, and inline-signal provider unit tests).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-002/tier2-api-check.json`
## Recheck (Run-003)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay via in-process WebApplicationFactory + full suite replay.
- **Tests**: PASS (`src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests`: 94/94).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-003/tier2-api-check.json`
- **Outcome**: CVSS+KEV provider exposure and inline-signal simulation behavior remain stable after subsequent module edits.
## Recheck (Run-004)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay via in-process WebApplicationFactory + full suite replay.
- **Tests**: PASS (`src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests`: 94/94).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-004/tier2-api-check.json`
- **Outcome**: CVSS+KEV provider exposure and inline-signal simulation behavior remain stable.
## Recheck (Run-005)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay validated via RiskEngine integration suite.
- **Tests**: PASS (`src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests`: 94/94).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-005/tier2-api-check.json`
- **Outcome**: CVSS/KEV risk signal combination behavior remains healthy.
## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-006/tier2-api-check.json
- **Outcome**: Checked RiskEngine behavior remains healthy in continued replay.
## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-007/tier2-api-check.json
- **Outcome**: Checked RiskEngine behavior remains healthy in continued replay.
## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-008/tier2-api-check.json
- **Outcome**: Checked RiskEngine behavior remains healthy in continued replay.
## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-009/tier2-api-check.json
- **Outcome**: Checked RiskEngine behavior remains healthy in continued replay.
## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-010/tier2-integration-check.json
- **Outcome**: Checked risk engine behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-011/tier2-integration-check.json
- **Outcome**: Checked risk engine behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-012/tier2-api-check.json
- **Outcome**: Checked risk engine behavior remains healthy in continued replay.
## Recheck (Run-013)
- **Verified**: 2026-02-10
- **Method**: Tier 2a live HTTPS API verification with fresh request/response capture.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-013/tier2-api-check.json
- **Captured Requests**: `/risk-scores/providers`; `/risk-scores/simulations` for KEV bonus (0.95), no-KEV baseline (0.75), and unknown provider error semantics.
- **Outcome**: CVSS+KEV checked behavior revalidated from live API transactions.
## Recheck (Run-014)
- **Verified**: 2026-02-11
- **Method**: Tier 2a live HTTPS API verification with fresh request/response capture.
- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-014/tier2-api-check.json
- **Captured Requests**: `/risk-scores/providers`; `/risk-scores/simulations` for KEV bonus (0.95), no-KEV baseline (0.75), and unknown provider error semantics.
- **Outcome**: CVSS+KEV checked behavior remains stable with fresh live API replay.
Reference in New Issue View Git Blame Copy Permalink