- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
# Unknowns Registry & Scoring Manifest

Compiled: 2025-12-01 (UTC)
Scope: Close UN1–UN10 gaps from `docs/product-advisories/31-Nov-2025 FINDINGS.md` for the Unknowns Registry.
Status: Draft; review 2025-12-04; DSSE signing required before adoption.
## Decisions (UN1–UN10)

- Canonical schema/enums (UN1): Unknown types: `vulnerability`, `asset`, `signal`, `evidence-gap`, `policy-gap`. Status enums: `new`, `triaging`, `under_review`, `validated`, `dismissed`. Severity: `critical`/`high`/`medium`/`low`/`none`.
- Deterministic scoring manifest (UN2): Manifest `unknowns_scoring_manifest.json` defines inputs, weights, and canonical serialization (JCS, sorted keys, UTC timestamps, fixed 3dp). Its hash is used as `scoringManifestHash` in the API and in DSSE envelopes.
- Decay policy catalog (UN3): Unknowns reuse `confidence_decay_config` but may override τ by type (see table). Overrides are stored in the manifest and DSSE-signed with it.
- Evidence/provenance capture (UN4): Each unknown must reference Evidence Locker URIs with DSSE envelopes; minimal evidence: `{source, observedAt, evidenceType, hash}`. Provenance includes tool identity and policy hash.
- SBOM/VEX linkage (UN5): Unknown links: `sbomDigest`, `vexDecisionId` (if present), `reachabilityGraphHash`. If the SBOM or VEX link is absent, status is forced to `under_review`.
- SLA / suppression rules (UN6): SLA timers mirror severity; suppression requires dual sign-off and a DSSE note with an expiry. Suppressed items emit `suppression_reason` and `expiresAt`.
- API/CLI contracts (UN7): New `/unknowns` endpoints support filtering by `status`, `type`, `confidence_band`, `uncertainty_score`, `suppressed`. The CLI mirrors these with `--format ndjson` and `--include-provenance` flags. Output is sorted deterministically by `createdAt`, then `id`.
- Observability/reporting (UN8): Metrics: `unknowns_total{type,status}`, `unknowns_suppressed_total`, `unknowns_without_sbom`, `unknowns_without_vex`, `unknowns_confidence_band`, `unknowns_manifest_hash_mismatch`. Alerts fire on a manifest hash mismatch, on >1% of unknowns missing SBOM/VEX, or on suppression expiry.
- Offline bundle inclusion (UN9): Include the latest manifest, schema, and NDJSON export in the offline kit; bundle hashes are recorded in the kit manifest and verified against the DSSE signatures.
- Migration/backfill (UN10): Backfill script `backfill_unknowns_v1` seeds `scoringManifestHash`, `sbomDigest`, and `vexDecisionId` from existing records; it produces `unknowns_backfill_report.ndjson` with before/after status/bands and a checksum.
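The following is an added example, not Stella Ops code, showing how the UN5, UN6, UN7 and UN8 rules above combine on a batch of records: forcing `under_review` when the SBOM or VEX link is missing, retiring an expired suppression, producing the deterministically sorted NDJSON export, and deriving the UN8 counters and threshold alerts. Field names follow the draft schema; the sample records, the `processBatch` function and its return shape are assumptions made for this example.

```javascript
// Added example (not Stella Ops code): applies the UN5/UN6/UN7/UN8 rules to a
// constructed batch of unknown records. Field names follow the draft schema; the
// sample records and the processBatch return shape are assumptions.
const REQUIRED = ['id', 'type', 'status', 'severity', 'createdAt', 'confidence', 'confidenceBand'];
// Schema property order, so every exported line carries fields in the same order.
const EXPORT_ORDER = [...REQUIRED, 'uncertaintyScore', 'tauDays', 'sbomDigest', 'vexDecisionId',
  'reachabilityGraphHash', 'scoringManifestHash', 'suppression', 'evidence', 'updatedAt'];

// UN5: without both an SBOM digest and a VEX decision the unknown is forced to
// under_review. UN6: a suppression must carry reason, expiry and signer; once the
// expiry has passed it no longer applies and an alert is raised.
function applyRules(record, nowIso) {
  for (const k of REQUIRED) {
    if (record[k] === undefined) throw new Error(`${record.id ?? '?'}: missing required field ${k}`);
  }
  const out = { ...record };
  const alerts = [];
  if (!out.sbomDigest || !out.vexDecisionId) out.status = 'under_review';
  const s = out.suppression;
  if (s && s.isSuppressed) {
    if (!s.reason || !s.expiresAt || !s.signedBy) {
      throw new Error(`${out.id}: suppression without reason/expiresAt/signedBy`);
    }
    if (Date.parse(s.expiresAt) <= Date.parse(nowIso)) {
      out.suppression = { ...s, isSuppressed: false };
      alerts.push(`${out.id}: suppression_expired`);
    }
  }
  return { record: out, alerts };
}

// UN7: deterministic export, one object per line, sorted by (createdAt, id).
// Plain string comparison is used on purpose: ISO-8601 UTC timestamps sort
// lexically, whereas localeCompare would depend on the host locale.
function byCreatedAtThenId(a, b) {
  if (a.createdAt !== b.createdAt) return a.createdAt < b.createdAt ? -1 : 1;
  if (a.id !== b.id) return a.id < b.id ? -1 : 1;
  return 0;
}
function exportNdjson(records) {
  return [...records].sort(byCreatedAtThenId).map(r => {
    const ordered = {};
    for (const k of EXPORT_ORDER) if (r[k] !== undefined) ordered[k] = r[k];
    return JSON.stringify(ordered);
  }).join('\n') + '\n';
}

// UN8: counters named as in the decision, plus the >1% missing-SBOM/VEX alerts.
function metricsFor(records) {
  const m = { unknowns_total: {}, unknowns_suppressed_total: 0, unknowns_without_sbom: 0, unknowns_without_vex: 0 };
  for (const r of records) {
    const series = `type="${r.type}",status="${r.status}"`;
    m.unknowns_total[series] = (m.unknowns_total[series] ?? 0) + 1;
    if (r.suppression?.isSuppressed) m.unknowns_suppressed_total += 1;
    if (!r.sbomDigest) m.unknowns_without_sbom += 1;
    if (!r.vexDecisionId) m.unknowns_without_vex += 1;
  }
  const alerts = [];
  const n = records.length || 1;
  if (m.unknowns_without_sbom / n > 0.01) alerts.push('unknowns_without_sbom above 1%');
  if (m.unknowns_without_vex / n > 0.01) alerts.push('unknowns_without_vex above 1%');
  return { metrics: m, alerts };
}

function processBatch(records, nowIso) {
  const applied = records.map(r => applyRules(r, nowIso));
  const processed = applied.map(a => a.record);
  const { metrics, alerts } = metricsFor(processed);
  return { records: processed, ndjson: exportNdjson(processed), metrics,
           alerts: [...applied.flatMap(a => a.alerts), ...alerts] };
}

// Constructed sample batch (not real data).
const NOW = '2025-12-01T12:00:00Z';
const SAMPLE = [
  { id: 'u-002', type: 'vulnerability', status: 'validated', severity: 'high', createdAt: '2025-12-01T10:00:00Z',
    confidence: 0.72, confidenceBand: 'high', sbomDigest: 'sha256:aaaa', vexDecisionId: 'vex-17',
    scoringManifestHash: 'sha256:ffff' },
  { id: 'u-001', type: 'evidence-gap', status: 'new', severity: 'medium', createdAt: '2025-12-01T10:00:00Z',
    confidence: 0.55, confidenceBand: 'medium', sbomDigest: 'sha256:bbbb' },            // no VEX decision
  { id: 'u-003', type: 'signal', status: 'triaging', severity: 'low', createdAt: '2025-11-30T09:00:00Z',
    confidence: 0.4, confidenceBand: 'low', sbomDigest: 'sha256:cccc', vexDecisionId: 'vex-18',
    suppression: { isSuppressed: true, reason: 'duplicate of u-002', expiresAt: '2025-11-20T00:00:00Z',
                   signedBy: 'secops-lead,platform-lead' } },                         // expiry already passed
];

const result = processBatch(SAMPLE, NOW);
process.stdout.write(result.ndjson);
console.log(JSON.stringify({ metrics: result.metrics, alerts: result.alerts }, null, 2));
```

Run with `node` on the constructed batch: `u-001` leaves the export as `under_review`, `u-003` comes out with its suppression cleared and a `suppression_expired` alert, and the export order is `u-003`, `u-001`, `u-002` regardless of input order. Dual sign-off (UN6) is carried here only as a comma-separated `signedBy` string, because the draft schema has a single string field for it.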
## Schema (draft)

```json
{
  "$id": "https://stella-ops.org/schemas/unknown.json",
  "type": "object",
  "required": ["id", "type", "status", "severity", "createdAt", "confidence", "confidenceBand"],
  "properties": {
    "id": {"type": "string"},
    "type": {"enum": ["vulnerability", "asset", "signal", "evidence-gap", "policy-gap"]},
    "status": {"enum": ["new", "triaging", "under_review", "validated", "dismissed"]},
    "severity": {"enum": ["critical", "high", "medium", "low", "none"]},
    "confidence": {"type": "number"},
    "confidenceBand": {"enum": ["critical", "high", "medium", "low", "under_review"]},
    "uncertaintyScore": {"type": "number", "minimum": 0, "maximum": 1},
    "tauDays": {"type": "integer"},
    "sbomDigest": {"type": "string"},
    "vexDecisionId": {"type": "string"},
    "reachabilityGraphHash": {"type": "string"},
    "scoringManifestHash": {"type": "string"},
    "suppression": {
      "type": "object",
      "properties": {
        "isSuppressed": {"type": "boolean"},
        "reason": {"type": "string"},
        "expiresAt": {"type": "string", "format": "date-time"},
        "signedBy": {"type": "string"}
      }
    },
    "evidence": {"type": "array", "items": {"$ref": "#/definitions/evidenceRef"}},
    "createdAt": {"type": "string", "format": "date-time"},
    "updatedAt": {"type": "string", "format": "date-time"}
  },
  "definitions": {
    "evidenceRef": {
      "type": "object",
      "required": ["uri", "hash", "observedAt", "evidenceType"],
      "properties": {
        "uri": {"type": "string"},
        "hash": {"type": "string"},
        "observedAt": {"type": "string", "format": "date-time"},
        "evidenceType": {"type": "string"},
        "provenance": {"type": "string"}
      }
    }
  }
}
```
## Scoring Manifest (summary)

- Inputs: severity weight, decay factor (τ), uncertainty cap, SLA floor, suppression flag, weighted signals timestamp.
- Formula (deterministic), with Δt the age of the weighted signals in days and τ in days (`tauDays`):
  `confidence = min(exp(-Δt/τ) * weight_signal, 1 - uncertainty)`; while an SLA is active, `confidence = max(sla_floor, confidence)`.
- Canonicalization: JSON Canonicalization Scheme (JCS); decimals fixed to 3dp; UTC ISO-8601 timestamps.
- Hash: SHA256 over the canonical manifest; published as `scoringManifestHash` and signed via DSSE as `stella.ops/unknownsScoringManifest@v1`.
## Offline & Evidence

- Bundle the schema, manifest, and latest NDJSON export with `SHA256SUMS` and a DSSE envelope for each artifact.
- Evidence Locker class: `signals-unknowns-manifest` (30d retention minimum).
## Migration Checklist (UN10)

- Generate `unknowns_scoring_manifest.json` and sign it (DSSE).
- Run `backfill_unknowns_v1 --manifest <hash>`; produce the report and checksums.
- Update API/CLI serializers to include the new fields and canonical ordering.
- Enable observability dashboards and alerts; verify thresholds.
## Review Questions (12-04)

- Confirm the suppression expiry default (proposal: 30 days).
- Validate the `under_review` trigger when SBOM/VEX is missing: keep it, or allow a grace period?
- Align SLA floors with the decay config (Critical 0.60, High 0.50).