3.0 KiB
3.0 KiB
Risk Budget Model (Service Tiers + Risk Points)
Module
Policy
Status
IMPLEMENTED
Description
Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.
Implementation Details
- RiskSimulationService:
src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs- Signal-based risk point computation: Boolean (0/1), Numeric (direct), Categorical (mapped weight)
- Severity mapping: Critical>=90, High>=70, Medium>=40, Low>=10
- Distribution calculation with 10 buckets, 6 percentiles (p25/p50/p75/p90/p95/p99)
- Aggregate metrics: total, mean, median, stddev, severity breakdown
- UnknownRanker:
src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs- Two-factor risk score: Score = (Uncertainty * 50) + (ExploitPressure * 50)
- Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
- Containment reduction capped at 40% (Seccomp 10%, FsRO 10%, Isolated 15%, etc.)
- Decay buckets for time-based scoring adjustments
- UnknownBudgetService / UnknownsBudgetEnforcer:
src/Policy/__Libraries/StellaOps.Policy.Unknowns/- Per-service budget constraints with Green/Yellow/Red/Exhausted thresholds
- Budget enforcement blocks releases when Exhausted
- LedgerExportService:
src/Policy/StellaOps.Policy.Engine/Ledger/LedgerExportService.cs-- budget ledger persistence - BudgetEndpoints / RiskBudgetEndpoints:
src/Policy/StellaOps.Policy.Engine/Endpoints/-- API for budget CRUD and evaluation - Scoring engines:
src/Policy/StellaOps.Policy.Engine/Scoring/Engines/-- SimpleScoringEngine, AdvancedScoringEngine, ProofAwareScoringEngine - ScoringProfileService:
src/Policy/StellaOps.Policy.Engine/Scoring/ScoringProfileService.cs-- configurable scoring profiles with weighted signals
E2E Test Plan
- Compute risk points for finding with Critical severity (CVSS>=9.0, EPSS>=0.90); verify score >= 90
- Compute risk points for finding with Low severity (CVSS=3.0); verify score maps to Low range (10-39)
- Compute risk points with containment reduction (Seccomp + FsRO); verify 20% reduction applied
- Verify score monotonicity: higher CVSS/EPSS always produces higher or equal score
- Compute aggregate risk for 10 findings; verify distribution has 10 buckets, valid percentiles
- Verify severity breakdown: Critical count + High count + Medium count + Low count = total findings
- Create budget with tier-based limits; consume RP; verify threshold transitions (Green -> Yellow -> Red -> Exhausted)
- Verify budget capacity replenishment: resolve 5 findings; verify remaining capacity increases
- Verify ProofAwareScoringEngine includes proof references in scored output
- Verify scoring profile weights CVSS, EPSS, reachability contributions correctly