Explore Help

Register Sign In

stella-ops.org/git.stella-ops.org

1

0

You've already forked git.stella-ops.org

Code Issues Pull Requests Actions 2 Releases Wiki Activity

Files

b565e559423cd02f65329e77f65e38ed9a02c978

git.stella-ops.org/docs/features/checked/policy/unknowns-ranking-algorithm.md

master e9aeadc040 save checkpoint

2026-02-14 09:11:48 +02:00

2.6 KiB

Raw Blame History

Unknowns Ranking Algorithm (HOT/WARM/COLD bands)

Module

Policy

Status

IMPLEMENTED

Description

Unknown ranker with weighted scoring (popularity, exploit potential, uncertainty density, centrality, staleness), HOT/WARM/COLD band assignment, and BlastRadius model. Database migration for blast radius/containment exists.

Implementation Details

UnknownRanker: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs (sealed class)
- Two-factor scoring: Score = (Uncertainty * 50) + (ExploitPressure * 50)
- Uncertainty factors (sum capped at 1.0):
  - Missing VEX: +0.40
  - Missing reachability: +0.30
  - Conflicting signals: +0.20
  - Stale evidence: +0.10
- Exploit pressure factors (sum capped at 1.0):
  - KEV flagged: +0.50
  - EPSS >= 0.90: +0.30
  - EPSS >= 0.50: +0.15
  - CVSS >= 9.0: +0.05
- Containment reduction (capped at 40%):
  - Isolated: 15%, NotNetFacing: 5%, NonRoot: 5%, Seccomp: 10%, FsRO: 10%, NetworkIsolated: 5%
- Time decay: 7d=100%, 30d=90%, 90d=75%, 180d=60%, 365d=40%, >365d=20%
- Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
- Reason codes: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown
BlastRadius model: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs
- Dependents (int), NetFacing (bool), Privilege (string?)
UnknownRankerOptions: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRankerOptions.cs -- configurable weights and thresholds
UnknownRankInput: includes EpssScore, CvssScore, IsKev, ContainmentSignals, LastEvaluatedAt, ReasonCodes

E2E Test Plan

Rank unknown with missing VEX + KEV flagged; verify score = (0.4050) + (0.5050) = 45; band=Warm
Rank unknown with missing VEX + missing reachability + KEV + EPSS=0.95; verify score = (0.7050) + (0.8050) = 75; band=Hot
Rank unknown with no uncertainty + no exploit pressure; verify score=0; band=Negligible
Rank unknown with Isolated containment; verify 15% reduction from raw score
Rank unknown with all containment signals; verify exactly 40% reduction (cap)
Rank unknown last evaluated 90 days ago; verify decay factor=0.75 applied
Rank unknown last evaluated 365 days ago; verify decay factor=0.40 applied
Verify band assignment: score 80 -> Hot, score 55 -> Warm, score 30 -> Cold, score 10 -> Negligible
Verify reason codes: unknown with VexConflict produces reason=VexConflict
Verify deterministic ranking: same inputs always produce same score and band

Powered by Gitea Version: 1.24.5 Page: 242ms Template: 1ms

English

Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語简体中文繁體中文（台灣）繁體中文（香港） 한국어

Licenses API