bc4318ef97
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
1.1 KiB
1.1 KiB
Risk factors
Purpose
- Define factor catalog and normalization rules for risk scoring.
Factor catalog (examples)
- CVSS or exploit likelihood: numeric 0-10 normalized to 0-1.
- KEV flag: boolean boost with provenance.
- Reachability: numeric with entrypoint and path provenance.
- Runtime facts: categorical or numeric with trace references.
- Fix availability: vendor status and mitigation context.
- Asset criticality: tenant or service criticality signals.
- Provenance trust: categorical trust tier with attestation hash.
- Custom overrides: scoped, expiring, and auditable.
Normalization rules
- Validate against profile signal types and transforms.
- Clamp numeric inputs to 0-1 and record original values in provenance.
- Apply TTL or decay deterministically; drop expired signals.
- Precedence: signed over unsigned, runtime over static, newer over older.
Determinism and ordering
- Sort factors by factor type, source, then timestamp.
- Hash fixtures and record SHA256 in docs/risk/samples/factors/.
Related references
- risk/overview.md
- risk/formulas.md
- risk/profiles.md