- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
30 lines
1.1 KiB
Markdown
# Risk factors

## Purpose

- Define the factor catalog and the normalization rules used for risk scoring.

## Factor catalog (examples)

- CVSS or exploit likelihood: numeric 0-10, normalized to 0-1.
- KEV flag: boolean boost with provenance.
- Reachability: numeric, with entrypoint and path provenance.
- Runtime facts: categorical or numeric, with trace references.
- Fix availability: vendor status and mitigation context.
- Asset criticality: tenant or service criticality signals.
- Provenance trust: categorical trust tier with attestation hash.
- Custom overrides: scoped, expiring, and auditable.

## Normalization rules

- Validate each factor against the profile's signal types and transforms.
- Clamp numeric inputs to 0-1 and record the original values in provenance.
- Apply TTL or decay deterministically; drop expired signals.
- Precedence: signed over unsigned, runtime over static, newer over older.

## Determinism and ordering

- Sort factors by factor type, then source, then timestamp.
- Hash fixtures and record their SHA-256 digests in docs/risk/samples/factors/.
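The normalization and ordering rules above, carried through end to end on a handful of constructed factors. This is an added illustrative model, not StellaOps code: the `PROFILE` table, the factor field names (`type`, `source`, `timestamp`, `value`, `signed`, `origin`, `ttl_seconds`) and the sample values are all assumptions made for the example. It validates types against a profile, transforms and clamps to 0-1 while keeping the original value in provenance, drops expired signals against a fixed reference time, resolves precedence (signed, then runtime, then newest), sorts by type, source and timestamp, and hashes the canonical JSON with SHA-256 so two runs over the same input, in any input order, yield the same digest.

```python
import hashlib
import json
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Hypothetical profile: allowed signal types and their 0-1 transforms.
# Assumption for this example; the real profile schema lives in risk/profiles.md.
PROFILE = {
    "cvss": lambda v: float(v) / 10.0,   # 0-10 scale -> 0-1
    "kev": lambda v: 1.0 if v else 0.0,  # boolean boost -> 0 or 1
    "reachability": float,               # expected already in 0-1
    "asset_criticality": float,
}

# Constructed sample factors (not fixtures from docs/risk/samples/factors/).
NOW = "2025-01-12T00:00:00Z"
SAMPLE_FACTORS: List[Dict[str, Any]] = [
    {"type": "cvss", "source": "nvd", "timestamp": "2025-01-10T00:00:00Z",
     "value": 9.8, "signed": False, "origin": "static"},
    {"type": "cvss", "source": "vendor", "timestamp": "2025-01-05T00:00:00Z",
     "value": 7.5, "signed": True, "origin": "static"},
    {"type": "reachability", "source": "scanner", "timestamp": "2025-01-09T00:00:00Z",
     "value": 1.4, "signed": True, "origin": "static"},        # out of range -> clamped
    {"type": "reachability", "source": "runtime-trace", "timestamp": "2025-01-08T00:00:00Z",
     "value": 0.6, "signed": True, "origin": "runtime"},
    {"type": "kev", "source": "cisa", "timestamp": "2025-01-01T00:00:00Z",
     "value": True, "signed": True, "origin": "static", "ttl_seconds": 86400},  # expired
    {"type": "asset_criticality", "source": "cmdb", "timestamp": "2025-01-02T00:00:00Z",
     "value": 0.9, "signed": False, "origin": "static"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_factor(factor: Dict[str, Any]) -> Dict[str, Any]:
    """Validate the type against the profile, transform, clamp to 0-1,
    and record the original value and whether clamping happened."""
    ftype = factor["type"]
    if ftype not in PROFILE:
        raise ValueError(f"unknown signal type: {ftype}")
    raw = PROFILE[ftype](factor["value"])
    clamped = min(1.0, max(0.0, raw))
    out = dict(factor)
    out["value"] = clamped
    out["provenance"] = {
        "original_value": factor["value"],
        "transform": ftype,
        "clamped": clamped != raw,
    }
    return out


def is_expired(factor: Dict[str, Any], now: datetime) -> bool:
    """TTL is applied against a caller-supplied reference time, never wall clock."""
    ttl = factor.get("ttl_seconds")
    if ttl is None:
        return False
    return parse_ts(factor["timestamp"]) + timedelta(seconds=ttl) <= now


def sort_factors(factors: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Canonical order: factor type, then source, then timestamp."""
    return sorted(factors, key=lambda f: (f["type"], f["source"], f["timestamp"]))


def resolve_precedence(factors: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One winner per type: signed over unsigned, runtime over static, newer over
    older. On a full tie the first in canonical order is kept, so callers must
    pass factors already sorted for the result to be deterministic."""
    best: Dict[str, Tuple[tuple, Dict[str, Any]]] = {}
    for f in factors:
        rank = (bool(f.get("signed")), f.get("origin") == "runtime", parse_ts(f["timestamp"]))
        cur = best.get(f["type"])
        if cur is None or rank > cur[0]:
            best[f["type"]] = (rank, f)
    return [f for _, f in best.values()]


def canonical_digest(factors: List[Dict[str, Any]]) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    payload = json.dumps(factors, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def process(factors: List[Dict[str, Any]], now_iso: str) -> Tuple[List[Dict[str, Any]], str]:
    """Normalize, expire, order, resolve precedence, re-order, and hash."""
    now = parse_ts(now_iso)
    normalized = [normalize_factor(f) for f in factors]
    live = [f for f in normalized if not is_expired(f, now)]
    winners = resolve_precedence(sort_factors(live))
    result = sort_factors(winners)
    return result, canonical_digest(result)


if __name__ == "__main__":
    resolved, digest = process(SAMPLE_FACTORS, NOW)
    for f in resolved:
        print(f["type"], f["source"], f["value"], f["provenance"])
    print("sha256:", digest)
```

The reference time is an explicit argument rather than `datetime.now()`, which is what makes the TTL rule reproducible in tests; the final sort after precedence resolution is what makes the digest independent of the order in which sources delivered their factors.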
## Related references

- risk/overview.md
- risk/formulas.md
- risk/profiles.md