- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
Risk formulas
Purpose
- Define how normalized factors combine into a risk score and severity.
Formula building blocks
- Weighted sum with per-factor caps and family caps.
- Normalize raw score to 0-1 and apply gates.
- VEX gate: not_affected can short-circuit to 0.0.
- CVSS + KEV boost: clamp01((cvss/10) + kev_bonus).
- Trust gates: fail or down-weight low-trust provenance.
- Decay: apply time-based decay to stale signals.
- Overrides: tenant or asset overrides with expiry and audit.
Severity mapping
- Map normalized_score to critical, high, medium, low, informational.
- Store band rationale in explainability output.
Determinism
- Stable factor ordering before aggregation.
- Fixed precision (example: 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 in docs/risk/samples/formulas/.
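The building blocks, severity mapping and determinism rules above, worked through in a small Python model. This is an added example, not StellaOps code; the weights, caps, band thresholds, trust floor and decay half-life are constructed placeholders for values a risk profile would supply.

```python
# Constructed profile values (assumption: real ones come from risk/profiles.md).
WEIGHT = {"cvss": 1.0, "kev": 0.5, "reachability": 0.8, "exposure": 0.6}
FAMILY = {"cvss": "severity", "kev": "severity", "reachability": "context", "exposure": "context"}
FACTOR_CAP = 1.0                       # per-factor contribution cap
FAMILY_CAP = {"severity": 1.2, "context": 1.0}
MAX_RAW = sum(FAMILY_CAP.values())     # raw score can never exceed the sum of family caps
BANDS = [(0.9, "critical"), (0.7, "high"), (0.4, "medium"), (0.1, "low"), (0.0, "informational")]
MIN_TRUST = 0.2                        # below this the trust gate fails outright (constructed)
HALF_LIFE_DAYS = 30.0                  # decay half-life for stale signals (constructed)


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def cvss_kev_boost(cvss: float, kev_listed: bool, kev_bonus: float = 0.2) -> float:
    """The CVSS + KEV boost from the building blocks: clamp01((cvss/10) + kev_bonus)."""
    return clamp01(cvss / 10.0 + (kev_bonus if kev_listed else 0.0))


def severity(normalized: float) -> str:
    """Map a 0-1 score to its band; BANDS is ordered from highest floor to lowest."""
    return next(band for floor, band in BANDS if normalized >= floor)


def risk_score(factors, vex_status=None, trust=1.0, age_days=0.0):
    """factors: {name: value in 0..1}. Returns (score rounded to 4 dp, band, rationale lines)."""
    why = []
    if vex_status == "not_affected":                      # VEX gate short-circuits to 0.0
        why.append("vex gate: not_affected -> 0.0")
        return 0.0, severity(0.0), why
    if trust < MIN_TRUST:                                 # trust gate: fail low-trust provenance
        why.append(f"trust gate failed: trust={trust} < {MIN_TRUST}")
        return 0.0, severity(0.0), why
    per_family = {}
    for name, value in sorted(factors.items()):          # stable factor ordering before aggregation
        contrib = min(WEIGHT[name] * clamp01(value), FACTOR_CAP)
        per_family[FAMILY[name]] = per_family.get(FAMILY[name], 0.0) + contrib
        why.append(f"{name}: {contrib:.4f}")
    raw = sum(min(total, FAMILY_CAP[fam]) for fam, total in sorted(per_family.items()))
    normalized = clamp01(raw / MAX_RAW)                   # normalize raw score to 0-1
    normalized *= trust                                   # trust gate: down-weight
    normalized *= 0.5 ** (age_days / HALF_LIFE_DAYS)      # time-based decay of stale signals
    normalized = round(normalized, 4)                     # fixed precision before severity mapping
    band = severity(normalized)
    why.append(f"raw={raw:.4f} normalized={normalized} band={band}")
    return normalized, band, why
```

Because factors are sorted and rounded before banding, two callers passing the same factor values in different dictionary order get byte-identical scores and rationale, which is what the fixture hashes in docs/risk/samples/formulas/ pin down.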
Related references
- risk/overview.md
- risk/factors.md
- risk/profiles.md
- risk/explainability.md