- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
29 lines
920 B
Markdown
# Risk formulas

## Purpose

- Define how normalized factors combine into a risk score and severity.

## Formula building blocks

- Weighted sum with per-factor caps and family caps.
- Normalize the raw score to the 0-1 range and apply gates.
- VEX gate: a `not_affected` statement can short-circuit the score to 0.0.
- CVSS + KEV boost: `clamp01((cvss/10) + kev_bonus)`, where `clamp01` clamps the result to [0, 1].
- Trust gates: fail, or down-weight, factors with low-trust provenance.
- Decay: apply time-based decay to stale signals.
- Overrides: tenant or asset overrides with an expiry and an audit record.

## Severity mapping

- Map `normalized_score` to critical, high, medium, low, or informational.
- Store the band rationale in the explainability output.

## Determinism

- Stable factor ordering before aggregation, so that summation order cannot change the result.
- Fixed precision (example: 4 decimals) before severity mapping, so that a band boundary is not decided by floating-point noise.
- Hash fixtures and record the SHA256 in docs/risk/samples/formulas/.
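
The building blocks and determinism rules above, worked end to end as an added example in Python. This is illustrative code, not StellaOps code: the weights, caps, band thresholds, the 90-day half-life and exponential decay shape, the KEV bonus of 0.2, the low-trust multiplier of 0.5, normalization by the maximum attainable capped score, and the shape of the explainability record are all assumptions chosen for the example. The factor list and overrides are constructed sample input, not real findings.

```python
"""Illustrative risk pipeline (added example, not StellaOps code): weighted
sum with per-factor and family caps -> normalize to [0, 1] -> gates (VEX,
trust, decay, override) -> fixed precision -> severity band, plus a SHA-256
fingerprint of the explainability record to check determinism.
All weights, caps, thresholds, half-life and bonus values are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PRECISION = 4  # fixed precision applied before severity mapping
# Assumed band floors, checked from highest to lowest.
BANDS = [(0.9, "critical"), (0.7, "high"), (0.4, "medium"),
         (0.1, "low"), (0.0, "informational")]
FAMILY_CAPS = {"exploitability": 0.6, "exposure": 0.5, "provenance": 0.3}  # assumed


def clamp01(x: float) -> float:
    """Clamp to the closed range [0, 1]."""
    return max(0.0, min(1.0, x))


@dataclass(frozen=True)
class Factor:
    name: str
    family: str
    value: float          # normalized raw signal in [0, 1]
    weight: float
    cap: float            # per-factor cap on weight * value
    observed: datetime    # when the signal was last seen (drives decay)
    trust: str = "high"   # provenance trust: "high" or "low"


def cvss_kev_factor(cvss: float, kev: bool, observed: datetime,
                    kev_bonus: float = 0.2) -> Factor:
    """CVSS + KEV boost block: clamp01((cvss / 10) + kev_bonus)."""
    boosted = clamp01(cvss / 10 + (kev_bonus if kev else 0.0))
    return Factor("cvss_kev", "exploitability", boosted, 0.6, 0.6, observed)


def decay(value: float, observed: datetime, now: datetime,
          half_life: timedelta) -> float:
    """Exponential time-based decay of a stale signal (assumed shape)."""
    age = max((now - observed).total_seconds(), 0.0)
    return value * 0.5 ** (age / half_life.total_seconds())


def severity_band(rounded: float):
    """Map a fixed-precision score to a band and return the band rationale."""
    for floor, band in BANDS:
        if rounded >= floor:
            return band, f"normalized_score {rounded:.4f} >= {band} floor {floor}"
    return "informational", "below all band floors"


def score(factors, now, vex_status=None, override=None,
          half_life=timedelta(days=90), low_trust_weight=0.5) -> dict:
    """Return the explainability record for one finding."""
    trace = {"factors": [], "gates": []}
    normalized = 0.0
    if vex_status == "not_affected":  # VEX gate short-circuits to 0.0
        trace["gates"].append("vex:not_affected short-circuits to 0.0")
    else:
        raw, family_used, family_cap_sum = 0.0, {}, {}
        for f in sorted(factors, key=lambda x: x.name):  # stable ordering
            v = decay(f.value, f.observed, now, half_life)
            if f.trust == "low":  # trust gate: down-weight rather than fail
                v *= low_trust_weight
                trace["gates"].append(f"trust:{f.name} down-weighted x{low_trust_weight}")
            contrib = min(f.weight * v, f.cap)  # per-factor cap
            room = FAMILY_CAPS[f.family] - family_used.get(f.family, 0.0)
            contrib = max(0.0, min(contrib, room))  # family cap
            family_used[f.family] = family_used.get(f.family, 0.0) + contrib
            family_cap_sum[f.family] = family_cap_sum.get(f.family, 0.0) + f.cap
            raw += contrib
            trace["factors"].append({"name": f.name, "contribution": round(contrib, PRECISION)})
        # Normalize by the maximum raw score attainable under both kinds of cap.
        max_raw = sum(min(s, FAMILY_CAPS[fam]) for fam, s in family_cap_sum.items())
        normalized = clamp01(raw / max_raw) if max_raw else 0.0
    if override is not None:  # tenant/asset override with expiry and audit
        if now < override["expires"]:
            normalized = clamp01(override["score"])
            trace["override"] = {k: str(v) for k, v in override.items()}
        else:
            trace["gates"].append(f"override:{override['scope']} expired, ignored")
    rounded = round(normalized, PRECISION)  # fixed precision before banding
    band, rationale = severity_band(rounded)
    return {"normalized_score": rounded, "severity": band,
            "rationale": rationale, "trace": trace}


def fingerprint(record: dict) -> str:
    """SHA-256 over canonical JSON; identical inputs must give identical digests."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample input (not real findings).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    cvss_kev_factor(7.5, True, NOW),                                   # 0.95 -> 0.57
    Factor("epss", "exploitability", 0.9, 0.3, 0.3, NOW),             # family cap leaves 0.03
    Factor("internet_exposed", "exposure", 1.0, 0.5, 0.5, NOW - timedelta(days=180)),  # decays to 0.25
    Factor("sbom_attested", "provenance", 1.0, 0.3, 0.3, NOW, trust="low"),            # 0.15
]
ACTIVE_OVERRIDE = {"scope": "asset", "score": 0.95, "expires": NOW + timedelta(days=1),
                   "reason": "confirmed reachable in pen test"}
EXPIRED_OVERRIDE = dict(ACTIVE_OVERRIDE, expires=NOW - timedelta(days=1))

if __name__ == "__main__":
    rec = score(SAMPLE, NOW)
    print(json.dumps(rec, indent=2), fingerprint(rec))
```

Running it with the factor list reversed produces the same fingerprint, which is the property a hashed fixture pins down. Note that the family cap is consumed in sorted-name order, so the ordering rule is itself part of the formula and must be fixed in the fixture, not left to whatever order factors arrive in.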

## Related references

- risk/overview.md
- risk/factors.md
- risk/profiles.md
- risk/explainability.md