- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
Risk overview
Purpose
- Explain risk scoring concepts, lifecycle, and artifacts.
- Preserve deterministic, provenance-backed outputs.
Core concepts
- Signals become evidence after validation and normalization.
- Profiles define weights, thresholds, overrides, and severity mapping.
- Formulas aggregate normalized factors into a 0-1 score.
- Provenance carries source hashes and attestation references.
Lifecycle
- Submit a risk job with tenant, context, profile, and findings.
- Ingest evidence from scanners, reachability, VEX, runtime signals, and KEV.
- Normalize and dedupe by provenance hash.
- Evaluate profile rules, gates, and overrides.
- Assign severity band and emit explainability output.
- Export bundles with profile hash and evidence references.
Artifacts
- Profile schema: id, version, signals, weights, overrides, metadata, provenance.
- Job and result fields: job_id, profile_hash, normalized_score, severity.
- Explainability envelope: signal_values, signal_contributions, gates_triggered.
Determinism and offline posture
- Stable ordering for factors and contributions.
- Fixed precision math with UTC timestamps only.
- Fixtures and hashes live under docs/risk/samples/.
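The lifecycle steps, the explainability envelope fields and the determinism rules above, worked through as an added Python example; this is not StellaOps code, and the profile, evidence, weights, gate rule and the "strongest evidence per signal wins" merge are constructed assumptions:

```python
import hashlib
import json
from decimal import Decimal, ROUND_HALF_EVEN

PRECISION = Decimal("0.0001")  # every arithmetic step is rounded to this fixed precision
BAND_ORDER = ["low", "medium", "high", "critical"]
# Constructed profile (hypothetical, not a StellaOps profile); weights sum to 1 so the score stays in [0, 1].
PROFILE = {
    "id": "demo-profile", "version": "1",
    "signals": {"cvss": "0.5", "reachability": "0.3", "kev": "0.2"},
    "gates": {"kev_present": {"signal": "kev", "at_least": "1", "floor": "high"}},
    "bands": [["critical", "0.8"], ["high", "0.6"], ["medium", "0.3"], ["low", "0"]],
}
# Constructed evidence, already normalized to [0, 1]; the last item duplicates the first.
EVIDENCE = [
    {"signal": "cvss", "value": "0.5", "source": "scanner"},
    {"signal": "kev", "value": "1", "source": "kev-feed"},
    {"signal": "reachability", "value": "0.2", "source": "callgraph"},
    {"signal": "cvss", "value": "0.5", "source": "scanner"},
]

def canonical(obj):  # sorted keys, no whitespace: hashes must not depend on dict order
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def sha256_hex(obj):
    return hashlib.sha256(canonical(obj).encode("utf-8")).hexdigest()

def normalize(evidence):  # content hash as provenance, dedupe on it, return in stable order
    by_hash = {}
    for item in evidence:
        h = sha256_hex({"signal": item["signal"], "value": item["value"], "source": item["source"]})
        by_hash.setdefault(h, dict(item, provenance_hash=h))
    return sorted(by_hash.values(), key=lambda e: (e["signal"], e["provenance_hash"]))

def evaluate(profile, evidence):  # weighted aggregation into a 0-1 score plus the explainability envelope
    items, values = normalize(evidence), {}
    for e in items:  # assumption: the strongest evidence for a signal wins
        values[e["signal"]] = max(values.get(e["signal"], Decimal(0)), Decimal(e["value"]))
    contributions, score = {}, Decimal(0)
    for name in sorted(profile["signals"]):  # stable factor order
        c = (Decimal(profile["signals"][name]) * values.get(name, Decimal(0))).quantize(PRECISION, ROUND_HALF_EVEN)
        contributions[name], score = c, score + c
    severity = next(band for band, floor in profile["bands"] if score >= Decimal(floor))
    gates = sorted(g for g, r in profile["gates"].items() if values.get(r["signal"], Decimal(0)) >= Decimal(r["at_least"]))
    for g in gates:  # a triggered gate can only raise the band, never lower it
        if BAND_ORDER.index(profile["gates"][g]["floor"]) > BAND_ORDER.index(severity):
            severity = profile["gates"][g]["floor"]
    return {"profile_hash": sha256_hex(profile), "normalized_score": str(score), "severity": severity,
            "signal_values": {k: str(v) for k, v in sorted(values.items())},
            "signal_contributions": {k: str(v) for k, v in contributions.items()},
            "gates_triggered": gates, "evidence_refs": [e["provenance_hash"] for e in items]}
```

Feeding the same evidence in a different order yields a byte-identical `canonical(evaluate(...))` envelope, which is the property a determinism fixture under `docs/risk/samples/` would pin by hash.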
Related references
- risk/factors.md
- risk/formulas.md
- risk/profiles.md
- risk/explainability.md
- risk/api.md