stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/risk/overview.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

37 lines
1.3 KiB
Markdown
Raw Blame History

# Risk overview
Purpose
- Explain risk scoring concepts, lifecycle, and artifacts.
- Preserve deterministic, provenance-backed outputs.
Core concepts
- Signals become evidence after validation and normalization.
- Profiles define weights, thresholds, overrides, and severity mapping.
- Formulas aggregate normalized factors into a 0-1 score.
- Provenance carries source hashes and attestation references.
Lifecycle
1. Submit a risk job with tenant, context, profile, and findings.
2. Ingest evidence from scanners, reachability, VEX, runtime signals, and KEV.
3. Normalize and dedupe by provenance hash.
4. Evaluate profile rules, gates, and overrides.
5. Assign severity band and emit explainability output.
6. Export bundles with profile hash and evidence references.
Artifacts
- Profile schema: id, version, signals, weights, overrides, metadata, provenance.
- Job and result fields: job_id, profile_hash, normalized_score, severity.
- Explainability envelope: signal_values, signal_contributions, gates_triggered.
Determinism and offline posture
- Stable ordering for factors and contributions.
- Fixed precision math with UTC timestamps only.
- Fixtures and hashes live under docs/risk/samples/.
Related references
- risk/factors.md
- risk/formulas.md
- risk/profiles.md
- risk/explainability.md
- risk/api.md
Reference in New Issue View Git Blame Copy Permalink