- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
# Risk model and scoring
Risk scoring turns evidence into a normalized score and severity band. The model is deterministic and explainable.
## Core concepts
- Signals become evidence after validation.
- Evidence is normalized into factors.
- Profiles define weights, thresholds, and overrides.
- Formulas aggregate factors into scores and severity.
## Signal sources (examples)
- CVSS severity and vectors (v4 supported).
- KEV flags and exploit history.
- EPSS percentiles for exploit likelihood.
- Reachability and runtime evidence.
## Lifecycle
- Job submit with tenant, profile, and findings.
- Evidence ingestion from scanners, reachability, and VEX.
- Normalization and dedupe by provenance hash.
- Profile evaluation with gates and overrides.
- Severity assignment and explainability output.
- Export to Findings Ledger and Export Center.
## Artifacts
- Profile schema: signals, weights, overrides, provenance.
- Job and result schema: score, severity, contributions.
- Explainability payloads for UI and CLI.
## Determinism rules
- Stable ordering for factors and signals.
- Fixed precision math and UTC timestamps.
- Hashes and provenance recorded for every input.
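The following is an added worked example, not code from the StellaOps project, that walks the lifecycle and determinism rules above end to end: signals are validated into evidence and deduplicated by a SHA-256 provenance hash, normalized into factors in the range 0 to 1, weighted by a profile, aggregated into a score and severity band, and returned with an explainability payload. The profile weights, band thresholds, the `unreachable_cap` override and the sample signals are constructed values chosen for illustration, not StellaOps' own profile schema or defaults. Determinism comes from stable factor ordering, fixed-precision `Decimal` math, a required UTC timestamp, and a hash over the canonical result.

```python
"""Added example: deterministic, explainable risk scoring (constructed values)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from decimal import Decimal, ROUND_HALF_EVEN

PRECISION = Decimal("0.0001")  # fixed-precision math: every value is quantized

# Constructed sample profile (hypothetical weights, bands and override).
PROFILE = {
    "name": "example-profile",
    "weights": {
        "cvss": Decimal("0.5"),
        "epss": Decimal("0.2"),
        "kev": Decimal("0.2"),
        "reachability": Decimal("0.1"),
    },
    # Highest band first; the first threshold the score meets wins.
    "bands": [
        ("critical", Decimal("0.8")),
        ("high", Decimal("0.6")),
        ("medium", Decimal("0.3")),
        ("low", Decimal("0")),
    ],
    # Override: evidence that the code path is unreachable caps the score.
    "unreachable_cap": Decimal("0.3"),
}

# Constructed sample signals; the repeated KEV entry is deduped by provenance hash.
SAMPLE_SIGNALS = [
    {"type": "cvss", "value": 9.8, "source": "nvd"},
    {"type": "epss", "value": 0.93, "source": "first.org"},
    {"type": "kev", "value": True, "source": "cisa"},
    {"type": "reachability", "value": "reachable", "source": "scanner"},
    {"type": "kev", "value": True, "source": "cisa"},
]
SAMPLE_TIME = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def q(value: Decimal) -> Decimal:
    """Quantize to fixed precision with banker's rounding."""
    return value.quantize(PRECISION, rounding=ROUND_HALF_EVEN)


def provenance_hash(record: dict) -> str:
    """SHA-256 over canonical JSON, so identical input always hashes the same."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def normalize(signal_type: str, value) -> Decimal:
    """Validate a signal and turn it into a factor in [0, 1]."""
    if signal_type == "cvss":
        base = Decimal(str(value))
        if not Decimal(0) <= base <= Decimal(10):
            raise ValueError(f"CVSS base score out of range: {value}")
        return q(base / Decimal(10))
    if signal_type == "epss":
        pct = Decimal(str(value))
        if not Decimal(0) <= pct <= Decimal(1):
            raise ValueError(f"EPSS percentile out of range: {value}")
        return q(pct)
    if signal_type == "kev":
        return Decimal(1) if bool(value) else Decimal(0)
    if signal_type == "reachability":
        if value not in ("reachable", "unreachable"):
            raise ValueError(f"unknown reachability value: {value}")
        return Decimal(1) if value == "reachable" else Decimal(0)
    raise ValueError(f"unknown signal type: {signal_type}")


def ingest(signals: list[dict]) -> list[dict]:
    """Dedupe by provenance hash and return evidence in stable (hash) order."""
    by_hash: dict[str, dict] = {}
    for signal in signals:
        by_hash.setdefault(provenance_hash(signal), signal)
    return [dict(by_hash[h], provenance=h) for h in sorted(by_hash)]


def score(signals: list[dict], profile: dict, evaluated_at: datetime) -> dict:
    """Aggregate factors into a score, a severity band and an explainability payload."""
    if evaluated_at.tzinfo != timezone.utc:
        raise ValueError("evaluated_at must be a UTC timestamp")
    evidence = ingest(signals)
    factors = {ev["type"]: normalize(ev["type"], ev["value"]) for ev in evidence}

    contributions, total = [], Decimal(0)
    for name in sorted(profile["weights"]):  # stable factor ordering
        weight = profile["weights"][name]
        factor = factors.get(name, Decimal(0))  # missing evidence contributes nothing
        contribution = q(weight * factor)
        total += contribution
        contributions.append({"factor": name, "value": str(factor),
                              "weight": str(weight), "contribution": str(contribution)})
    total = q(total)

    overrides = []
    if factors.get("reachability") == Decimal(0) and total > profile["unreachable_cap"]:
        overrides.append({"rule": "unreachable_cap", "from": str(total),
                          "to": str(q(profile["unreachable_cap"]))})
        total = q(profile["unreachable_cap"])

    severity = next(band for band, threshold in profile["bands"] if total >= threshold)
    result = {
        "profile": profile["name"],
        "evaluated_at": evaluated_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "score": str(total),
        "severity": severity,
        "contributions": contributions,
        "overrides": overrides,
        "inputs": [ev["provenance"] for ev in evidence],  # provenance of every input
    }
    result["result_hash"] = provenance_hash(result)
    return result


if __name__ == "__main__":
    print(json.dumps(score(SAMPLE_SIGNALS, PROFILE, SAMPLE_TIME), indent=2))
```

With the sample signals the score is 0.9760 and the band is critical; submitting the same signals in reverse order yields a byte-identical result and the same `result_hash`, which is the property a determinism test would assert. Flipping reachability to unreachable triggers the cap override, and the explainability payload records both the pre-override score and the rule that changed it.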
## Related references
- docs/risk/overview.md
- docs/risk/factors.md
- docs/risk/formulas.md
- docs/risk/profiles.md
- docs/risk/api.md
- docs/guides/epss-integration.md
- risk/overview.md
- risk/factors.md
- risk/formulas.md
- risk/profiles.md
- risk/explainability.md
- risk/api.md