stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs2/security/risk-model.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00

49 lines
1.4 KiB
Markdown
Raw Blame History

# Risk model and scoring
Risk scoring turns evidence into a normalized score and severity band. The
model is deterministic and explainable.
Core concepts
- Signals become evidence after validation.
- Evidence is normalized into factors.
- Profiles define weights, thresholds, and overrides.
- Formulas aggregate factors into scores and severity.
Signal sources (examples)
- CVSS severity and vectors (v4 supported).
- KEV flags and exploit history.
- EPSS percentiles for exploit likelihood.
- Reachability and runtime evidence.
Lifecycle
1. Job submit with tenant, profile, and findings.
2. Evidence ingestion from scanners, reachability, and VEX.
3. Normalization and dedupe by provenance hash.
4. Profile evaluation with gates and overrides.
5. Severity assignment and explainability output.
6. Export to Findings Ledger and Export Center.
Artifacts
- Profile schema: signals, weights, overrides, provenance.
- Job and result schema: score, severity, contributions.
- Explainability payloads for UI and CLI.
Determinism rules
- Stable ordering for factors and signals.
- Fixed precision math and UTC timestamps.
- Hashes and provenance recorded for every input.
Related references
- docs/risk/overview.md
- docs/risk/factors.md
- docs/risk/formulas.md
- docs/risk/profiles.md
- docs/risk/api.md
- docs/guides/epss-integration.md
- risk/overview.md
- risk/factors.md
- risk/formulas.md
- risk/profiles.md
- risk/explainability.md
- risk/api.md
Reference in New Issue View Git Blame Copy Permalink