git.stella-ops.org/docs/features/checked/riskengine/cvss-kev-risk-signal-combination.md
2026-02-11 01:32:14 +02:00


CVSS + KEV Risk Signal Combination

Module

RiskEngine

Status

VERIFIED

Description

Risk engine combining CVSS base scores with CISA KEV (Known Exploited Vulnerabilities) catalog membership for prioritization; EPSS is named as an input, but the formula documented here carries no EPSS term. Deterministic formula: clamp01((cvss/10) + kevBonus), where kevBonus = 0.2 if the CVE is KEV-listed and 0 otherwise, so a CVSS 7.5 finding scores 0.75 without KEV and 0.95 with it, and any KEV-listed finding at CVSS 8.0 or above saturates at 1.0. The result is rounded with Math.Round(..., 6, MidpointRounding.ToEven) so that repeated scoring of the same inputs is bit-for-bit identical.

Implementation Details

  • CVSS+KEV Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs -- implements IRiskScoreProvider. Combines CVSS base scores with CISA KEV catalog data. KEV-listed vulnerabilities receive a +0.2 risk boost. Deterministic rounding.
  • Risk Score Provider Interface: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs -- IRiskScoreProvider interface (Name, ScoreAsync) and IRiskScoreProviderRegistry with in-memory dictionary implementation.
  • CVSS+KEV Sources Interface: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs -- ICvssSource (returns double? CVSS 0-10) and IKevSource (returns bool?). Includes null-object implementations.
  • VEX Gate Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs -- implements IRiskScoreProvider. Short-circuits to 0d (a double zero) when a HasDenial signal with a value >= 1 is present; otherwise returns the maximum of the remaining signals, clamped to [0, 1].
  • Fix Exposure Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs -- weighted formula: 0.5 * FixAvailability + 0.3 * Criticality + 0.2 * Exposure. Missing signals default to 0.
  • Fix Chain Risk Provider: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs (349 lines) -- implements both IRiskScoreProvider and IFixChainRiskProvider. Computes risk adjustment based on fix verification status and confidence. Configurable via FixChainRiskOptions.
  • Fix Chain Attestation Client: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs (253 lines) -- HTTP-based client with IMemoryCache integration, positive/negative caching, JSON deserialization.
  • Fix Chain Metrics/Display: FixChainRiskMetrics.cs (OpenTelemetry counters/histograms), FixChainRiskDisplay.cs (badge, tooltip, summary).
  • Default Transforms Provider: DefaultTransformsProvider.cs -- signal clamping and averaging with deterministic ordering.
  • Score Request/Result: ScoreRequest.cs, RiskScoreResult.cs -- request/response models.
  • Risk Score Worker/Queue: RiskScoreWorker.cs (background worker), RiskScoreQueue.cs (Channel-based FIFO queue with bounded/unbounded options).
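The providers above are C# in the StellaOps code base; the following is an added Python reference model of the formulas as this page documents them, written for this page and not taken from the project. It encodes the CVSS+KEV formula with its clamp and 6-place half-to-even rounding, the VEX gate short-circuit, the fix-exposure weighting, and a DefaultTransformsProvider-style average with sorted signal ordering, and then shows with IEEE-754 bytes why ordering plus rounding is what makes the E2E "bit-for-bit identical" check hold. Null handling for the nullable CVSS/KEV sources, the empty-signal case of the VEX gate, and clamping/rounding of the fix-exposure result are assumptions, marked as such in the comments, because the page does not state them.

```python
"""Reference model of the provider formulas documented on this page.

Added example, not StellaOps code (the real providers are C#). Python's
round() is round-half-to-even, the same tie rule as
Math.Round(x, 6, MidpointRounding.ToEven).
"""
import struct
from typing import Iterable, Mapping, Optional

KEV_BONUS = 0.2     # documented: +0.2 when the CVE is in the CISA KEV catalog
ROUND_DIGITS = 6    # documented: Math.Round(..., 6, MidpointRounding.ToEven)


def clamp01(x: float) -> float:
    return 0.0 if x < 0.0 else 1.0 if x > 1.0 else x


def cvss_kev_score(cvss: Optional[float], kev_listed: Optional[bool]) -> float:
    """CvssKevProvider: clamp01(cvss/10 + kevBonus), rounded to 6 places.

    ICvssSource yields double? and IKevSource yields bool?; the page does not
    say how null is treated. ASSUMPTION: a null CVSS contributes 0 and a null
    KEV answer means 'not listed' (no bonus).
    """
    base = 0.0 if cvss is None else cvss / 10.0
    bonus = KEV_BONUS if kev_listed else 0.0
    return round(clamp01(base + bonus), ROUND_DIGITS)


def vex_gate_score(signals: Mapping[str, float]) -> float:
    """VexGateProvider: 0.0 as soon as a HasDenial signal >= 1 is present,
    otherwise the max of the other signals clamped to [0, 1].
    ASSUMPTION: with no remaining signals the gate scores 0.0."""
    if signals.get("HasDenial", 0.0) >= 1.0:
        return 0.0
    rest = [v for name, v in signals.items() if name != "HasDenial"]
    return clamp01(max(rest)) if rest else 0.0


FIX_EXPOSURE_WEIGHTS = {"FixAvailability": 0.5, "Criticality": 0.3, "Exposure": 0.2}


def fix_exposure_score(signals: Mapping[str, float]) -> float:
    """FixExposureProvider: 0.5*FixAvailability + 0.3*Criticality + 0.2*Exposure,
    missing signals count as 0. Terms are added in sorted key order so the
    float sum never depends on how the caller built the dict."""
    total = 0.0
    for name in sorted(FIX_EXPOSURE_WEIGHTS):
        total += FIX_EXPOSURE_WEIGHTS[name] * signals.get(name, 0.0)
    # ASSUMPTION: clamp and round the result the same way CvssKevProvider does.
    return round(clamp01(total), ROUND_DIGITS)


def sum_in_order(values: Iterable[float]) -> float:
    """Plain left-to-right float addition, used to show why ordering matters."""
    total = 0.0
    for v in values:
        total += v
    return total


def average_signals(signals: Mapping[str, float]) -> float:
    """DefaultTransformsProvider-style clamp-and-average: iterate in sorted
    key order and round to 6 places, so two inputs that differ only in
    insertion order yield bit-identical doubles."""
    if not signals:
        return 0.0
    total = sum_in_order(clamp01(signals[name]) for name in sorted(signals))
    return round(total / len(signals), ROUND_DIGITS)


def double_bits(x: float) -> bytes:
    """IEEE-754 bytes of a score: the unit of the 'bit-for-bit identical' check."""
    return struct.pack("<d", x)


if __name__ == "__main__":
    print(cvss_kev_score(7.5, True), cvss_kev_score(7.5, False), cvss_kev_score(9.0, True))
    # Float addition is not associative: these two sums differ in the last bit.
    print(double_bits(sum_in_order([0.1, 0.2, 0.3])) == double_bits(sum_in_order([0.3, 0.2, 0.1])))
    # Sorted ordering plus 6-place rounding removes that dependence on arrival order.
    print(double_bits(average_signals({"a": 0.1, "b": 0.2, "c": 0.3}))
          == double_bits(average_signals({"c": 0.3, "b": 0.2, "a": 0.1})))
```

The two `sum_in_order` calls are the reason the transforms provider sorts before summing: the same three signals arriving in a different order produce a different double, and only a fixed iteration order (and, as a backstop, the 6-place rounding) makes the E2E determinism replay compare equal at the byte level.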

E2E Test Plan

  • Submit a score request for a CVE with CVSS 7.5 that is listed in KEV and verify the combined risk score (0.95) is higher than the CVSS-only score (0.75)
  • Submit the same CVSS score without KEV and verify no KEV boost is applied (score stays at 0.75)
  • VEX gate: submit KEV-listed CVE with VEX "not_affected" and verify VexGateProvider reduces score
  • Fix chain: submit CVE with verified fix attestation and verify FixChainRiskProvider reduces score
  • Determinism: compute same risk score multiple times and verify bit-for-bit identical results
  • Verify risk score worker processes queued requests and stores results

Verification

  • Verified: 2026-02-10
  • Method: Tier 2a live API replay + Tier 2d regression verification
  • Build: Core and Infrastructure projects build cleanly (0 errors, 0 warnings). Worker/WebService have deprecation notices but compile.
  • Tests: RiskEngine suite re-run in Release with 94/94 passing, including added API/provider regression coverage (Simulations_CvssKev_UsesInlineSignals, provider-list exposure check, and inline-signal provider unit tests).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-002/tier2-api-check.json

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay via in-process WebApplicationFactory + full suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-003/tier2-api-check.json
  • Outcome: CVSS+KEV provider exposure and inline-signal simulation behavior remain stable after subsequent module edits.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay via in-process WebApplicationFactory + full suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-004/tier2-api-check.json
  • Outcome: CVSS+KEV provider exposure and inline-signal simulation behavior remain stable.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay validated via RiskEngine integration suite.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-005/tier2-api-check.json
  • Outcome: CVSS/KEV risk signal combination behavior remains healthy.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-006/tier2-api-check.json
  • Outcome: Checked RiskEngine behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-007/tier2-api-check.json
  • Outcome: Checked RiskEngine behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-008/tier2-api-check.json
  • Outcome: Checked RiskEngine behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-009/tier2-api-check.json
  • Outcome: Checked RiskEngine behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-010/tier2-integration-check.json
  • Outcome: Checked risk engine behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-011/tier2-integration-check.json
  • Outcome: Checked risk engine behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-012/tier2-api-check.json
  • Outcome: Checked risk engine behavior remains healthy in continued replay.

Recheck (Run-013)

  • Verified: 2026-02-10
  • Method: Tier 2a live HTTPS API verification with fresh request/response capture.
  • Tests: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-013/tier2-api-check.json
  • Captured Requests: /risk-scores/providers; /risk-scores/simulations for the KEV-bonus case (score 0.95) and the no-KEV baseline (0.75), both consistent with a CVSS 7.5 input under the documented formula, plus the unknown-provider error semantics.
  • Outcome: CVSS+KEV checked behavior revalidated from live API transactions.