git.stella-ops.org/docs/features/unchecked/policy/cve-aware-release-policy-gates.md

CVE-Aware Release Policy Gates (EPSS/KEV/Reachable/Delta/Aggregate)

Module

Policy

Status

IMPLEMENTED

Description

Five specialized CVE-aware policy gates (EpssThresholdGate, KevBlockerGate, ReachableCveGate, CveDeltaGate, ReleaseAggregateCveGate) that use real-time EPSS scores, KEV catalog membership, reachability status, and cross-release delta to make gate decisions. Distinct from existing generic "CVSS Threshold Gate" or "EPSS Threshold Policy Gate" because these are an integrated multi-gate system with OPA/Rego support.

Implementation Details

• PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs -- orchestrates multi-gate evaluation
  • Evaluates gates in sequence: Evidence -> Lattice State -> VEX Trust -> Uncertainty Tier -> Confidence
  • Short-circuits on first Block; accumulates warnings from non-blocking gates
  • Override support with justification requirement
• VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs -- VEX trust-based gate with per-environment thresholds
  • VexTrustGateOptions: per-environment VexTrustThresholds with MinCompositeScore and RequireIssuerVerified
  • MissingTrustBehavior: Block, Warn, or Allow when trust data absent
  • Trust tiers: VeryHigh >= 0.9, High >= 0.7, Medium >= 0.5, Low >= 0.3, VeryLow < 0.3
• DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs -- drift-based gate for cross-release delta
  • DriftGateOptions: configurable via DriftGateContext
• StabilityDampingGate: src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs -- stability damping for flapping prevention
  • StabilityDampingOptions: configurable damping parameters
• PolicyGateDecision Model: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs
  • Decision types: Allow, Warn, Block
  • Contains: GateId, Subject (VulnId/Purl/SymbolId/ScanId), Evidence (LatticeState/UncertaintyTier/GraphHash/RiskScore/Confidence), Gates array, Advisory, BlockedBy, BlockReason, Suggestion
• Reachability Lattice States: U (Unknown), SR (StaticallyReachable), SU (StaticallyUnreachable), RO (RuntimeObserved), RU (RuntimeUnobserved), CR (ConfirmedReachable), CU (ConfirmedUnreachable), X (Contested)
• Uncertainty Tiers: T1 (High), T2 (Medium), T3 (Low), T4 (Negligible)
• UnknownRanker Integration: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs -- exploit pressure factors (KEV +0.50, EPSS >= 0.90 +0.30, EPSS >= 0.50 +0.15, CVSS >= 9.0 +0.05)
• Scoring Integration: src/Policy/StellaOps.Policy.Engine/Scoring/ -- profile-aware scoring with EPSS/CVSS/KEV inputs
• Gate Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/PolicyDecisionEndpoint.cs -- REST API for gate evaluation

E2E Test Plan

• Evaluate gate for not_affected with CU lattice state and T4 uncertainty; verify Allow decision
• Evaluate gate for not_affected with CR lattice state; verify Block with suggestion to submit unreachability evidence
• Evaluate gate for not_affected with missing graphHash; verify Block by EvidenceCompleteness gate
• Evaluate gate with VEX trust score below production threshold; verify Block by VexTrust gate
• Evaluate gate with VEX trust score above threshold but signature unverified; verify Block when RequireIssuerVerified=true
• Evaluate gate with T1 uncertainty for not_affected and BlockT1ForNotAffected=true; verify Block by UncertaintyTier gate
• Evaluate gate with KEV finding using UnknownRanker; verify exploit pressure includes +0.50 KEV factor
• Evaluate gate with EPSS=0.95; verify exploit pressure includes +0.30 EPSS factor
• Evaluate gate with override and valid justification; verify Block overridden to Warn with advisory
• Evaluate gate with Contested (X) lattice state for not_affected; verify Block with suggestion to resolve through triage