3.4 KiB
3.4 KiB
CVSS v4.0 Environmental Metrics Completion
Module
Policy
Status
IMPLEMENTED
Description
Completes CVSS v4.0 scoring with all Modified Attack/Impact environmental metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA). Extends the existing MacroVector scoring engine with environment-specific risk adjustments. Includes receipt-based deterministic scoring and REST endpoints.
Implementation Details
- CvssV4Engine:
src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs--CvssV4Engine(sealed partial class implementsICvssV4Engine)- Sprint: SPRINT_1227_0013_0002_LB_cvss_v4_environmental
ComputeScores(baseMetrics, threatMetrics?, environmentalMetrics?)computes all score variants:- CVSS-B (base score only)
- CVSS-BT (base + threat, when ExploitMaturity != NotDefined)
- CVSS-BE (base + environmental, when modified metrics present)
- CVSS-BTE (full: base + threat + environmental)
DetermineEffectiveScoreselects the most specific score type available- MacroVector-based scoring per FIRST CVSS v4.0 specification
- CvssEnvironmentalMetrics: Modified metrics covering all attack/impact dimensions:
- Modified Attack metrics: MAV (Attack Vector), MAC (Attack Complexity), MAT (Attack Requirements), MPR (Privileges Required), MUI (User Interaction)
- Modified Impact metrics: MVC (Confidentiality), MVI (Integrity), MVA (Availability), MSC (Subsequent Confidentiality), MSI (Subsequent Integrity), MSA (Subsequent Availability)
- All values default to NotDefined (inherit base metric values)
- MacroVectorLookup:
src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs-- lookup table for macro vector scoring - CvssScores Model: BaseScore, ThreatScore, EnvironmentalScore, FullScore, EffectiveScore, EffectiveScoreType
- CvssScoreReceipt:
src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs-- deterministic receipt with input hashes and policy references - Receipts:
src/Policy/StellaOps.Policy.Scoring/Receipts/-- receipt persistence and generation - CVSS Receipt Endpoints:
src/Policy/StellaOps.Policy.Engine/Endpoints/CvssReceiptEndpoints.cs-- REST API for scoring with receipts - CvssMetrics:
src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs-- metric definitions with CVSS v4.0 enums - CvssPolicy:
src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs-- policy-driven scoring thresholds
E2E Test Plan
- Score a CVSS v4.0 vector with base metrics only; verify CVSS-B score matches FIRST specification
- Score with environmental metrics (MAV=Network modified to MAV=Local); verify CVSS-BE score is lower than CVSS-B
- Score with both threat (ExploitMaturity=Attacked) and environmental metrics; verify CVSS-BTE full score computed
- Score with threat metrics only (no environmental); verify CVSS-BT computed and CVSS-BE is null
- POST to CVSS receipt endpoint; verify receipt contains input hash, scoring policy reference, and deterministic score
- Score same vector twice; verify identical scores and matching receipt hashes
- Score with all Modified metrics set to NotDefined; verify environmental score equals base score
- Score with MSI=Safety; verify maximum environmental impact applied
- Verify effective score type selection: CVSS-BTE preferred when all metrics present
- Verify CvssEngineFactory returns CvssV4Engine for v4.0 vectors