43 lines
3.1 KiB
Markdown
43 lines
3.1 KiB
Markdown
# Diff-Aware Release Gates (Semantic Delta Computation)
|
|
|
|
## Module
|
|
Policy
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Full delta computation engine that computes semantic diffs across SBOMs, vulnerabilities, and risk scores. Includes component deltas, vulnerability status deltas, and risk score deltas.
|
|
|
|
## Implementation Details
|
|
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs` -- computes delta between baseline and hypothetical states
|
|
- SBOM diff operations: add, remove, upgrade, downgrade
|
|
- Decision changes: status_changed, severity_changed, new, removed
|
|
- Risk delta computation: increased/decreased/unchanged with blocked/warning deltas
|
|
- VEX and reachability override handling in simulated decisions
|
|
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs` -- drift-based gate for cross-release delta
|
|
- `DriftGateContext.cs` -- drift evaluation context with base/target references
|
|
- `DriftGateOptions.cs` -- configurable drift thresholds
|
|
- Evaluates whether drift between releases exceeds acceptable thresholds
|
|
- **ConsoleSimulationDiffService**: `src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs` -- deterministic delta diff
|
|
- Before/After severity breakdown, delta (added/removed/regressed), rule impact analysis
|
|
- **SimulationAnalyticsService**: `src/Policy/StellaOps.Policy.Engine/Simulation/SimulationAnalyticsService.cs` -- delta summary computation with severity escalation tracking
|
|
- **RiskSimulationService**: `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs` -- `CompareProfilesWithBreakdown` for profile-level delta
|
|
- Compares baseline and comparison risk profiles with trend analysis
|
|
- Top movers analysis: identifies findings with greatest score change
|
|
- **Effective Decision Map**: `src/Policy/StellaOps.Policy.Engine/EffectiveDecisionMap/` -- materialized baseline decisions for delta comparison
|
|
- **Overlay Simulation**: `src/Policy/StellaOps.Policy.Engine/Endpoints/OverlaySimulationEndpoint.cs` -- overlay-based simulation
|
|
- **Merge Preview**: `src/Policy/StellaOps.Policy.Engine/Endpoints/MergePreviewEndpoints.cs` -- merge preview for policy changes
|
|
|
|
## E2E Test Plan
|
|
- [ ] Run what-if simulation with SBOM upgrade; verify component delta shows version change and advisory resolution
|
|
- [ ] Run what-if simulation with SBOM downgrade; verify new advisories detected and severity escalated
|
|
- [ ] Evaluate drift gate with base and target digests; verify gate passes when drift is within threshold
|
|
- [ ] Evaluate drift gate with excessive drift; verify gate blocks with explanation
|
|
- [ ] Run console simulation diff; verify severity breakdown before and after policy change
|
|
- [ ] Compare two risk profiles; verify trend analysis shows score deltas and top movers
|
|
- [ ] Run overlay simulation; verify hypothetical overlay applied without persisting
|
|
- [ ] Verify delta summary correctly counts: added, removed, regressed (escalated severity)
|
|
- [ ] Run merge preview; verify predicted impact of policy merge
|
|
- [ ] Verify what-if summary recommendation: "risk profile increases" when more blocks, "improves" when fewer
|