stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
e2e404e705578c36a9d19a806405bd3051bc52ce
git.stella-ops.org/docs/policy/vuln-determinations.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

2.2 KiB
Raw Blame History

Vulnerability Determinations (Md.XI draft)

Status: DRAFT (awaiting GRAP0101 + findings ledger doc + DevOps rollout); keep TODO until signals/simulation semantics confirmed.

Scope

  • Capture rationale and signals used to determine vulnerability states in Vuln Explorer (policy overlay, VEX, reachability, DevOps signals).
  • Document simulation semantics and precedence/weighting; align with Policy Engine gateways.

Inputs & Dependencies

Input Status Notes
Findings Ledger doc (DOCS-VULN-29-005) in progress Must align on field names/hashes.
DevOps rollout plan (telemetry + signals) pending Needed for final weighting and thresholds.
GRAP0101 contract pending Confirms identifiers used in policies.

Signals (draft list)

  • Advisory severity + KEV flag.
  • Reachability: call graph + runtime facts (from Signals module) — weighting TBD.
  • VEX status: CSAF-mapped decisions (NOT_AFFECTED, AFFECTED_*).
  • SBOM component context: version range, path, scope (prod/dev/test).
  • Observability: error/traffic indicators (if enabled) — DevOps to confirm.

Simulation Semantics (draft)

  • Deterministic evaluation order: VEX > Reachability > Policy gates > Overrides.
  • Precedence to NOT_AFFECTED when confidence ≥ threshold (TBD) unless explicit policy override.
  • Shadow/simulation runs mirror production gates but do not emit notifications; results stored with flag simulation=true and excluded from audit unless promoted.

Policy Outputs

  • Status mapping: {blocked, warn, pass} with rationale bundle references.
  • Required fields in outputs: findingId, policyVersion, signalsUsed, weighting, explainBundleRef, timestamp (UTC, ISO-8601).
  • Determinism: stable sorting by findingId then policyVersion; hashes recorded when examples added.

Offline/Determinism Notes

  • All sample policy outputs must be hashed in docs/assets/vuln-explorer/SHA256SUMS.
  • Use fixed fixture inputs; avoid live metrics; keep ordering stable.

Open Items

  • Finalize signal weights and thresholds after DevOps rollout plan.
  • Insert concrete examples once Findings Ledger and GRAP0101 finalize fields.
  • Add simulation vs. production side-by-side examples with hashes.

Last updated: 2025-12-05 (UTC)