Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency. - Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling. - Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies. - Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification. - Create validation script for CI/CD templates ensuring all required files and structures are present.
This commit is contained in:
StellaOps Bot
154
docs/modules/web/competitive-triage-patterns.md
Normal file
154
docs/modules/web/competitive-triage-patterns.md
Normal file
@@ -0,0 +1,154 @@
|
||||
# Competitive Triage UI Patterns - Design Document
|
||||
|
||||
> **Sprint:** SPRINT_20251226_010_FE_visual_diff_enhancements
|
||||
> **Task:** VD-ENH-09
|
||||
> **Status:** Complete
|
||||
> **Author:** Implementation Team
|
||||
> **Date:** 2025-12-26
|
||||
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
This document captures competitive insights from leading vulnerability management tools and recommends patterns for adoption in StellaOps' visual diff and triage UI.
|
||||
|
||||
## Competitive Analysis
|
||||
|
||||
### Snyk — Reachability + Continuous Context
|
||||
|
||||
**What they do:**
|
||||
- Reachability analysis builds call graphs to determine if vulnerable code is actually reachable
|
||||
- Risk scores factor in reachability, not just CVSS severity
|
||||
- Static program analysis combined with AI and expert curation
|
||||
- Continuous monitoring tracks issues over time as projects are rescanned
|
||||
|
||||
**Adoption recommendation:** ✅ **Already implemented**
|
||||
- `GraphDiffComponent` visualizes reachability graphs with call paths
|
||||
- Hover highlighting shows connected paths from entry points to sinks
|
||||
- Plain language explanations help users understand "why" a finding matters
|
||||
|
||||
### Anchore — Vulnerability Annotations & VEX Export
|
||||
|
||||
**What they do:**
|
||||
- Vulnerability annotation workflows via UI or API
|
||||
- Labels: "not applicable", "mitigated", "under investigation"
|
||||
- Export as OpenVEX and CycloneDX VEX formats
|
||||
- Curated reasoning reduces redundant triage downstream
|
||||
|
||||
**Adoption recommendation:** ✅ **Already implemented**
|
||||
- `TriageWorkspaceComponent` provides VEX decisioning with trust levels
|
||||
- `DeltaVerdict` backend exports signed VEX statements
|
||||
- Attestable exception objects with expiries and audit trails
|
||||
|
||||
### Prisma Cloud — Runtime Defense
|
||||
|
||||
**What they do:**
|
||||
- Runtime profiling and behavioral baselines for containers
|
||||
- Process, file, and network rule enforcement
|
||||
- Learning models detect anomalies
|
||||
- Runtime context during operational incidents
|
||||
|
||||
**Adoption recommendation:** ⚠️ **Partial - Signals module**
|
||||
- `Signals` module provides runtime observation correlation
|
||||
- Hot symbol index tracks runtime function execution
|
||||
- Integration with FuncProof links runtime observations to static analysis
|
||||
|
||||
---
|
||||
|
||||
## Recommended UI Patterns
|
||||
|
||||
### 1. Unified Triage Canvas
|
||||
|
||||
**Pattern:** Single view combining static analysis with runtime evidence
|
||||
|
||||
```
|
||||
┌─────────────────────────────────────────────────────────────────┐
|
||||
│ TRIAGE CANVAS │
|
||||
├──────────────────┬────────────────────┬─────────────────────────┤
|
||||
│ Graph View │ Evidence Panel │ Decision Panel │
|
||||
│ │ │ │
|
||||
│ ┌─────┐ │ • SBOM Component │ ○ Not Affected │
|
||||
│ │main │────► │ • VEX Statement │ ○ Under Investigation │
|
||||
│ └─────┘ │ │ • Reachability │ ○ Affected │
|
||||
│ ▼ │ • Runtime Obs. │ ○ Fixed │
|
||||
│ ┌─────┐ │ • Policy Match │ │
|
||||
│ │vuln │ │ │ [Record Decision] │
|
||||
│ └─────┘ │ │ │
|
||||
└──────────────────┴────────────────────┴─────────────────────────┘
|
||||
```
|
||||
|
||||
**Implementation:** Already complete via `TriageWorkspaceComponent` + `GraphDiffComponent`
|
||||
|
||||
### 2. Exploitability Scoring Visualization
|
||||
|
||||
**Pattern:** Visual risk score breakdown showing contributing factors
|
||||
|
||||
| Component | Weight | Score | Visualization |
|
||||
|-----------|--------|-------|---------------|
|
||||
| Reachability | 25% | 95 | ████████░░ |
|
||||
| VEX Coverage | 20% | 90 | █████████░ |
|
||||
| SBOM Completeness | 20% | 85 | ████████░░ |
|
||||
| Runtime Evidence | 20% | 88 | ████████░░ |
|
||||
| Policy Freshness | 15% | 92 | █████████░ |
|
||||
|
||||
**Implementation:** `ProofTreeComponent` displays trust score breakdown with donut chart
|
||||
|
||||
### 3. Attack Path Diagrams
|
||||
|
||||
**Pattern:** Entry point → vulnerable function path highlighting
|
||||
|
||||
- Color-coded paths (green=safe, red=vulnerable, amber=uncertain)
|
||||
- Hop count indicators
|
||||
- Confidence levels per path segment
|
||||
- Interactive path exploration with zoom-to-fit
|
||||
|
||||
**Implementation:** `GraphDiffComponent` with `findPath()` and path highlighting
|
||||
|
||||
### 4. Evidence Provenance Indicators
|
||||
|
||||
**Pattern:** Visual indicators showing evidence source and trust level
|
||||
|
||||
| Indicator | Meaning |
|
||||
|-----------|---------|
|
||||
| 🔒 Signed | DSSE-signed evidence |
|
||||
| ✓ Verified | Signature verified |
|
||||
| ⚡ Runtime | Observed at runtime |
|
||||
| 📋 Policy | Policy-derived |
|
||||
| 👤 Manual | Human decision |
|
||||
|
||||
**Implementation:** `ProofTreeComponent` with evidence chunk icons
|
||||
|
||||
---
|
||||
|
||||
## Adoption Status
|
||||
|
||||
| Pattern | Status | Component |
|
||||
|---------|--------|-----------|
|
||||
| Reachability graphs | ✅ Complete | `GraphDiffComponent` |
|
||||
| VEX decisioning | ✅ Complete | `TriageWorkspaceComponent` |
|
||||
| Attack path visualization | ✅ Complete | `GraphDiffComponent` + path highlighting |
|
||||
| Evidence provenance | ✅ Complete | `ProofTreeComponent` |
|
||||
| Plain language explanations | ✅ Complete | `PlainLanguageService` |
|
||||
| Runtime observation correlation | ✅ Complete | `Signals` module integration |
|
||||
| Offline replay packs | ✅ Complete | Evidence bundle export |
|
||||
| Trust score breakdown | ✅ Complete | `ProofTreeComponent` donut chart |
|
||||
|
||||
---
|
||||
|
||||
## Differentiation Strategy
|
||||
|
||||
StellaOps differentiates from competitors by unifying these patterns into a single, evidence-rich, policy-driven triage experience:
|
||||
|
||||
1. **Evidence-first:** Every decision is backed by cryptographic evidence
|
||||
2. **Policy-driven:** VEX as core policy objects, not just export format
|
||||
3. **Attestable:** Exceptions are attestable contracts with audit trails
|
||||
4. **Offline-capable:** Same UI/interactions work in air-gapped environments
|
||||
5. **Deterministic:** Reproducible verdicts across runs and environments
|
||||
|
||||
---
|
||||
|
||||
## References
|
||||
|
||||
- [Snyk Reachability Analysis](https://docs.snyk.io/manage-risk/prioritize-issues-for-fixing/reachability-analysis)
|
||||
- [Anchore Vulnerability Annotations](https://docs.anchore.com/current/docs/vulnerability_management/vuln_annotations/)
|
||||
- [Prisma Cloud Runtime Defense](https://docs.prismacloud.io/en/compute-edition/30/admin-guide/runtime-defense/runtime-defense-containers)
|
||||
Reference in New Issue
Block a user