# Competitive Triage UI Patterns - Design Document

> **Sprint:** SPRINT_20251226_010_FE_visual_diff_enhancements
> **Task:** VD-ENH-09
> **Status:** Complete
> **Author:** Implementation Team
> **Date:** 2025-12-26

---

## Overview

This document captures competitive insights from leading vulnerability management tools and recommends patterns for adoption in StellaOps' visual diff and triage UI.

## Competitive Analysis

### Snyk — Reachability + Continuous Context

**What they do:**

- Reachability analysis builds call graphs to determine if vulnerable code is actually reachable
- Risk scores factor in reachability, not just CVSS severity
- Static program analysis combined with AI and expert curation
- Continuous monitoring tracks issues over time as projects are rescanned

**Adoption recommendation:** ✅ **Already implemented**

- `GraphDiffComponent` visualizes reachability graphs with call paths
- Hover highlighting shows connected paths from entry points to sinks
- Plain language explanations help users understand "why" a finding matters

### Anchore — Vulnerability Annotations & VEX Export

**What they do:**

- Vulnerability annotation workflows via UI or API
- Labels: "not applicable", "mitigated", "under investigation"
- Export as OpenVEX and CycloneDX VEX formats
- Curated reasoning reduces redundant triage downstream

**Adoption recommendation:** ✅ **Already implemented**

- `TriageWorkspaceComponent` provides VEX decisioning with trust levels
- `DeltaVerdict` backend exports signed VEX statements
- Attestable exception objects with expiries and audit trails

### Prisma Cloud — Runtime Defense

**What they do:**

- Runtime profiling and behavioral baselines for containers
- Process, file, and network rule enforcement
- Learning models detect anomalies
- Runtime context during operational incidents

**Adoption recommendation:** ⚠️ **Partial - Signals module**

- `Signals` module provides runtime observation correlation
- Hot symbol index tracks runtime function execution
- Integration with FuncProof links runtime observations to static analysis
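The annotation-to-VEX flow described for Anchore (and implemented in StellaOps by `TriageWorkspaceComponent` and `DeltaVerdict`) is shown below as an added example; it is not the project's own code. It uses the OpenVEX status and justification vocabulary, enforces the OpenVEX rule that a `not_affected` statement must carry a justification or impact statement, and maps Anchore-style UI labels to statuses. The label mapping, the `labelToDecision`/`toOpenVex` names, and the sample decisions (placeholder CVE ids and purls) are assumptions made for the example.

```typescript
// Added example (not StellaOps project code): turning UI triage annotations into an
// OpenVEX document. Status and justification vocabularies are the OpenVEX ones; the
// label-to-status mapping and the sample data below are assumptions.

export type VexStatus = 'not_affected' | 'affected' | 'fixed' | 'under_investigation';

export type VexJustification =
  | 'component_not_present'
  | 'vulnerable_code_not_present'
  | 'vulnerable_code_not_in_execute_path'
  | 'vulnerable_code_cannot_be_controlled_by_adversary'
  | 'inline_mitigations_already_exist';

export interface TriageDecision {
  vulnerability: string;        // vulnerability identifier, e.g. a CVE id
  product: string;              // package URL of the component the decision covers
  status: VexStatus;
  justification?: VexJustification;
  impactStatement?: string;     // free-text reason, alternative to a justification
  actionStatement?: string;     // remediation guidance, used with "affected"
  timestamp: string;            // ISO-8601, when the decision was recorded
}

export interface VexStatement {
  vulnerability: { name: string };
  products: { '@id': string }[];
  status: VexStatus;
  timestamp: string;
  justification?: VexJustification;
  impact_statement?: string;
  action_statement?: string;
}

export interface OpenVexDocument {
  '@context': 'https://openvex.dev/ns/v0.2.0';
  '@id': string;
  author: string;
  timestamp: string;
  version: number;
  statements: VexStatement[];
}

// Assumed mapping from Anchore-style annotation labels to OpenVEX statuses.
// "mitigated" becomes not_affected with the inline-mitigation justification.
export function labelToDecision(label: string): Pick<TriageDecision, 'status' | 'justification'> {
  switch (label.toLowerCase()) {
    case 'not applicable':
      return { status: 'not_affected', justification: 'component_not_present' };
    case 'mitigated':
      return { status: 'not_affected', justification: 'inline_mitigations_already_exist' };
    case 'under investigation':
      return { status: 'under_investigation' };
    case 'fixed':
      return { status: 'fixed' };
    case 'affected':
      return { status: 'affected' };
    default:
      throw new Error(`unknown triage label: ${label}`);
  }
}

// OpenVEX requires a justification or impact statement on every not_affected statement;
// rejecting the decision here keeps unjustified exceptions out of the exported document.
export function toStatement(d: TriageDecision): VexStatement {
  if (d.status === 'not_affected' && !d.justification && !d.impactStatement) {
    throw new Error(`${d.vulnerability}: not_affected requires a justification or impact statement`);
  }
  const s: VexStatement = {
    vulnerability: { name: d.vulnerability },
    products: [{ '@id': d.product }],
    status: d.status,
    timestamp: d.timestamp,
  };
  if (d.justification) s.justification = d.justification;
  if (d.impactStatement) s.impact_statement = d.impactStatement;
  if (d.actionStatement) s.action_statement = d.actionStatement;
  return s;
}

export function toOpenVex(author: string, docId: string, timestamp: string, decisions: TriageDecision[]): OpenVexDocument {
  return {
    '@context': 'https://openvex.dev/ns/v0.2.0',
    '@id': docId,
    author,
    timestamp,
    version: 1,
    statements: decisions.map(toStatement),
  };
}

// Constructed sample decisions: placeholder identifiers, not real findings.
export const SAMPLE_DECISIONS: TriageDecision[] = [
  { vulnerability: 'CVE-0000-0001', product: 'pkg:npm/example-lib@1.2.3',
    ...labelToDecision('mitigated'), timestamp: '2025-12-26T10:00:00Z' },
  { vulnerability: 'CVE-0000-0002', product: 'pkg:npm/example-lib@1.2.3',
    ...labelToDecision('under investigation'), timestamp: '2025-12-26T10:05:00Z' },
];

export const SAMPLE_DOC = toOpenVex(
  'StellaOps triage (example)',
  'urn:uuid:00000000-0000-0000-0000-000000000001', // placeholder document id
  '2025-12-26T10:10:00Z',
  SAMPLE_DECISIONS,
);
```

`JSON.stringify(SAMPLE_DOC, null, 2)` yields a document that OpenVEX consumers downstream can apply without re-triaging; the validation in `toStatement` is the point of the example, since an exported `not_affected` with no reasoning is exactly the "redundant triage downstream" the Anchore workflow is meant to avoid.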
---

## Recommended UI Patterns

### 1. Unified Triage Canvas

**Pattern:** Single view combining static analysis with runtime evidence

```
┌─────────────────────────────────────────────────────────────────┐
│                          TRIAGE CANVAS                          │
├──────────────────┬────────────────────┬─────────────────────────┤
│ Graph View       │ Evidence Panel     │ Decision Panel          │
│                  │                    │                         │
│   ┌─────┐        │ • SBOM Component   │ ○ Not Affected          │
│   │main │────►   │ • VEX Statement    │ ○ Under Investigation   │
│   └─────┘  │     │ • Reachability     │ ○ Affected              │
│            ▼     │ • Runtime Obs.     │ ○ Fixed                 │
│          ┌─────┐ │ • Policy Match     │                         │
│          │vuln │ │                    │   [Record Decision]     │
│          └─────┘ │                    │                         │
└──────────────────┴────────────────────┴─────────────────────────┘
```

**Implementation:** Already complete via `TriageWorkspaceComponent` + `GraphDiffComponent`

### 2. Exploitability Scoring Visualization

**Pattern:** Visual risk score breakdown showing contributing factors

| Component | Weight | Score | Visualization |
|-----------|--------|-------|---------------|
| Reachability | 25% | 95 | ████████░░ |
| VEX Coverage | 20% | 90 | █████████░ |
| SBOM Completeness | 20% | 85 | ████████░░ |
| Runtime Evidence | 20% | 88 | ████████░░ |
| Policy Freshness | 15% | 92 | █████████░ |

**Implementation:** `ProofTreeComponent` displays trust score breakdown with donut chart

### 3. Attack Path Diagrams

**Pattern:** Entry point → vulnerable function path highlighting

- Color-coded paths (green=safe, red=vulnerable, amber=uncertain)
- Hop count indicators
- Confidence levels per path segment
- Interactive path exploration with zoom-to-fit

**Implementation:** `GraphDiffComponent` with `findPath()` and path highlighting
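Patterns 2 and 3 are demonstrated together in the added example below, which is not code from `GraphDiffComponent` or `ProofTreeComponent`. A breadth-first `findPath()` over a call graph returns the fewest-hop path from an entry point to a vulnerable function, the weakest per-segment confidence along it, and the colour the diagram would use (green when nothing reaches the sink, red when a confident path exists, amber when the weakest segment is below a threshold); `weightedScore()` then computes the weighted total for the breakdown table above and rejects weight sets that do not sum to 100%. The edge confidences, the `AMBER_THRESHOLD` value and the sample call graph are constructed for the example.

```typescript
// Added example (not StellaOps project code): breadth-first findPath() with hop count,
// weakest-segment confidence and path colour, plus the weighted exploitability score.
// Edge confidences, the amber threshold and the sample graph are constructed.

export interface CallEdge { from: string; to: string; confidence: number; } // confidence in 0..1
export type PathColour = 'green' | 'red' | 'amber';

export interface AttackPath {
  nodes: string[];        // entry point first, vulnerable function last
  hops: number;
  minConfidence: number;  // weakest segment on the path
  colour: PathColour;
}

// Assumed: a reachable path whose weakest segment is below this is shown as uncertain.
export const AMBER_THRESHOLD = 0.7;

export function findPath(edges: CallEdge[], entry: string, sink: string): AttackPath | null {
  const adjacency = new Map<string, CallEdge[]>();
  for (const e of edges) {
    if (!adjacency.has(e.from)) adjacency.set(e.from, []);
    adjacency.get(e.from)!.push(e);
  }
  // Breadth-first search finds the path with the fewest hops.
  const cameFrom = new Map<string, CallEdge>();
  const seen = new Set<string>([entry]);
  const queue: string[] = [entry];
  while (queue.length > 0) {
    const current = queue.shift()!;
    if (current === sink) break;
    for (const e of adjacency.get(current) ?? []) {
      if (seen.has(e.to)) continue;
      seen.add(e.to);
      cameFrom.set(e.to, e);
      queue.push(e.to);
    }
  }
  if (!seen.has(sink)) return null; // vulnerable code is not reachable from this entry point

  // Walk back from the sink, collecting nodes and the weakest confidence on the way.
  const nodes = [sink];
  let minConfidence = 1;
  for (let node = sink; node !== entry; ) {
    const e = cameFrom.get(node)!;
    minConfidence = Math.min(minConfidence, e.confidence);
    node = e.from;
    nodes.unshift(node);
  }
  return { nodes, hops: nodes.length - 1, minConfidence, colour: minConfidence < AMBER_THRESHOLD ? 'amber' : 'red' };
}

// Colour for the whole entry→sink relation: green when no path exists at all.
export function pathColour(path: AttackPath | null): PathColour {
  return path ? path.colour : 'green';
}

export interface ScoreComponent { name: string; weight: number; score: number; } // weight in %, score 0..100

// The breakdown from the table above.
export const SCORE_BREAKDOWN: ScoreComponent[] = [
  { name: 'Reachability', weight: 25, score: 95 },
  { name: 'VEX Coverage', weight: 20, score: 90 },
  { name: 'SBOM Completeness', weight: 20, score: 85 },
  { name: 'Runtime Evidence', weight: 20, score: 88 },
  { name: 'Policy Freshness', weight: 15, score: 92 },
];

// Weighted total; weights must sum to 100% so the result stays on the 0..100 scale.
export function weightedScore(components: ScoreComponent[]): number {
  const totalWeight = components.reduce((sum, c) => sum + c.weight, 0);
  if (Math.abs(totalWeight - 100) > 1e-9) throw new Error(`weights sum to ${totalWeight}%, expected 100%`);
  for (const c of components) {
    if (c.score < 0 || c.score > 100) throw new Error(`${c.name}: score ${c.score} out of range`);
  }
  return components.reduce((sum, c) => sum + (c.weight * c.score) / 100, 0);
}

// Constructed call graph: main → parse → decode → vulnSink, where the last segment is a
// low-confidence (e.g. indirect) call; render → format never reaches the sink.
export const SAMPLE_GRAPH: CallEdge[] = [
  { from: 'main', to: 'parse', confidence: 1.0 },
  { from: 'main', to: 'render', confidence: 1.0 },
  { from: 'parse', to: 'decode', confidence: 0.9 },
  { from: 'decode', to: 'vulnSink', confidence: 0.5 },
  { from: 'render', to: 'format', confidence: 1.0 },
];
```

On the sample graph, `findPath(SAMPLE_GRAPH, 'main', 'vulnSink')` returns a 3-hop path whose weakest segment has confidence 0.5, so the diagram would draw it amber rather than red, which is the cue for a reviewer to confirm the indirect call before recording an "Affected" decision. `weightedScore(SCORE_BREAKDOWN)` is 90.15 for the table's values.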
### 4. Evidence Provenance Indicators

**Pattern:** Visual indicators showing evidence source and trust level

| Indicator | Meaning |
|-----------|---------|
| 🔒 Signed | DSSE-signed evidence |
| ✓ Verified | Signature verified |
| ⚡ Runtime | Observed at runtime |
| 📋 Policy | Policy-derived |
| 👤 Manual | Human decision |

**Implementation:** `ProofTreeComponent` with evidence chunk icons

---

## Adoption Status

| Pattern | Status | Component |
|---------|--------|-----------|
| Reachability graphs | ✅ Complete | `GraphDiffComponent` |
| VEX decisioning | ✅ Complete | `TriageWorkspaceComponent` |
| Attack path visualization | ✅ Complete | `GraphDiffComponent` + path highlighting |
| Evidence provenance | ✅ Complete | `ProofTreeComponent` |
| Plain language explanations | ✅ Complete | `PlainLanguageService` |
| Runtime observation correlation | ✅ Complete | `Signals` module integration |
| Offline replay packs | ✅ Complete | Evidence bundle export |
| Trust score breakdown | ✅ Complete | `ProofTreeComponent` donut chart |

---

## Differentiation Strategy

StellaOps differentiates from competitors by unifying these patterns into a single, evidence-rich, policy-driven triage experience:

1. **Evidence-first:** Every decision is backed by cryptographic evidence
2. **Policy-driven:** VEX as core policy objects, not just an export format
3. **Attestable:** Exceptions are attestable contracts with audit trails
4. **Offline-capable:** Same UI/interactions work in air-gapped environments
5. **Deterministic:** Reproducible verdicts across runs and environments

---

## References

- [Snyk Reachability Analysis](https://docs.snyk.io/manage-risk/prioritize-issues-for-fixing/reachability-analysis)
- [Anchore Vulnerability Annotations](https://docs.anchore.com/current/docs/vulnerability_management/vuln_annotations/)
- [Prisma Cloud Runtime Defense](https://docs.prismacloud.io/en/compute-edition/30/admin-guide/runtime-defense/runtime-defense-containers)