# Vulnerability Explorer

> **Imposed rule:** Any exported or shared view must include the data sources and overlays applied (VEX, policy, reachability) to avoid out-of-context remediation decisions.

The Vulnerability Explorer provides deterministic tables and grouping to triage, explain, and act on vulnerabilities across SBOM graph data and VEX claims.

## Table anatomy

- Default columns: CVE/alias, package (PURL), version, severity, exploitability (EPSS/KEV), reachability, VEX status, fix version, policy verdict, last seen.
- Sorting: primary by severity (descending), secondary by exploitability score, tertiary by PURL; remaining ties are broken by CVE.
- Pagination: server-driven with stable cursors; page size defaults to 50 and can be overridden via `?limit=`.

## Grouping & pivots

- Group by **package**, **CVE**, **image**, or **tenant**. Each group shows counts by severity and VEX disposition.
- The “Why am I seeing this?” drawer explains the grouping rules and shows the upstream data sources for the group.
- Export follows the active grouping; NDJSON includes `group_key`, `items[]`, and overlay metadata.

## Filters

- **Severity**: critical/high/medium/low/none.
- **Exploitability**: KEV flag, EPSS bucket, exploit maturity.
- **Reachability**: reachable, conditionally reachable, unreachable, unknown.
- **VEX**: affected, not_affected, under_investigation, disputed, contested.
- **Fix availability**: has fix, no fix, downgrade available.
- **Policy verdict**: allow, review, deny, staged verdicts (simulator).
- **Staleness**: SBOM age, advisory feed age, VEX claim age.

## Why drawer

- Provides a structured explanation showing: data sources (SBOM digest, overlay epochs), policy inputs, VEX claims contributing to the verdict, and reachability evidence. Includes correlation IDs for API traces.
- Always shows tenant and `graph_cache_epoch` to keep exports and audits reproducible.
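The deterministic sort order and the grouped NDJSON export described above, as an added example that is not the project's own code. The row fields, the overlay field names, the sample rows and the placeholder CVE ids are all constructed for illustration; the digest at the end is the kind of SHA-256 manifest value an export would ship with so an audit can confirm it was not altered.

```python
import hashlib
import json
from collections import Counter

# Severity ordering used for the primary sort (descending).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}

# Constructed sample rows; the CVE ids are placeholders, not real advisories.
ROWS = [
    {"cve": "CVE-0000-0002", "purl": "pkg:npm/example-b@1.0.0", "severity": "high",
     "epss": 0.5, "vex": "affected", "reachability": "reachable"},
    {"cve": "CVE-0000-0001", "purl": "pkg:npm/example-a@1.0.0", "severity": "critical",
     "epss": 0.1, "vex": "under_investigation", "reachability": "unknown"},
    {"cve": "CVE-0000-0003", "purl": "pkg:npm/example-a@1.0.0", "severity": "high",
     "epss": 0.5, "vex": "not_affected", "reachability": "unreachable"},
]

# Constructed overlay metadata (assumed field names); every exported record carries it,
# which is what the imposed rule at the top of this page requires.
OVERLAYS = {"tenant": "tenant-demo", "graph_cache_epoch": 42, "sbom_digest": "sha256:<placeholder>",
            "vex_epoch": 7, "policy_epoch": 3, "reachability_epoch": 5}

def sort_key(row):
    # severity desc, exploitability (EPSS) desc, PURL asc, CVE as the final tie-break
    return (-SEVERITY_RANK[row["severity"]], -row["epss"], row["purl"], row["cve"])

def group_rows(rows, by="purl"):
    """Deterministic grouping: groups appear in sorted-row order, items stay sorted within each group."""
    groups = {}
    for row in sorted(rows, key=sort_key):
        groups.setdefault(row[by], []).append(row)
    return groups

def export_ndjson(rows, overlays, by="purl"):
    """One NDJSON record per group: group_key, items[], per-group counts and the overlays applied."""
    lines = []
    for key, items in group_rows(rows, by).items():
        record = {
            "group_key": key,
            "items": items,
            "counts": {"severity": dict(Counter(i["severity"] for i in items)),
                       "vex": dict(Counter(i["vex"] for i in items))},
            "overlays": overlays,
        }
        # sort_keys + fixed separators keep the byte stream stable, so the digest is reproducible
        lines.append(json.dumps(record, sort_keys=True, separators=(",", ":")))
    return "\n".join(lines) + "\n"

def manifest_sha256(ndjson_text):
    """SHA-256 of the export, the value written into the manifest that accompanies it."""
    return hashlib.sha256(ndjson_text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    out = export_ndjson(ROWS, OVERLAYS)
    print(out, "sha256:", manifest_sha256(out))
```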
## Fix suggestions

- Per-row “Fix” chip suggests the nearest patched version and its source (vendor vs upstream), plus a link to the remediation doc if the advisory provides one.
- Bulk fix export produces an actions file, `{purl, vuln, recommended_version, source, rationale}`, with a SHA-256 manifest.
- UI warns when fixes rely on contested VEX claims or stale advisories.

## Actions & triage

- Multi-select with bulk actions: create ticket, generate VEX waiver request, export SBOM diff, or open the policy simulator with the selected rows.
- Policy simulator opens with the current overlays and generates a simulated verdict for the selection; results can be saved as a “staged policy” view.

## Accessibility

- Keyboard shortcuts: `g` to toggle grouping, `f` to focus filters, `w` to open the Why drawer on the selected row, `/` to focus search.
- Screen reader labels announce VEX and reachability state; focus order matches visual order; table rows support row headers.

## Air-gap posture

- All exports include overlays and cache epochs; offline bundles can be loaded via `Import view` to replay triage without network access.
- No live CVE enrichment calls from the UI; it relies solely on backend-provided overlays.

## Related docs

- `docs/ui/sbom-graph-explorer.md`
- `docs/api/graph.md`
- `docs/api/vuln.md`
- `docs/modules/graph/architecture-index.md`