# Vulnerability explorer

## Purpose

- Triage vulnerabilities with deterministic grouping, overlays, and exports.
- Shared views must include data sources and overlays to prevent context loss.

## Table anatomy

- Columns: CVE or alias, package PURL, version, severity, exploitability, reachability, VEX status, fix version, policy verdict, last seen.
- Sorting: severity desc, exploitability desc, PURL, CVE.
- Pagination is server-driven with stable cursors.

## Grouping and pivots

- Group by package, CVE, image, or tenant.
- Group summary includes severity counts and VEX disposition counts.
- Why drawer explains grouping rules and data sources.

## Filters

- Severity and exploitability (KEV, EPSS buckets, maturity).
- Reachability states.
- VEX status (affected, not_affected, under_investigation, disputed, contested).
- Fix availability and policy verdict.
- Staleness for SBOM, advisory, and VEX age.

## Why drawer

- Shows data sources, overlay epochs, policy inputs, VEX claims, reachability evidence.
- Includes correlation IDs and graph_cache_epoch.

## Fix suggestions

- Fix chip shows nearest patched version and source.
- Bulk fix export produces actions file with manifest hashes.
- UI warns when fixes rely on contested or stale claims.

## Actions and triage

- Multi-select for ticket creation, VEX waiver requests, SBOM diff exports.
- Policy simulator opens with current overlays and can save staged views.

## Accessibility

- Shortcuts: g for grouping, f for filters, w for Why drawer, / for search.
- Screen reader labels include VEX and reachability state.

## Air-gap posture

- Exports include overlays and cache epochs.
- Offline bundles can replay triage views without network calls.

## Related references

- ui/sbom-graph-explorer.md
- docs/api/vuln.md
- modules/graph.md
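The sort order and stable-cursor pagination listed under Table anatomy can be sketched as keyset pagination; this is an added example, not the project's own code. The rank tables, field names, cursor encoding, and sample rows are assumptions, and it assumes each (PURL, CVE) pair is unique so the order is total.

```python
import base64
import json

# Assumed rank tables (not from the page): a higher rank sorts first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}
EXPLOIT_RANK = {"kev": 3, "epss_high": 2, "epss_low": 1, "none": 0}


def sort_key(row):
    """Total order: severity desc, exploitability desc, PURL asc, CVE asc."""
    return (-SEVERITY_RANK[row["severity"]], -EXPLOIT_RANK[row["exploitability"]],
            row["purl"], row["cve"])


def encode_cursor(row):
    """Opaque cursor: the sort key of the last row served, not an offset."""
    return base64.urlsafe_b64encode(json.dumps(sort_key(row)).encode()).decode()


def decode_cursor(cursor):
    return tuple(json.loads(base64.urlsafe_b64decode(cursor)))


def page(rows, limit, cursor=None):
    """Return (items, next_cursor). Only rows strictly after the cursor key are
    served, so rows added or removed between requests never cause a surviving
    row to be shown twice or skipped."""
    ordered = sorted(rows, key=sort_key)
    if cursor is not None:
        after = decode_cursor(cursor)
        ordered = [r for r in ordered if sort_key(r) > after]
    items = ordered[:limit]
    next_cursor = encode_cursor(items[-1]) if len(ordered) > limit else None
    return items, next_cursor


# Constructed sample findings (placeholder CVE ids and PURLs).
FINDINGS = [
    {"cve": "CVE-0000-0003", "purl": "pkg:npm/b@1.0.0", "severity": "high", "exploitability": "epss_high"},
    {"cve": "CVE-0000-0005", "purl": "pkg:npm/c@2.0.0", "severity": "low", "exploitability": "none"},
    {"cve": "CVE-0000-0002", "purl": "pkg:npm/a@1.0.0", "severity": "critical", "exploitability": "none"},
    {"cve": "CVE-0000-0004", "purl": "pkg:npm/a@1.0.0", "severity": "high", "exploitability": "epss_high"},
    {"cve": "CVE-0000-0001", "purl": "pkg:npm/a@1.0.0", "severity": "critical", "exploitability": "kev"},
]
```

An offset-based cursor would repeat or drop rows when a new finding lands ahead of the current page; keying the cursor on the last served sort key avoids that.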