## Pack 19 — Security consolidated around **release decisions + audit outputs** (preserving all PoC screens; reachability stays 2nd‑class)

Below:

1. **Security menu graph (Mermaid)**
2. For **each screen**:
   * **Formerly** (old name/location)
   * **Why moved/reshaped**
   * **Screen navigation graph (Mermaid)**
   * **ASCII mock**

---

# 19.1 Security menu graph (Mermaid)

This keeps every PoC screen but organizes them in a “Stella Ops” order: **decision‑centric first**, then exploration, then data backends, then attestations/waivers.

```mermaid
flowchart TD
  SEC["Security (ROOT)"] --> SEC_OV[Risk Overview]
  SEC --> SEC_FIND[Findings Explorer]
  SEC --> SEC_VULN[Vulnerabilities Explorer]
  SEC --> SEC_SBOM[SBOM Data]
  SEC_SBOM --> SEC_LAKE[SBOM Lake]
  SEC_SBOM --> SEC_GRAPH[SBOM Graph]
  SEC --> SEC_VEX["VEX & Exceptions"]
  SEC_VEX --> SEC_VEXH[VEX Hub]
  SEC_VEX --> SEC_EXC[Exceptions]

  %% Cross-links (no duplication)
  SEC_OV -. "data confidence" .-> OPS_DI["Ops: Data Integrity"]
  SEC_FIND -. "open env" .-> RC_ENV["Release Control: Env Detail"]
  SEC_FIND -. "open bundle version" .-> BVER["Bundles: Bundle Version Detail"]
  SEC_FIND -. "export decision pack" .-> EVID["Evidence: Export Center"]
  SEC_VULN -. "graph" .-> SEC_GRAPH
  SEC_EXC -. "approval gating" .-> APPR[Approvals]
  SEC_VEXH -. "issuer trust" .-> TRUST["Evidence: Trust & Signing"]
```

Node labels that contain parentheses, `&`, `:` or `->` are quoted; unquoted, Mermaid treats `(` and `>` as shape and edge syntax and fails to render the graph.

**Key consolidation rule:**

* **Findings** = “what is actually present in a specific env/bundle/digest, and is it reachable?”
* **Vulnerabilities** = “the CVE/catalog view (global), then drill down to where it hits.”
* **SBOM Lake/Graph** = storage/exploration backends (kept, but demoted under “SBOM Data”).
* **VEX/Exceptions** = disposition/waiver layer tied to approvals and audit.
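The consolidation rule as working code, as an added example (not Stella Ops code and not from the PoC): Findings are the env-scoped facts, the Vulnerabilities Explorer row is a roll-up computed from them, and VEX statements plus time-bound, scoped Exceptions (the shape 19.10 asks for) are the only things that can dispose a finding before the approval gate reads it. Field names, the trusted-issuer rule, the gate policy and every sample record are assumptions constructed for this example.

```python
"""Consolidation rule as data: Findings are env-scoped facts, the Vulnerabilities row is
a roll-up computed from them, VEX statements and Exceptions dispose findings, and the
approval gate reads all three. Added example, not Stella Ops code: field names, the
trusted-issuer rule and the gate policy are assumptions; sample records are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    env: str
    component: str
    bundle: str        # bundle version (or manifest digest)
    cve: str
    severity: str      # CRIT | HIGH | ...
    reachable: str     # "reachable" | "not_reachable" | "unknown" (a column, not a domain)

@dataclass(frozen=True)
class VexStatement:
    issuer: str
    cve: str
    component: str
    status: str        # "not_affected" | "affected" | "fixed" | "under_investigation"
    signed: bool       # signature validated by VEX Hub

@dataclass(frozen=True)
class ExceptionRecord:
    env: Optional[str]        # None = any env; likewise component / cve
    component: Optional[str]
    cve: Optional[str]
    expires: date

def exception_applies(e: ExceptionRecord, f: Finding, today: date) -> bool:
    """Time-bound and scoped: every scope field that is set must match, and it must not have expired."""
    if e.expires < today:
        return False
    scope = ((e.env, f.env), (e.component, f.component), (e.cve, f.cve))
    return all(want is None or want == have for want, have in scope)

def dispose(f, vexes, exceptions, trusted, today) -> str:
    """Disposition of one finding: 'vex:<status>', 'exception' or 'open'. Only a signed
    statement from a trusted issuer counts; an exception must be in scope and unexpired."""
    for v in vexes:
        if ((v.cve, v.component) == (f.cve, f.component) and v.signed
                and v.issuer in trusted and v.status in ("not_affected", "fixed")):
            return f"vex:{v.status}"
    if any(exception_applies(e, f, today) for e in exceptions):
        return "exception"
    return "open"

def blocks_promotion(f: Finding, disposition: str) -> bool:
    """Assumed gate policy: an open CRIT blocks unless proven not reachable (unknown counts as
    reachable, so missing evidence never reads as clean); an open HIGH blocks only when reachable."""
    if disposition != "open":
        return False
    if f.severity == "CRIT":
        return f.reachable != "not_reachable"
    return f.severity == "HIGH" and f.reachable == "reachable"

def vulnerability_rows(findings, vexes, exceptions, trusted, today) -> dict[str, dict]:
    """Vulnerabilities Explorer roll-up: one row per CVE, every count derived from Findings."""
    acc = defaultdict(lambda: {"envs": set(), "crit_r": set(), "bundles": set(), "disps": set()})
    for f in findings:
        r = acc[f.cve]
        r["envs"].add(f.env)
        r["bundles"].add(f.bundle)
        if f.severity == "CRIT" and f.reachable == "reachable":
            r["crit_r"].add(f.env)
        r["disps"].add(dispose(f, vexes, exceptions, trusted, today))
    rows = {}
    for cve, r in acc.items():
        # one undispositioned finding keeps the whole CVE open
        disp = ("no VEX / no exc" if "open" in r["disps"]
                else "VEX present" if any(d.startswith("vex:") for d in r["disps"]) else "exception")
        rows[cve] = {"impacted_envs": len(r["envs"]), "crit_reachable_envs": len(r["crit_r"]),
                     "bundle_versions": len(r["bundles"]), "disposition": disp}
    return rows

def gate(env, findings, vexes, exceptions, trusted, today) -> list[Finding]:
    """Approval gate for one env: the findings that block promotion (empty list = no security block)."""
    return [f for f in findings
            if f.env == env and blocks_promotion(f, dispose(f, vexes, exceptions, trusted, today))]


# Constructed sample data, loosely mirroring the mocks in this pack.
FINDINGS = [
    Finding("us-prod", "user-service", "Platform 1.3.0-rc1", "CVE-2026-1234", "CRIT", "reachable"),
    Finding("us-uat", "user-service", "Platform 1.3.0-rc1", "CVE-2026-1234", "CRIT", "reachable"),
    Finding("us-prod", "api-gateway", "Platform 1.3.0-rc1", "CVE-2026-9001", "HIGH", "not_reachable"),
    Finding("eu-prod", "api-gateway", "Platform 1.2.9", "CVE-2026-9001", "HIGH", "unknown"),
    Finding("eu-prod", "worker", "Platform 1.2.9", "CVE-2026-2222", "CRIT", "unknown"),
]
VEX_STATEMENTS = [
    VexStatement("VendorA", "CVE-2026-9001", "api-gateway", "not_affected", signed=True),
    VexStatement("InternalSec", "CVE-2026-1234", "user-service", "under_investigation", signed=True),
    VexStatement("VendorX", "CVE-2026-1234", "user-service", "not_affected", signed=False),  # unsigned: ignored
]
EXCEPTIONS = [ExceptionRecord("eu-prod", None, None, date(2026, 2, 20))]  # policy override, hotfix window
TRUSTED_ISSUERS = {"VendorA", "InternalSec"}
TODAY, AFTER_EXPIRY = date(2026, 2, 10), date(2026, 2, 25)
```

Two design choices carry the governance intent: a VEX statement can only close a finding when it is both signed and from a trusted issuer (the untrusted, unsigned `VendorX` statement changes nothing), and an `unknown` reachability is treated as reachable at the gate, so the `eu-prod` CRIT finding is allowed through only while the scoped exception is unexpired and blocks again the day after it lapses.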
---

# 19.2 Security screen — Risk Overview

### Formerly

* **Security → Overview** (`security overview.png`): cards and summary, not tightly tied to env/bundle decision outcomes.

### Why changed like this

This becomes the security commander’s “brief”: **what blocks promotions**, **which envs have critical reachable findings**, **SBOM freshness/coverage**, **VEX/exceptions posture**, and **data confidence** (feeds/jobs/integrations).

Reachability is **not** promoted to a top-level area; it appears as:

* summary metrics
* filters
* drilldowns into Findings

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A["Security: Risk Overview"] --> B[Critical reachable by environment]
  A --> C[Blocked approvals due to security]
  A --> D["SBOM coverage & freshness summary"]
  A --> E[Top CVEs impacting deployed bundles]
  A --> F["VEX coverage / exceptions expiring soon"]
  A --> G["Data Confidence banner -> Ops Data Integrity"]
  A --> H["Drilldowns -> Findings Explorer"]
  A --> I["Drilldowns -> Vulnerabilities Explorer"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ RISK OVERVIEW
│ Formerly: Security ▸ Overview (security overview.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL; Jenkins DEGRADED; DLQ runtime 1,230)
│ [Open Ops → Data Integrity]
├──────────────────────────────────────────────────────────────────────────────────────────
│ Snapshot (24h)
│   Envs with Crit Reachable: 2         Total Crit Reachable: 3
│   Envs SBOM stale/missing: 3          VEX coverage: 62%
│   Approvals blocked (security): 2     Exceptions expiring < 7d: 4
├──────────────────────────────────────────────────────────────────────────────────────────
│ Critical Reachable by Environment
│   US-East/us-prod: 2   US-East/us-uat: 1   EU-West/eu-prod: 0   APAC/apac-prod: 0
│   [Open Findings filtered to Crit Reachable]
├──────────────────────────────────────────────────────────────────────────────────────────
│ Top drivers (click to drill)
│   CVE-2026-1234 (openssl) → affects user-service in US-East/us-prod (reachable)
│   CVE-2026-9001 (log4j)   → affects api-gateway (not reachable; VEX present)
│   [Open Vulnerabilities Explorer]
├──────────────────────────────────────────────────────────────────────────────────────────
│ SBOM posture
│   Coverage: 98% digests scanned | Freshness: 3 envs > 24h | Pending scans: 1 digest
│   [Open Findings] [Open SBOM Lake]
├──────────────────────────────────────────────────────────────────────────────────────────
│ VEX & Exceptions
│   VEX statements imported (24h): 12 | Exceptions active: 9 | expiring soon: 4
│   [Open VEX Hub] [Open Exceptions]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.3 Security screen — Findings Explorer

### Formerly

* **Security → Findings** (`findings.png`): global list; in the PoC the table looked empty / placeholder.

### Why changed like this

Findings are what matter for release decisions. This screen becomes the primary explorer with **first-class filters**:

* Region / Env / Env type
* Bundle version (manifest digest)
* Component digest
* Severity
* **Reachability class** (reachable / not reachable / unknown)
* **Hybrid evidence presence** (B/I/R) as filters/columns (2nd-class, but not buried)
* SBOM freshness status (ok / stale / missing / pending)

It also shows a **Data Confidence banner**, so that stale or partial results are never misread as “clean”: a row with no fresh evidence or a stale SBOM is unverified, not safe.
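How the derived columns above fall out of hybrid evidence, as an added Python example (not Stella Ops code and not from the PoC): each finding carries up to three evidence sources (Build / Image / Runtime) with a verdict and an age, and from those the code derives the reachability class, a confidence label, the B/I/R presence string, the SBOM freshness status and the “unverified, not clean” label the banner exists for. The freshness windows, the confidence ladder, the label names and the sample findings are assumptions made for this example.

```python
"""Derived reachability columns for the Findings Explorer (added example, not Stella Ops code).

Each finding carries hybrid evidence from up to three sources (Build / Image / Runtime), each
with its own verdict and age. Derived columns: reachability class, confidence, the B/I/R
presence string and the SBOM freshness status. Freshness windows, the confidence ladder and
the labels are assumed policy knobs, not values from the pack; sample findings are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SOURCES = ("build", "image", "runtime")
MAX_AGE_H = {"build": 7 * 24, "image": 24, "runtime": 24}   # assumed: older evidence is shown but does not vote
SBOM_STALE_H = 24                                           # assumed: matches the "> 24h" freshness metric


@dataclass
class Evidence:
    source: str       # "build" | "image" | "runtime"
    verdict: str      # "reachable" | "not_reachable" | "unknown"
    age_h: float

@dataclass
class Finding:
    env: str
    component: str
    cve: str
    package: str
    severity: str
    evidence: list[Evidence] = field(default_factory=list)
    sbom_age_h: Optional[float] = None    # None = no SBOM record for this digest
    sbom_pending: bool = False

def sbom_status(f: Finding) -> str:
    """SBOM freshness filter values: ok / stale / missing / pending."""
    if f.sbom_pending:
        return "pending"
    if f.sbom_age_h is None:
        return "missing"
    return "stale" if f.sbom_age_h > SBOM_STALE_H else "ok"

def fresh_evidence(f: Finding) -> list[Evidence]:
    return [e for e in f.evidence if e.age_h <= MAX_AGE_H[e.source]]

def evidence_presence(f: Finding) -> str:
    """The B/I/R column: 1 where a fresh source exists, 0 where it is missing or stale."""
    have = {e.source for e in fresh_evidence(f)}
    return "/".join("1" if s in have else "0" for s in SOURCES)

def evidence_summary(f: Finding) -> str:
    """Finding Detail line: per source, fresh (check with age), stale (cross with age) or missing."""
    by_source = {e.source: e for e in f.evidence}
    parts = []
    for s in SOURCES:
        e = by_source.get(s)
        if e is None:
            parts.append(f"{s.capitalize()} ✗ (missing)")
        elif e.age_h > MAX_AGE_H[s]:
            parts.append(f"{s.capitalize()} ✗ ({e.age_h:g}h stale)")
        else:
            parts.append(f"{s.capitalize()} ✓ ({e.age_h:g}h)")
    return " | ".join(parts)

def classify_reachability(f: Finding) -> tuple[str, str]:
    """(class, confidence). Only fresh evidence votes. One fresh source showing a path makes the
    finding reachable; confidence grows with agreeing sources and drops to LOW on conflict.
    No fresh vote at all is 'unknown', never 'not_reachable'."""
    votes = [e.verdict for e in fresh_evidence(f) if e.verdict != "unknown"]
    if not votes:
        return "unknown", "NONE"
    cls = "reachable" if "reachable" in votes else "not_reachable"
    agreeing = votes.count(cls)
    if agreeing < len(votes):
        return cls, "LOW"
    return cls, ("HIGH" if agreeing >= 2 else "MEDIUM")

def risk_label(f: Finding, feeds_stale: bool) -> str:
    """What a row may claim: 'at-risk' when reachable; 'clean' only when feeds, SBOM and
    evidence are all fresh and negative; otherwise 'unverified' (the Data Confidence case)."""
    cls, _ = classify_reachability(f)
    if cls == "reachable":
        return "at-risk"
    if feeds_stale or cls == "unknown" or sbom_status(f) != "ok":
        return "unverified"
    return "clean"


# Constructed sample findings mirroring the rows in the Findings Explorer mock.
SAMPLE = [
    Finding("us-prod", "user-service", "CVE-2026-1234", "openssl", "CRIT",
            [Evidence("image", "reachable", 1), Evidence("runtime", "reachable", 26)], sbom_age_h=26),
    Finding("us-prod", "api-gateway", "CVE-2026-9001", "log4j", "HIGH",
            [Evidence("build", "not_reachable", 3), Evidence("image", "not_reachable", 2),
             Evidence("runtime", "not_reachable", 1)], sbom_age_h=2),
    Finding("us-uat", "worker", "CVE-2026-2222", "glibc", "CRIT", [], sbom_pending=True),
]
```

The first sample reproduces the Finding Detail mock (Build missing, Image fresh, Runtime 26h stale) and yields `REACHABLE` at `MEDIUM` confidence with a `0/1/0` presence string; the third has no fresh evidence and a pending SBOM, so it is `unknown` and labelled `unverified` rather than silently dropping out of the critical count.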
### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Findings Explorer] --> B[Finding Detail]
  A --> C["Filter to Environment -> Env Detail"]
  A --> D["Filter to Bundle Version -> Bundle Version Detail"]
  A --> E[Open Vulnerability Detail]
  A --> F["Open VEX Hub (statement for CVE)"]
  A --> G["Open Exceptions (waiver scope)"]
  A --> H["Export filtered set -> Evidence Export"]
  A --> I["Data Confidence -> Ops Data Integrity"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ FINDINGS EXPLORER
│ Formerly: Security ▸ Findings (findings.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL)   [Open Data Integrity]
│ Filters: Region ▾  Env ▾  EnvType ▾  BundleVersion ▾  Severity ▾  Reachability ▾  SBOM ▾
│ Hybrid evidence: Build ✓/✗  Image ✓/✗  Runtime ✓/✗      Time window ▾ (24h/7d/30d)
│ Actions: [Export filtered findings] [Open as Evidence Attachment]
├──────────────────────────────────────────────────────────────────────────────────────────
│ Findings (env‑context)
│   Env       │ Component      │ CVE         │ Package   │ Severity  │ Reach  │ B/I/R
│   ──────────┼────────────────┼─────────────┼───────────┼───────────┼────────┼──────
│   us-prod   │ user-service   │ 2026-1234   │ openssl   │ CRIT      │ YES    │ 0/1/0
│   us-uat    │ user-service   │ 2026-2222   │ glibc     │ CRIT      │ YES    │ 0/1/0
│   us-prod   │ api-gateway    │ 2026-9001   │ log4j     │ HIGH      │ NO     │ 1/1/1
│ Click a row → Finding Detail
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.4 Security screen — Finding Detail (new, minimal but necessary)

### Formerly

* No explicit “Finding Detail” screen shown; users would pivot between:
  * Vulnerabilities list
  * SBOM Graph
  * VEX Hub
  * Exceptions

  …without a single “case file.”

### Why changed like this

This is the decision artifact:

* “Is it reachable?” and **why** (and with what hybrid evidence)
* What envs/bundles are impacted
* Whether VEX exists / whether an exception exists
* Links to approvals blocked by this finding

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Finding Detail] --> B["Reachability evidence (B/I/R) + age"]
  A --> C[Impacted envs + bundle versions]
  A --> D["Related CVE record -> Vulnerability Detail"]
  A --> E["VEX statements -> VEX Hub"]
  A --> F["Exceptions -> Exceptions"]
  A --> G["Blocked approvals -> Approvals"]
  A --> H["Export case -> Evidence Export"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ FINDING DETAIL
│ Formerly: implicit drilldowns from Findings/Vulnerabilities/SBOM Graph (no unified “case file”)
├──────────────────────────────────────────────────────────────────────────────────────────
│ CVE: CVE-2026-1234        Package: openssl        Severity: CRITICAL
│ Component: user-service v3.0.0-rc1   digest sha256:2222...
│ Environment: US-East/us-prod
│ Reachability: REACHABLE (confidence: MEDIUM)
│ Hybrid evidence: Build ✗ (missing) | Image ✓ (1h) | Runtime ✗ (26h stale)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Impact
│   - Environments: us-prod (crit reachable), us-uat (crit reachable)
│   - Bundle versions: Platform 1.3.0-rc1 (manifest sha256:beef...)
│   - Approvals blocked: 1   [Open approvals filtered]
├──────────────────────────────────────────────────────────────────────────────────────────
│ Disposition
│   VEX: none found | Exceptions: none active
│   Actions: [Create Exception Request] [Search/Import VEX] [Export as Evidence]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.5 Security screen — Vulnerabilities Explorer

### Formerly

* **Security → Vulnerabilities** (`vulnerabilities.png`): CVE catalog list.

### Why changed like this

This remains the catalog view, but becomes **release-relevant** by adding:

* “impacted environments count”
* “crit reachable envs count”
* “affected bundle versions count”
* quick filters: “only affecting prod”, “only reachable”, “only without VEX”, “only with expiring exception”

Reachability remains **2nd-class**: it is derived from correlated findings, not a separate domain.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Vulnerabilities Explorer] --> B[Vulnerability Detail]
  A --> C["Open Findings (filtered by CVE)"]
  A --> D["Open VEX Hub (statements for CVE)"]
  A --> E["Open Exceptions (scoped to CVE)"]
  A --> F["Open SBOM Graph (package path)"]
  A --> G["Export report -> Evidence Export"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ VULNERABILITIES EXPLORER
│ Formerly: Security ▸ Vulnerabilities (vulnerabilities.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Filters: Severity ▾  Has VEX ▾  Has Exception ▾  Reachable in Prod ▾  Window ▾
│ Data Confidence banner (if stale): WARN (NVD stale 3h)   [Open Data Integrity]
├──────────────────────────────────────────────────────────────────────────────────────────
│   CVE        │ Severity │ Package  │ Impacted envs │ CritR envs │ Disposition
│   ───────────┼──────────┼──────────┼───────────────┼────────────┼────────────────
│   2026-1234  │ CRIT     │ openssl  │ 2             │ 2          │ no VEX / no exc
│   2026-9001  │ HIGH     │ log4j    │ 4             │ 0          │ VEX present
│ Click a CVE → Vulnerability Detail
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.6 Security screen — Vulnerability Detail (new, minimal but necessary)

### Formerly

* No explicit detail page shown; users used the SBOM Graph or external CVE pages and then filtered Findings.

### Why changed like this

This is the “CVE dossier” inside Stella:

* shows where it hits (envs/bundles/components)
* reachability distribution
* VEX statements and exceptions status
* links to SBOM Graph paths and evidence export

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Vulnerability Detail] --> B["Impacted envs/bundles/components"]
  A --> C[Reachability distribution]
  A --> D[VEX statements]
  A --> E["Exceptions / waivers"]
  A --> F[SBOM Graph path explorer]
  A --> G[Export as evidence report]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ VULNERABILITY DETAIL: CVE-2026-1234
│ Formerly: inferred via Vulnerabilities list + Findings filters + external CVE lookup
├──────────────────────────────────────────────────────────────────────────────────────────
│ Package: openssl        Severity: CRITICAL        EPSS/KEV: (if present via feeds)
│ Data confidence: WARN (NVD stale 3h)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Impact summary
│   Impacted envs: 2 (Prod impacted: 1)
│   Findings: 3 total | Reachable: 3 | Not reachable: 0 | Unknown: 0
│   Affected components: user-service sha256:2222...
│   Affected bundle versions: Platform 1.3.0-rc1 (sha256:beef...)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Disposition
│   VEX: none | Exceptions: none
│   Actions: [Open Findings] [Open SBOM Graph] [Create Exception] [Export Report]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.7 Security screen — SBOM Lake

### Formerly

* **Security → SBOM Lake** (`sbom lake.png`): raw SBOM index / ingestion storage view.

### Why changed like this

Keep it intact, but reframe it as **backend exploration**:

* clearly marked as “data plane”
* supports filtering by digest / component / bundle version / env
* adds a “Used in decisions” panel (which approvals/promotions reference this SBOM snapshot)

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[SBOM Lake] --> B["SBOM Record Detail (by digest)"]
  A --> C["Pivot to Findings (derived)"]
  A --> D["Pivot to SBOM Graph (relationships)"]
  A --> E[Pivot to Bundle Version Detail]
  A --> F["Export SBOM snapshot -> Evidence"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ SBOM DATA ▸ SBOM LAKE
│ Formerly: Security ▸ SBOM Lake (sbom lake.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Purpose: raw SBOM store / index (data plane). Use Findings/Vulns for decision views.
│ Filters: Digest ▾  Component ▾  BundleVersion ▾  Env ▾  Freshness ▾
│ Actions: [Export SBOM snapshot] [Open derived Findings]
├──────────────────────────────────────────────────────────────────────────────────────────
│ SBOM Records
│   sha256:1111...  api-gateway   generated: 2h ago   format: SPDX  status: OK
│   sha256:2222...  user-service  generated: 26h ago  format: SPDX  status: OK (STALE)
│   sha256:4444...  worker        generated: —        format: —     status: PENDING
│ Click record → SBOM Record Detail
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.8 Security screen — SBOM Graph

### Formerly

* **Security → SBOM Graph** (`sbom graph.png`): graph traversal of dependencies.

### Why changed like this

Keep intact, but make it **decision-connected**:

* start from **bundle version** or **env deployed digest** as entry points
* show “paths to vulnerable package”
* add “show reachable paths only” as an overlay (2nd-class reachability filter)

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[SBOM Graph] --> B["Select root: env/bundle/digest/package"]
  A --> C[Graph view + path explorer]
  A --> D["Overlay: highlight vulnerable packages"]
  A --> E["Overlay: reachable-only / evidence source"]
  A --> F["Pivot: open Finding / Vulnerability detail"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ SBOM DATA ▸ SBOM GRAPH
│ Formerly: Security ▸ SBOM Graph (sbom graph.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Entry point (choose one):                          Overlays
│   (•) Deployed env: US-East/us-prod                [x] highlight CVEs
│   ( ) Bundle version: Platform 1.3.0-rc1           [ ] reachable only
│   ( ) Digest: sha256:2222...
│   ( ) Package: openssl
├──────────────────────────────────────────────────────────────────────────────────────────
│ Graph view (nodes: packages/components; edges: depends-on)
│   Path explorer: user-service → openssl → …
│   Click node → [Open Vulnerability] [Open Findings] [Open SBOM record]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.9 Security screen — VEX Hub

### Formerly

* **Security → VEX Hub** (`vex hub.png`): statement ingestion/management.

### Why changed like this

Keep intact, but align it to governance:

* show “statements affecting blocked approvals”
* show issuer trust status (links to Evidence → Trust & Signing)
* provide an “apply VEX to finding” workflow as a controlled, audited action

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[VEX Hub] --> B[VEX Statement Detail]
  A --> C["Filter by CVE/package/component/env"]
  A --> D["Issuer trust -> Trust & Signing"]
  A --> E["Apply statement -> affects Findings"]
  A --> F["Export VEX set -> Evidence"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ VEX & EXCEPTIONS ▸ VEX HUB
│ Formerly: Security ▸ VEX Hub (vex hub.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Filters: Issuer ▾  CVE ▾  Component ▾  Env ▾  Status ▾
│ Summary: Statements imported (24h): 12 | affecting blocked approvals: 1
│ Issuer trust: 2 trusted / 1 untrusted   [Open Trust & Signing]
├──────────────────────────────────────────────────────────────────────────────────────────
│ Statements
│   VendorA      CVE-2026-9001  status: not affected         scope: api-gateway   evidence: signed ✓
│   InternalSec  CVE-2026-1234  status: under investigation  scope: user-service  evidence: signed ✓
│   Actions: [Import] [Validate signatures] [Export]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

# 19.10 Security screen — Exceptions

### Formerly

* **Security → Exceptions** (`exceptions.png`): likely waivers, policy exceptions, risk acceptances.

### Why changed like this

Keep it intact, but force the “release governance shape”:

* exceptions are **time-bound**, **scoped** (env/bundle/component/CVE), and **audited**
* shows “exceptions expiring soon” prominently
* links to approvals using this exception (so you see the operational dependency)

### Screen graph (Mermaid)

```mermaid
flowchart TD
  A[Exceptions] --> B[Exception Detail]
  A --> C[Create exception request]
  A --> D["Link to Approval / Promotion"]
  A --> E["Link to Finding / Vulnerability"]
  A --> F["Export exception ledger -> Evidence"]
```

### ASCII mock

```text
┌──────────────────────────────────────────────────────────────────────────────────────────
│ SECURITY ▸ VEX & EXCEPTIONS ▸ EXCEPTIONS
│ Formerly: Security ▸ Exceptions (exceptions.png)
├──────────────────────────────────────────────────────────────────────────────────────────
│ Filters: Status ▾  Expiring <7d ▾  Env ▾  BundleVersion ▾  CVE ▾  Owner ▾
│ Summary: Active: 9 | Expiring soon: 4 | Used by pending approvals: 1
├──────────────────────────────────────────────────────────────────────────────────────────
│ Exceptions (waivers / risk acceptance)
│   Scope    │ CVE/Issue       │ Reason                │ Expires    │ Approvers  │ Used by
│   ─────────┼─────────────────┼───────────────────────┼────────────┼────────────┼────────────
│   us-prod  │ CVE-2026-9001   │ VEX says not affected │ 2026-03-01 │ sec+relmgr │ 0 approvals
│   eu-prod  │ policy override │ hotfix window         │ 2026-02-20 │ sec+relmgr │ 1 approval
│   Actions: [+ Request Exception] [Export ledger]
└──────────────────────────────────────────────────────────────────────────────────────────
```

---

## What this consolidation fixes (in practical terms)

* **Decision-first navigation**: security starts with “what blocks releases / where CritR exists”, not raw SBOM tooling.
* **Reachability is second-class but visible**: it is a column/filter everywhere it matters (Findings / Vulns / Detail), not a buried third-class afterthought.
* **Audit friendliness**: each screen has explicit export hooks into Evidence (decision packets, exception ledger, filtered findings sets).
* **No feature loss**: SBOM Lake/Graph, VEX Hub, Exceptions remain exactly as capabilities, just grouped and linked to approvals/releases/environment context.

---

If you want the next pack, **Pack 20** can do the same consolidation for **Evidence & Audit** (Evidence Bundles, Export Center, Replay/Verify, Trust & Signing) so audit outputs are “release/bundle/env centric” and still preserve all PoC screens.