# Analytics Console (SBOM Lake) The Console exposes SBOM analytics lake data under `Analytics > SBOM Lake`. This view is read-only and uses the analytics API endpoints documented in `docs/modules/analytics/README.md`. ## Access - Route: `/analytics/sbom-lake` - Required scopes: `ui.read` and `analytics.read` - Console admin bundles: `role/analytics-viewer`, `role/analytics-operator`, `role/analytics-admin` - Data freshness: the page surfaces the latest `dataAsOf` timestamp returned by the API. ## Filters The SBOM Lake page supports three filters that round-trip via URL query parameters: - Environment: `env` (optional, example: `Prod`) - Minimum severity: `severity` (optional, example: `high`) - Time window (days): `days` (optional, example: `90`) When a filter changes, the Console reloads all panels using the updated parameters. Supplier and license panels honor the environment filter alongside the other views. ## Panels The dashboard presents four summary panels: 1. Supplier concentration (top suppliers by component count) 2. License distribution (license categories and counts) 3. Vulnerability exposure (top CVEs after VEX adjustments) 4. Attestation coverage (provenance and SLSA 2+ coverage) Each panel shows a loading state, empty state, and summary counts. ## Trends Two trend panels are included: - Vulnerability trend: net exposure over the selected time window - Component trend: total components and unique suppliers The Console aggregates trend points by date and renders a simple bar chart plus a compact list. ## Fixable Backlog The fixable backlog table lists vulnerabilities with fixes available, grouped by component and service. The "Top backlog components" table derives a component summary from the same backlog data. ### CSV Export The "Export backlog CSV" action downloads a deterministic, ordered CSV with: - Service - Component - Version - Vulnerability - Severity - Environment - Fixed version ## Troubleshooting - If panels show "No data", verify that the analytics schema and materialized views are populated. - If an error banner appears, check the analytics API availability and ensure the tenant has `analytics.read`.