stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/ui/vulnerability-explorer.md
StellaOps Bot d63af51f84
Some checks failed
api-governance / spectral-lint (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
oas-ci / oas-validate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
up
2025-11-26 20:23:28 +02:00

3.1 KiB
Raw Permalink Blame History

Vulnerability Explorer

Imposed rule: Any exported or shared view must include the data sources and overlays applied (VEX, policy, reachability) to avoid out-of-context remediation decisions.

The Vulnerability Explorer provides deterministic tables and grouping to triage, explain, and act on vulns across SBOM graph data and VEX claims.

Table anatomy

  • Default columns: CVE/alias, package (PURL), version, severity, exploitability (EPSS/KEV), reachability, VEX status, fix version, policy verdict, last seen.
  • Sorting: primary by severity (desc), secondary by exploitability score, tertiary by PURL; ties broken by CVE.
  • Pagination: server-driven with stable cursors; page size defaults to 50, override via ?limit=.

Grouping & pivots

  • Group by package, CVE, image, or tenant. Each group shows counts by severity and VEX disposition.
  • “Why am I seeing this?” drawer explains grouping rules and shows upstream data sources for the group.
  • Export follows the active grouping; NDJSON includes group_key, items[], and overlay metadata.

Filters

  • Severity: critical/high/medium/low/none.
  • Exploitability: KEV flag, EPSS bucket, exploit maturity.
  • Reachability: reachable, conditionally reachable, unreachable, unknown.
  • VEX: affected, not_affected, under_investigation, disputed, contested.
  • Fix availability: has fix, no fix, downgrade available.
  • Policy verdict: allow, review, deny, staged verdicts (simulator).
  • Staleness: SBOM age, advisory feed age, VEX claim age.

Why drawer

  • Provides a structured explanation showing: data sources (SBOM digest, overlay epochs), policy inputs, VEX claims contributing to the verdict, and reachability evidence. Includes correlation IDs for API traces.
  • Always shows tenant and graph_cache_epoch to keep exports/audits reproducible.

Fix suggestions

  • Per-row “Fix” chip suggests the nearest patched version and source (vendor vs upstream), plus link to remediation doc if provided by advisory.
  • Bulk fix export produces an actions file: {purl, vuln, recommended_version, source, rationale} with SHA-256 manifest.
  • UI warns when fixes rely on contested VEX claims or stale advisories.

Actions & triage

  • Multi-select with bulk actions: create ticket, generate VEX waiver request, export SBOM diff, or open policy simulator with selected rows.
  • Policy simulator opens with current overlays and generates a simulated verdict for the selection; results can be saved as a “staged policy” view.

Accessibility

  • Keyboard shortcuts: g to toggle grouping, f to focus filters, w to open Why drawer on selected row, / to focus search.
  • Screen reader labels announce VEX and reachability state; focus order matches visual order; table rows support row headers.

Air-gap posture

  • All exports include overlays and cache epochs; offline bundles can be loaded via Import view to replay triage without network.
  • No live CVE enrichment calls from the UI; it relies solely on backend-provided overlays.

Related docs

  • docs/ui/sbom-graph-explorer.md
  • docs/api/graph.md
  • docs/api/vuln.md
  • docs/modules/graph/architecture-index.md