Stack-Trace/Exploit Path View

Module

Scanner

Status

IMPLEMENTED

Description

A dedicated "Stack-Trace Lens" UX component that renders exploit paths as interactive stack-trace visualizations, allowing security engineers to trace the call chain from entrypoint to vulnerable function. Combines backend exploit path grouping with a frontend visualization component.

What's Implemented

Exploit Path Grouping (Backend):
- src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs - IExploitPathGroupingService interface for grouping triage findings by their exploit path similarity
- src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs - ExploitPath model representing a call chain from entrypoint to vulnerable function
Path Explanation (Backend):
- src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathExplanationService.cs - PathExplanationService generating human-readable explanations of reachability paths
- src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathRenderer.cs - PathRenderer rendering call-graph paths as structured output (text, JSON, diagram-ready format)
Triage API:
- src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs - TriageInboxEndpoints REST API serving triage findings with exploit path data to frontend consumers
Call Path Models:
- src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/WitnessCallPathNode.cs - WitnessCallPathNode model for individual nodes in a call path
- src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/WitnessPathNode.cs - WitnessPathNode model for path traversal nodes

What's Missing

Stack-Trace Lens UI Component: No dedicated Angular component in src/Web/ that renders exploit paths as interactive stack-trace visualizations with:
- Collapsible call-chain frames (entrypoint -> intermediate calls -> vulnerable function)
- Syntax-highlighted source snippets at each frame (when source mapping is available)
- Reachability tier badge per frame (Confirmed/Likely/Present)
- Click-to-expand frame details (file path, line number, function signature)
Path Comparison View: No side-by-side comparison of multiple exploit paths reaching the same vulnerable function from different entrypoints
Path Sharing/Export: No URL-addressable deep links to specific exploit paths for sharing in issue trackers
Path Filtering: No filtering of exploit paths by reachability confidence, entrypoint type, or path length

Implementation Plan

Create ExploitPathViewComponent in src/Web/ as an Angular component consuming the TriageInboxEndpoints exploit path API
Implement collapsible stack-frame rendering with entrypoint -> call chain -> sink visualization
Add source snippet rendering using source-map data when available from the scanner
Add reachability tier badges per frame using the PathExplanationService output
Implement path comparison view for vulnerabilities with multiple exploit paths
Add deep-link URL routing for direct navigation to specific exploit paths
Add path filtering controls (confidence tier, entrypoint type, path length)

E2E Test Plan

Navigate to a triage finding with a known exploit path and verify the Stack-Trace Lens component renders the full call chain from entrypoint to vulnerable function
Verify each frame in the stack trace shows the correct function signature, file path, and reachability tier badge
Click to expand a frame and verify source snippet is displayed (when source mapping is available)
Verify collapsing intermediate frames hides call chain details while keeping entrypoint and sink visible
Open the path comparison view for a vulnerability with multiple exploit paths and verify side-by-side rendering
Copy the deep link URL for a specific exploit path, navigate to it in a new browser tab, and verify the same path is displayed
Apply path filtering by reachability confidence and verify only paths matching the selected tier are shown

Source: See feature catalog
Architecture: docs/modules/scanner/architecture.md

4.2 KiB Raw Blame History