git.stella-ops.org/docs/features/checked/scanner/exploit-path-grouping-service.md
2026-02-14 09:11:48 +02:00

Exploit Path Grouping Service (Attack Chain Triage)

Module

Scanner

Status

VERIFIED

Description

Groups vulnerability findings into exploit paths keyed by (artifact, package, vulnerable symbol, entry point) tuples, with a deterministic SHA-256 path ID derived from each tuple. Each path correlates its reachability evidence, VEX status, and active exceptions. When no reachability data is available, findings fall back to package-level grouping. Paths are sorted by aggregated risk score, highest first.

Implementation Details

  • Core Service:
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs - Interface for exploit path grouping
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs - Exploit path model with deterministic SHA-256 path IDs
  • API Integration:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs - Triage inbox with exploit path grouping
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/ProofBundleEndpoints.cs - Proof bundle endpoints including exploit path summaries (ExploitPathSummary)

E2E Test Plan

  • Scan an image with multiple vulnerabilities sharing the same entry point and verify they are grouped into a single exploit path
  • Verify exploit path IDs are deterministic SHA-256 hashes of (artifact, package, vulnerable symbol, entry point) tuples
  • Verify each exploit path correlates reachability evidence, VEX status, and active exceptions
  • Verify fallback to package-level grouping when no reachability data is available
  • Verify exploit paths are sorted by aggregated risk score (highest first)
  • Query the triage inbox via API and verify grouped findings are returned
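The grouping rule from the Description and the checks in the E2E Test Plan above, as an added Python model that is not the project's own C# code: findings carrying reachability evidence are keyed by the (artifact, package, vulnerable symbol, entry point) tuple, findings without it fall back to the package-level tuple, each path gets a SHA-256 ID over a canonical JSON encoding of its tuple, and paths are ordered by aggregated risk with a path-ID tie-break so output order is reproducible. The Finding fields, the canonical encoding, the risk weighting, and all sample identifiers are assumptions constructed for this example.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


# Constructed finding record; field names are assumptions, not the project's model.
@dataclass(frozen=True)
class Finding:
    artifact: str                             # e.g. image digest
    package: str                              # package URL
    vuln_id: str
    cvss: float
    vulnerable_symbol: Optional[str] = None   # None when no reachability evidence
    entry_point: Optional[str] = None         # None when no reachability evidence
    reachable: Optional[bool] = None          # None = unknown
    vex_status: str = "under_investigation"   # affected | not_affected | fixed | under_investigation
    exception_id: Optional[str] = None        # active triage exception, if any


def path_id(artifact: str, package: str, symbol: Optional[str], entry: Optional[str]) -> str:
    """Deterministic SHA-256 over a canonical JSON encoding of the grouping tuple (assumed encoding)."""
    canonical = json.dumps([artifact, package, symbol, entry], separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ExploitPath:
    path_id: str
    artifact: str
    package: str
    vulnerable_symbol: Optional[str]
    entry_point: Optional[str]
    grouping: str                    # "exploit_path" or "package" (fallback)
    findings: list = field(default_factory=list)

    def active_exceptions(self) -> list:
        return sorted({f.exception_id for f in self.findings if f.exception_id})

    def vex_summary(self) -> dict:
        return dict(Counter(f.vex_status for f in self.findings))

    def reachability(self) -> str:
        if any(f.reachable for f in self.findings):
            return "reachable"
        if all(f.reachable is None for f in self.findings):
            return "unknown"
        return "unreachable"

    def risk_score(self) -> float:
        """Assumed aggregation: sum CVSS of findings still in play, weighted by reachability."""
        total = 0.0
        for f in self.findings:
            if f.vex_status == "not_affected" or f.exception_id:
                continue  # VEX says not affected, or an active exception suppresses it
            if f.reachable is True:
                weight = 1.0
            elif f.reachable is None:
                weight = 0.25  # no reachability evidence: keep, but discount
            else:
                weight = 0.1
            total += f.cvss * weight
        return round(total, 2)


def group_findings(findings) -> list:
    """Group findings into exploit paths (or package-level fallback paths), highest risk first."""
    paths = {}
    for f in findings:
        if f.vulnerable_symbol is not None and f.entry_point is not None:
            key, grouping = (f.artifact, f.package, f.vulnerable_symbol, f.entry_point), "exploit_path"
        else:
            key, grouping = (f.artifact, f.package, None, None), "package"
        pid = path_id(*key)
        if pid not in paths:
            paths[pid] = ExploitPath(pid, *key, grouping)
        paths[pid].findings.append(f)
    # Highest risk first; tie-break on path id so output order is deterministic.
    return sorted(paths.values(), key=lambda p: (-p.risk_score(), p.path_id))


# Constructed sample findings (placeholder vulnerability and exception ids, not real advisories).
IMAGE = "sha256:constructed-image-digest"
SAMPLE_FINDINGS = [
    Finding(IMAGE, "pkg:npm/lodash@4.17.20", "VULN-0001", 7.5, "lodash.template", "POST /render", True, "affected"),
    Finding(IMAGE, "pkg:npm/lodash@4.17.20", "VULN-0002", 9.8, "lodash.template", "POST /render", True, "affected"),
    Finding(IMAGE, "pkg:npm/lodash@4.17.20", "VULN-0003", 5.3, "lodash.merge", "POST /render", True, "not_affected"),
    Finding(IMAGE, "pkg:deb/debian/zlib@1.2.11", "VULN-0004", 8.8),
    Finding(IMAGE, "pkg:deb/debian/zlib@1.2.11", "VULN-0005", 4.0, exception_id="EXC-constructed-1"),
]

if __name__ == "__main__":
    for p in group_findings(SAMPLE_FINDINGS):
        print(p.path_id[:12], p.grouping, p.package, p.entry_point,
              p.risk_score(), p.reachability(), p.vex_summary(), p.active_exceptions())
```

With the sample input, the two template findings collapse into one exploit path, the zlib findings land in a package-level fallback path whose reachability is reported as unknown, and the not_affected finding forms a path with zero risk that sorts last. Feeding the findings in reverse order yields the same path IDs in the same order, which is the property the determinism check in the test plan is after.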

Verification

Check                           Result
Tier 0 - Source files exist     PASS
Tier 1 - Build + code review    PASS
Tier 2 - Integration tests      PASS

Verified 2026-02-13T18:10:00Z