- Implemented ReachabilityCenterComponent for displaying asset reachability status with summary and filtering options.
- Added ReachabilityWhyDrawerComponent to show detailed reachability evidence and call paths.
- Created unit tests for both components to ensure functionality and correctness.
- Updated accessibility test results for the new components.
# VEX Evidence Gateway Contract (draft v0.1)
Scope: expose read-only VEX statement and evidence routes through the Web gateway with tenant scoping, deterministic ordering, and export helpers for offline bundles.
## Security / headers

- `Authorization: Bearer <token>` (or DPoP where configured)
- `X-StellaOps-Tenant: <tenantId>` (required)
- `X-Stella-Project: <projectId>` (optional)
- `X-Stella-Trace-Id: <traceId>` (optional; clients SHOULD send one)
- Scopes:
  - `vex:read` for list/detail/evidence
  - `vex:export` for export handlers
## Endpoints

- `GET /vex/statements` — list statements (tenant-scoped).
  - Query params: `vulnId`, `status`, `search`, `limit`, `continuationToken`
- `GET /vex/statements/{statementId}` — statement detail.
- `GET /vex/statements/{statementId}/evidence` — evidence links (signed URLs, optional DSSE).
- `GET /vex/statements/{statementId}/export?format=json|ndjson|spdx|cyclonedx` — export helper returning a signed URL and checksums.
## Error codes

Gateway maps upstream/validation errors to stable codes for SDK/UI:

- `ERR_AGG_BAD_REQUEST` (400)
- `ERR_AGG_UNAUTHORIZED` (401/403)
- `ERR_AGG_NOT_FOUND` (404)
- `ERR_AGG_RATE_LIMIT` (429)
- `ERR_AGG_UPSTREAM` (5xx)
- `ERR_AGG_UNKNOWN` (fallback)
## Caching & pagination

- `limit` max: 200.
- Cursor/paging uses `continuationToken` (opaque string).
- `ETag` MUST be stable over sorted payload; clients MAY send `If-None-Match`.
## Determinism rules

- Ordering: list responses sorted by `(statementId asc)` unless specified otherwise; ties break by `statementId`.
- Timestamps: ISO-8601 UTC.
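A minimal gateway-side handler for the header, error-code, pagination and determinism rules above, added here as an illustration and not part of the StellaOps gateway code: it enforces the required headers, clamps `limit` to 200, scopes results to the tenant, sorts by `statementId`, pages via an opaque cursor (assumed here to be base64url of the last id served), maps upstream statuses to the stable `ERR_AGG_*` codes, and derives an `ETag` over the canonical sorted payload so it does not depend on upstream input order. The sample store, header values and cursor encoding are constructed assumptions.

```python
import base64
import hashlib
import json

MAX_LIMIT = 200  # contract: `limit` max 200
# Stable error codes the gateway exposes to SDK/UI, keyed by upstream status.
_STATUS_TO_CODE = {400: "ERR_AGG_BAD_REQUEST", 401: "ERR_AGG_UNAUTHORIZED",
                   403: "ERR_AGG_UNAUTHORIZED", 404: "ERR_AGG_NOT_FOUND",
                   429: "ERR_AGG_RATE_LIMIT"}
# Constructed sample store (not real data); ids deliberately out of order.
SAMPLE_STORE = [
    {"statementId": "vex-003", "tenantId": "t1", "vulnId": "CVE-0000-0003", "status": "affected"},
    {"statementId": "vex-001", "tenantId": "t1", "vulnId": "CVE-0000-0001", "status": "not_affected"},
    {"statementId": "vex-002", "tenantId": "t2", "vulnId": "CVE-0000-0002", "status": "fixed"},
    {"statementId": "vex-004", "tenantId": "t1", "vulnId": "CVE-0000-0004", "status": "under_investigation"},
]

def map_error(status):
    """Map an upstream/validation HTTP status to the contract's stable code."""
    if status in _STATUS_TO_CODE:
        return _STATUS_TO_CODE[status]
    return "ERR_AGG_UPSTREAM" if 500 <= status <= 599 else "ERR_AGG_UNKNOWN"

def check_headers(headers):
    """Return an error code if the Bearer/DPoP credential or tenant header is missing."""
    scheme = headers.get("Authorization", "").split(" ", 1)[0]
    if scheme not in ("Bearer", "DPoP"):
        return "ERR_AGG_UNAUTHORIZED"
    if not headers.get("X-StellaOps-Tenant"):
        return "ERR_AGG_BAD_REQUEST"
    return None

def list_statements(store, headers, limit=MAX_LIMIT, continuation_token=None):
    """GET /vex/statements -> (status, body, etag) with tenant scoping and stable paging."""
    err = check_headers(headers)
    if err:
        return (401 if err == "ERR_AGG_UNAUTHORIZED" else 400), {"error": err}, None
    tenant = headers["X-StellaOps-Tenant"]
    limit = max(1, min(int(limit), MAX_LIMIT))  # clamp; never trust the client's limit
    # Assumption: the opaque cursor is base64url of the last statementId served.
    after = base64.urlsafe_b64decode(continuation_token).decode() if continuation_token else ""
    page = sorted((s for s in store if s["tenantId"] == tenant and s["statementId"] > after),
                  key=lambda s: s["statementId"])[:limit]
    body = {"items": page}
    if len(page) == limit:
        body["continuationToken"] = base64.urlsafe_b64encode(page[-1]["statementId"].encode()).decode()
    # ETag over canonical JSON (sorted keys, compact) of the ordered payload: independent of input order.
    etag = '"%s"' % hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
    return (304, None, etag) if headers.get("If-None-Match") == etag else (200, body, etag)
```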
## Samples

- `docs/api/gateway/samples/vex-statements-list.json`
- `docs/api/gateway/samples/vex-statement-detail.json`
- `docs/api/gateway/samples/vex-evidence-list.json`