- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
Vulnerability Explorer Overview (Detailed)
The Vulnerability Explorer is the evidence-linked triage surface that brings together SBOM facts, advisory/VEX evidence, reachability signals, policy explainability, and operator decisions into a single auditable workflow.
This document complements the high-level guide docs/20_VULNERABILITY_EXPLORER_GUIDE.md with additional detail and cross-links.
Core Objects
- Finding record: the current enriched view of a vulnerability for a specific artifact/context (tenant, artifact/image digest, policy version).
- History: append-only state transitions suitable for audit and replay.
- Triage actions: operator actions (assignment, comment, mitigation note, exception request) with provenance.
- Evidence references: stable pointers to evidence objects (SBOM slices, VEX observations/linksets, reachability proofs, explain traces, attestations).
Key Properties
- Narrative-first: default view answers “Can I ship? If not, why? What’s the smallest safe change?”
- Proof-linked: every important fact links to evidence (no “trust the UI”).
- Quiet by default, never silent: suppression/muting is reversible and auditable.
- Offline-ready: evidence bundles are verifiable without online lookups.
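The two properties "proof-linked" and "offline-ready" rest on the same mechanism: a verdict artifact gets a canonical hash that does not depend on how its inputs were ordered, and every evidence reference it carries resolves to a file whose SHA256 sum ships inside the bundle. The following is an added illustration, not code from the Vulnerability Explorer or the project; the verdict shape, the field names (`finding_id`, `from_state`, `to_state`, `kind`, `ref`), the `sha256sums` layout and the sample bundle contents are all assumptions chosen for the example.

```python
"""Canonical hashing of a verdict artifact and offline verification of its
evidence bundle. Added example; field names and bundle layout are assumed."""
import hashlib
import json


def canonical_json(obj) -> str:
    # Sorted keys, fixed separators, no ASCII escaping: byte-identical output
    # for semantically identical inputs regardless of construction order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def normalize_verdict(verdict: dict) -> dict:
    # Lists whose order carries no meaning are sorted by a stable key, so the
    # hash is the same whether producers emitted changes or evidence in
    # parallel or in a different order.
    norm = dict(verdict)
    norm["changes"] = sorted(
        verdict.get("changes", []),
        key=lambda c: (c["finding_id"], c["from_state"], c["to_state"]),
    )
    norm["evidence"] = sorted(
        verdict.get("evidence", []), key=lambda e: (e["kind"], e["ref"])
    )
    return norm


def canonical_hash(verdict: dict) -> str:
    data = canonical_json(normalize_verdict(verdict)).encode("utf-8")
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(verdict: dict, files: dict) -> dict:
    # `files` maps a bundle-relative path to its bytes; the sums table is the
    # offline equivalent of a SHA256SUMS file shipped next to the evidence.
    sums = {path: sha256_hex(data) for path, data in files.items()}
    return {
        "verdict": verdict,
        "verdict_hash": canonical_hash(verdict),
        "files": dict(files),
        "sha256sums": sums,
    }


def verify_bundle(bundle: dict) -> list:
    """Return a list of problems; an empty list means the bundle verifies
    with no network access at all."""
    problems = []
    expected = canonical_hash(bundle["verdict"])
    if bundle["verdict_hash"] != expected:
        problems.append("verdict hash mismatch")
    for path, digest in bundle["sha256sums"].items():
        data = bundle["files"].get(path)
        if data is None:
            problems.append(f"missing file: {path}")
        elif sha256_hex(data) != digest:
            problems.append(f"digest mismatch: {path}")
    # Proof-linked: every evidence reference must resolve inside the bundle.
    for ev in bundle["verdict"].get("evidence", []):
        if ev["ref"] not in bundle["sha256sums"]:
            problems.append(f"unresolved evidence ref: {ev['ref']}")
    return problems


# Constructed sample data (hypothetical identifiers, not real findings).
CHANGES = [
    {"finding_id": "F-2", "from_state": "open", "to_state": "mitigated"},
    {"finding_id": "F-1", "from_state": "new", "to_state": "open"},
]
EVIDENCE = [
    {"kind": "vex", "ref": "evidence/vex.json"},
    {"kind": "sbom", "ref": "evidence/sbom-slice.json"},
]
VERDICT_A = {"policy_version": "v1", "changes": CHANGES, "evidence": EVIDENCE}
# Same facts, different emission order: must hash identically.
VERDICT_B = {"policy_version": "v1", "changes": CHANGES[::-1], "evidence": EVIDENCE[::-1]}
FILES = {
    "evidence/vex.json": b'{"status":"not_affected"}',
    "evidence/sbom-slice.json": b'{"component":"example-lib"}',
}

if __name__ == "__main__":
    print(canonical_hash(VERDICT_A) == canonical_hash(VERDICT_B))
    print(verify_bundle(build_bundle(VERDICT_A, FILES)))
```

The design point is that ordering is normalized before hashing rather than after: a consumer that receives `VERDICT_B` can recompute the same hash as the producer of `VERDICT_A`, and a bundle whose evidence file was altered, or whose verdict cites evidence that was not shipped, fails `verify_bundle` without any online lookup.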
References
- High-level guide: docs/20_VULNERABILITY_EXPLORER_GUIDE.md
- Console operator guide: docs/15_UI_GUIDE.md
- Module dossier: docs/modules/vuln-explorer/architecture.md