git.stella-ops.org/docs/features/unchecked/scanner/vulnerability-first-triage-ux-with-exploit-path-grouping.md

Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles

Module

Scanner (with Attestor proof bundle integration)

Status

IMPLEMENTED

Description

A vulnerability-first triage inbox where findings are grouped by exploit path similarity rather than by CVE or component. Security engineers see clusters of findings that share the same attack vector (entrypoint -> call chain -> sink), which enables batch triage. The backend triage service, with its DB context, reachability subgraph extraction, exploit path grouping, and proof generation, exists. The UI triage inbox and queue components are partially complete.

What's Implemented

  • Exploit Path Grouping (Backend):
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs -- interface grouping findings by exploit path similarity
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs -- call chain from entrypoint to vulnerable function
    • src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/ -- unit tests for exploit path grouping logic
  • Triage Database and API:
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageDbContext.cs -- EF Core database context
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageFinding.cs -- finding entity with reachability classification and exploit path reference
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs -- REST API with exploit path grouping support
  • Triage Lanes: TriageEnums.cs -- ACTIVE, BLOCKED, MUTED_REACH, MUTED_VEX
  • Triage Status Service: TriageStatusService.cs -- state transitions across lanes
  • Evidence Integration: ProofBundleEndpoints.cs -- evidence bundles for triage decisions
  • Proof Graph Service: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs (with .Mutation, .Queries, .Subgraph) -- proof graph with subgraph extraction for evidence grouping
  • Micro Witness Evidence: MicroWitnessFunctionEvidence.cs, MicroWitnessBinaryRef.cs, MicroWitnessCveRef.cs -- function-level reachability evidence
  • Reachability Witness Payload: ReachabilityWitnessPayload.cs (with .Path), WitnessCallPathNode.cs -- witness payload with exploit call paths
  • Proof Spine System: ProofSpineRequest.cs, ProofSpineResult.cs -- proof spine for evidence bundle assembly
  • Sigstore/Evidence Pack Builders: SigstoreBundleBuilder.cs, ReleaseEvidencePackBuilder.cs -- builds proof bundles

What's Missing

  • Triage Inbox UI Component: No Angular component implementing the vulnerability-first triage inbox with exploit path cluster view, batch triage actions, cluster expansion, sort/filter by cluster size/severity/reachability
  • Exploit Path Similarity Algorithm: The IExploitPathGroupingService interface exists, but how complete the clustering/similarity algorithm behind it is remains unclear
  • Batch Triage API: No REST endpoint for applying a single triage decision to all findings in an exploit path cluster
  • Cluster Statistics: No API endpoint returning per-cluster severity and reachability distributions
  • Triage Dashboard: No dashboard showing triage progress (clusters triaged vs. remaining, MTTR per cluster)
  • Triage Action Workflow: No triage action buttons (accept risk, suppress, escalate, remediate) with DSSE-signed action records
  • Triage Priority Scoring: No scoring that prioritizes vulnerabilities by exploit path depth and reachability confidence
  • Inline Proof Bundle Viewer: No inline viewer showing proof bundle contents (DSSE envelope, Rekor receipt, Merkle proof) within the triage UI

Implementation Plan

  • Complete exploit path similarity algorithm using common call-chain prefix grouping with configurable similarity threshold
  • Add BatchTriageEndpoints for applying triage decisions to entire exploit path clusters
  • Add cluster statistics endpoint returning per-cluster severity and reachability distributions
  • Create TriageInboxComponent in src/Web/ with exploit path cluster view, batch actions, and filtering
  • Implement triage action workflow with DSSE-signed action records
  • Add triage priority scoring based on path depth and confidence
  • Build inline proof bundle viewer
  • Create triage dashboard with progress metrics
  • Add e2e tests for grouping, triage actions, and batch operations
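To make the planned grouping and batch steps concrete, here is an added example (not code from the StellaOps repository) that clusters constructed findings by the common prefix of their entrypoint-to-sink call chains against a configurable threshold, as the plan above describes, and then moves a whole cluster to one lane as the planned batch endpoint would. The similarity metric, the greedy clustering, the Finding record, and the sample findings are assumptions; only the four lane names come from this page.

```python
from dataclasses import dataclass
# Lane names mirror the four lanes listed on this page; everything else here is assumed.
LANES = {"ACTIVE", "BLOCKED", "MUTED_REACH", "MUTED_VEX"}


@dataclass
class Finding:
    finding_id: str
    cve: str
    call_path: tuple  # entrypoint -> intermediate calls -> vulnerable sink
    lane: str = "ACTIVE"


def prefix_similarity(a: tuple, b: tuple) -> float:
    """Shared call-chain prefix length divided by the longer path length (0.0..1.0)."""
    if not a or not b:
        return 0.0  # a finding with no reachability path cannot share an attack vector
    # index of the first differing node, or the shorter length if one path is a prefix of the other
    common = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
    return common / max(len(a), len(b))


def group_by_exploit_path(findings, threshold: float = 0.6):
    """Greedy single-pass clustering: a finding joins the first cluster whose seed path
    is at least `threshold` similar, otherwise it seeds a new cluster."""
    clusters = []
    for f in findings:
        for cluster in clusters:
            if prefix_similarity(cluster[0].call_path, f.call_path) >= threshold:
                cluster.append(f)
                break
        else:
            clusters.append([f])
    return clusters


def batch_triage(cluster, lane: str) -> int:
    """Move every finding in a cluster to one lane; returns the affected finding count."""
    if lane not in LANES:
        raise ValueError(f"unknown lane {lane!r}")
    for f in cluster:
        f.lane = lane
    return len(cluster)


# Constructed sample: CVE ids are placeholders and the call chains are illustrative.
SAMPLE = [
    Finding("F1", "CVE-0000-0001", ("api.Upload", "svc.Parse", "lib.Decompress", "zlib.inflate")),
    Finding("F2", "CVE-0000-0002", ("api.Upload", "svc.Parse", "lib.Decompress", "xml.parse")),
    Finding("F3", "CVE-0000-0003", ("api.Upload", "svc.Parse", "lib.Image", "png.decode")),
    Finding("F4", "CVE-0000-0004", ("cron.Job", "svc.Report", "lib.Template", "tpl.render")),
    Finding("F5", "CVE-0000-0001", ("api.Upload", "svc.Parse", "lib.Decompress", "zlib.inflate", "zlib.copy")),
]
```

With the default threshold, F1, F2 and F5 land in one cluster even though they carry different CVEs and one has a deeper path, while F3 (same entrypoint, different sink) and F4 (different entrypoint) stay separate; raising the threshold to 0.9 splits every finding into its own cluster.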

E2E Test Plan

  • Open triage inbox and verify findings are grouped by exploit path similarity
  • Expand a cluster and verify all individual findings with CVE, severity, and reachability tier
  • Apply batch "mute" action to entire cluster and verify all findings move to MUTED_REACH lane
  • Sort clusters by highest severity and verify correct ordering
  • Filter clusters by reachability tier "Confirmed"
  • Open triage dashboard and verify correct counts
  • Verify batch triage API returns correct affected finding count
  • Triage infrastructure: src/Scanner/__Libraries/StellaOps.Scanner.Triage/
  • Proof graph: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/

Merged From

  • attestor/vulnerability-first-triage-ux-with-exploit-path-grouping-and-proof-bundles.md (deleted)