Pack 19 — Security consolidated around release decisions + audit outputs (preserving all PoC screens; reachability stays 2nd‑class)
Below:
- Security menu graph (Mermaid)
- For each screen:
  - Formerly (old name/location)
  - Why moved/reshaped
  - Screen navigation graph (Mermaid)
  - ASCII mock
19.1 Security menu graph (Mermaid)
This keeps every PoC screen, but organizes them in a “Stella Ops” order: decision‑centric first, then exploration, then data backends, then attestations/waivers.
flowchart TD
SEC["Security (ROOT)"] --> SEC_OV[Risk Overview]
SEC --> SEC_FIND[Findings Explorer]
SEC --> SEC_VULN[Vulnerabilities Explorer]
SEC --> SEC_SBOM[SBOM Data]
SEC_SBOM --> SEC_LAKE[SBOM Lake]
SEC_SBOM --> SEC_GRAPH[SBOM Graph]
SEC --> SEC_VEX["VEX & Exceptions"]
SEC_VEX --> SEC_VEXH[VEX Hub]
SEC_VEX --> SEC_EXC[Exceptions]
%% Cross-links (no duplication); labels with parentheses, ampersands or arrows are quoted so Mermaid parses them
SEC_OV -. "data confidence" .-> OPS_DI[Ops: Data Integrity]
SEC_FIND -. "open env" .-> RC_ENV[Release Control: Env Detail]
SEC_FIND -. "open bundle version" .-> BVER[Bundles: Bundle Version Detail]
SEC_FIND -. "export decision pack" .-> EVID[Evidence: Export Center]
SEC_VULN -. "graph" .-> SEC_GRAPH
SEC_EXC -. "approval gating" .-> APPR[Approvals]
SEC_VEXH -. "issuer trust" .-> TRUST["Evidence: Trust & Signing"]
Key consolidation rule:
- Findings = “what is actually present in a specific env/bundle/digest, and is it reachable?”
- Vulnerabilities = “the CVE/catalog view (global), then drill down to where it hits.”
- SBOM Lake/Graph = storage/exploration backends (kept, but demoted under “SBOM Data”).
- VEX/Exceptions = disposition/waiver layer tied to approvals and audit.
19.2 Security screen — Risk Overview
Formerly
- Security → Overview (security overview.png) (cards and summary, not tightly tied to env/bundle decision outcomes)
Why changed like this
This becomes the security commander’s “brief”: what blocks promotions, which envs have critical reachable findings, SBOM freshness/coverage, VEX/exceptions posture, and data confidence (feeds/jobs/integrations).
Reachability is not promoted to a top-level area; it appears as:
- summary metrics
- filters
- drilldowns into Findings.
Screen graph (Mermaid)
flowchart TD
A[Security: Risk Overview] --> B[Critical reachable by environment]
A --> C[Blocked approvals due to security]
A --> D["SBOM coverage & freshness summary"]
A --> E[Top CVEs impacting deployed bundles]
A --> F[VEX coverage / exceptions expiring soon]
A --> G["Data Confidence banner -> Ops Data Integrity"]
A --> H["Drilldowns -> Findings Explorer"]
A --> I["Drilldowns -> Vulnerabilities Explorer"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ RISK OVERVIEW │
│ Formerly: Security ▸ Overview (security overview.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL; Jenkins DEGRADED; DLQ runtime 1,230) │
│ [Open Ops → Data Integrity] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Snapshot (24h) │
│ Envs with Crit Reachable: 2 Total Crit Reachable: 3 │
│ Envs SBOM stale/missing: 3 VEX coverage: 62% │
│ Approvals blocked (security): 2 Exceptions expiring < 7d: 4 │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Critical Reachable by Environment │
│ US-East/us-prod: 2 US-East/us-uat: 1 EU-West/eu-prod: 0 APAC/apac-prod: 0 │
│ [Open Findings filtered to Crit Reachable] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Top drivers (click to drill) │
│ CVE-2026-1234 (openssl) → affects user-service in US-East/us-prod (reachable) │
│ CVE-2026-9001 (log4j) → affects api-gateway (not reachable; VEX present) │
│ [Open Vulnerabilities Explorer] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ SBOM posture │
│ Coverage: 98% digests scanned | Freshness: 3 envs > 24h | Pending scans: 1 digest │
│ [Open Findings] [Open SBOM Lake] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ VEX & Exceptions │
│ VEX statements imported (24h): 12 | Exceptions active: 9 | expiring soon: 4 │
│ [Open VEX Hub] [Open Exceptions] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.3 Security screen — Findings Explorer
Formerly
- Security → Findings (findings.png) (global list; in PoC the table looked empty / placeholder)
Why changed like this
Findings are what matter for release decisions. This screen becomes the primary explorer with first-class filters:
- Region / Env / Env type
- Bundle version (manifest digest)
- Component digest
- Severity
- Reachability class (reachable / not reachable / unknown)
- Hybrid evidence presence (B/I/R = Build/Image/Runtime) as filters/columns (2nd-class, but not buried)
- SBOM freshness status (ok/stale/missing/pending)
It also shows a Data Confidence banner so you never misread stale results as “clean”.
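As an added worked example (not Stella Ops code), the rule that turns the B/I/R evidence and SBOM freshness into the Reachability, confidence and Data Confidence values the explorer shows, including the case the Finding Detail mock displays (Build missing, Image fresh, Runtime 26h stale, SBOM 26h old). The data model, the 24h staleness threshold and the confidence policy are assumptions for the example; the point is that a missing or stale input lowers confidence and raises a warning instead of being read as “not reachable”.

```python
"""Reachability class + data-confidence gate for one env-context finding (added example)."""
from dataclasses import dataclass
from typing import Optional

EVIDENCE_MAX_AGE_H = 24.0  # assumed policy: evidence older than this is stale and carries no verdict
SOURCES = ("B", "I", "R")  # Build, Image, Runtime: the page's "hybrid evidence"


@dataclass(frozen=True)
class Evidence:
    source: str                    # "B", "I" or "R"
    verdict: Optional[str]         # "reachable", "not_reachable", or None when the source produced nothing
    age_h: Optional[float] = None  # hours since the observation; None when missing

    @property
    def fresh(self) -> bool:
        return (self.verdict is not None and self.age_h is not None
                and self.age_h <= EVIDENCE_MAX_AGE_H)


@dataclass(frozen=True)
class Finding:
    env: str
    component: str
    cve: str
    severity: str      # "CRITICAL", "HIGH", ...
    sbom_status: str   # "ok" | "stale" | "missing" | "pending"
    evidence: tuple    # Evidence records, at most one per source


def classify(evidence) -> tuple:
    """Map hybrid evidence to (reach_class, confidence, bir).

    reach_class: REACHABLE | NOT_REACHABLE | UNKNOWN
    confidence:  HIGH | MEDIUM | LOW
    bir:         the "B/I/R" column, counting only fresh sources, e.g. "0/1/0"

    Assumed policy: a fresh 'reachable' verdict always wins, and a fresh runtime
    sighting is direct evidence (HIGH); NOT_REACHABLE is a negative claim, so it
    needs corroboration before it gets more than LOW confidence; stale or missing
    sources never supply a verdict, they only lower confidence.
    """
    by_src = {e.source: e for e in evidence}
    bir = "/".join("1" if s in by_src and by_src[s].fresh else "0" for s in SOURCES)
    fresh = [e for e in evidence if e.fresh]
    if not fresh:
        return "UNKNOWN", "LOW", bir
    yes = [e for e in fresh if e.verdict == "reachable"]
    no = [e for e in fresh if e.verdict == "not_reachable"]
    if yes:
        if any(e.source == "R" for e in yes):
            conf = "HIGH"    # observed at runtime
        elif no:
            conf = "LOW"     # static sources disagree: keep REACHABLE, flag it
        else:
            conf = "HIGH" if len(yes) >= 2 else "MEDIUM"
        return "REACHABLE", conf, bir
    return "NOT_REACHABLE", {3: "HIGH", 2: "MEDIUM"}.get(len(no), "LOW"), bir


def evaluate(f: Finding) -> dict:
    """Decision view of a finding: reachability plus the data-confidence gate.

    A CRITICAL finding stops counting as "crit reachable" only when it is
    NOT_REACHABLE with at least MEDIUM confidence AND its SBOM is fresh. Stale or
    missing SBOMs and absent evidence are surfaced as warnings, never as "clean".
    """
    reach, conf, bir = classify(f.evidence)
    warnings = []
    if f.sbom_status != "ok":
        warnings.append(f"SBOM {f.sbom_status}")
    if reach == "UNKNOWN":
        warnings.append("no fresh reachability evidence")
    cleared = reach == "NOT_REACHABLE" and conf != "LOW" and f.sbom_status == "ok"
    return {
        "reach": reach, "confidence": conf, "bir": bir,
        "crit_reachable": f.severity == "CRITICAL" and not cleared,
        "data_confidence": "WARN" if warnings else "OK",
        "warnings": warnings,
    }


# Constructed samples mirroring the mocks: Build missing, Image fresh, Runtime
# observation 26h old (stale), SBOM generated 26h ago -> REACHABLE / MEDIUM / WARN.
USER_SERVICE = Finding("us-prod", "user-service", "CVE-2026-1234", "CRITICAL", "stale", (
    Evidence("B", None),
    Evidence("I", "reachable", 1.0),
    Evidence("R", "reachable", 26.0),
))
API_GATEWAY = Finding("us-prod", "api-gateway", "CVE-2026-9001", "HIGH", "ok", (
    Evidence("B", "not_reachable", 2.0),
    Evidence("I", "not_reachable", 2.0),
    Evidence("R", "not_reachable", 0.5),
))

if __name__ == "__main__":
    for f in (USER_SERVICE, API_GATEWAY):
        print(f.env, f.component, f.cve, evaluate(f))
```

The asymmetry is deliberate: one fresh source saying “reachable” is enough to keep a critical finding blocking, but one source saying “not reachable” is not enough to clear it, and nothing clears it while the SBOM behind it is stale or missing.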
Screen graph (Mermaid)
flowchart TD
A[Findings Explorer] --> B[Finding Detail]
A --> C["Filter to Environment -> Env Detail"]
A --> D["Filter to Bundle Version -> Bundle Version Detail"]
A --> E[Open Vulnerability Detail]
A --> F["Open VEX Hub (statement for CVE)"]
A --> G["Open Exceptions (waiver scope)"]
A --> H["Export filtered set -> Evidence Export"]
A --> I["Data Confidence -> Ops Data Integrity"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ FINDINGS EXPLORER │
│ Formerly: Security ▸ Findings (findings.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL) [Open Data Integrity] │
│ Filters: Region ▾ Env ▾ EnvType ▾ BundleVersion ▾ Severity ▾ Reachability ▾ SBOM ▾ │
│ Hybrid evidence: Build ✓/✗ Image ✓/✗ Runtime ✓/✗ Time window ▾ (24h/7d/30d) │
│ Actions: [Export filtered findings] [Open as Evidence Attachment] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Findings (env‑context) │
│ ┌──────────────┬──────────────┬─────────────┬──────────────┬──────────┬─────────┬───────────┐ │
│ │ Env │ Component │ CVE │ Package │ Severity │ Reach │ B/I/R │ │
│ ├──────────────┼──────────────┼─────────────┼──────────────┼──────────┼─────────┼───────────┤ │
│ │ us-prod │ user-service │ 2026-1234 │ openssl │ CRIT │ YES │ 0/1/0 │ │
│ │ us-uat │ user-service │ 2026-2222 │ glibc │ CRIT │ YES │ 0/1/0 │ │
│ │ us-prod │ api-gateway │ 2026-9001 │ log4j │ HIGH │ NO │ 1/1/1 │ │
│ └──────────────┴──────────────┴─────────────┴──────────────┴──────────┴─────────┴───────────┘ │
│ Click a row → Finding Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.4 Security screen — Finding Detail (new, minimal but necessary)
Formerly
- No explicit “Finding Detail” screen shown; users would pivot between:
  - Vulnerabilities list
  - SBOM Graph
  - VEX Hub
  - Exceptions
  …without a single “case file.”
Why changed like this
This is the decision artifact:
- “Is it reachable?” and why (and with what hybrid evidence)
- What envs/bundles are impacted
- Whether VEX exists / whether an exception exists
- Links to approvals blocked by this finding
Screen graph (Mermaid)
flowchart TD
A[Finding Detail] --> B["Reachability evidence (B/I/R) + age"]
A --> C[Impacted envs + bundle versions]
A --> D["Related CVE record -> Vulnerability Detail"]
A --> E["VEX statements -> VEX Hub"]
A --> F["Exceptions -> Exceptions"]
A --> G["Blocked approvals -> Approvals"]
A --> H["Export case -> Evidence Export"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ FINDING DETAIL │
│ Formerly: implicit drilldowns from Findings/Vulnerabilities/SBOM Graph (no unified “case file”) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVE: CVE-2026-1234 Package: openssl Severity: CRITICAL │
│ Component: user-service v3.0.0-rc1 digest sha256:2222... │
│ Environment: US-East/us-prod │
│ Reachability: REACHABLE (confidence: MEDIUM) │
│ Hybrid evidence: Build ✗ (missing) | Image ✓ (1h) | Runtime ✗ (26h stale) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Impact │
│ - Environments: us-prod (crit reachable), us-uat (crit reachable) │
│ - Bundle versions: Platform 1.3.0-rc1 (manifest sha256:beef...) │
│ - Approvals blocked: 1 [Open approvals filtered] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Disposition │
│ VEX: none found | Exceptions: none active │
│ Actions: [Create Exception Request] [Search/Import VEX] [Export as Evidence] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.5 Security screen — Vulnerabilities Explorer
Formerly
- Security → Vulnerabilities (vulnerabilities.png) (CVE catalog list)
Why changed like this
This remains the catalog view, but becomes release-relevant by adding:
- “impacted environments count”
- “crit reachable envs count”
- “affected bundle versions count”
- quick filters: “only affecting prod”, “only reachable”, “only without VEX”, “only with expiring exception”.
Reachability remains 2nd-class: it’s derived from correlated findings, not a separate domain.
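An added worked example (not Stella Ops code) of the consolidation rule above and in 19.1: the catalog row is derived from env-context findings, not stored separately. It computes the three release-relevant counts (impacted envs, crit reachable envs, affected bundle versions) and the four quick filters from a constructed set of findings. Field names, the 7-day “expiring soon” window and the disposition strings are assumptions for the example; reachability is read off each finding rather than recomputed here, which is what keeps it second-class.

```python
"""Catalog (per-CVE) rollup derived from env-context findings (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class EnvFinding:
    """One row of the Findings Explorer (constructed model, not the product's schema)."""
    env: str
    env_type: str      # "prod" | "uat" | ...
    bundle: str        # bundle version (a manifest digest in the real system)
    component: str
    cve: str
    package: str
    severity: str
    reach: str         # REACHABLE | NOT_REACHABLE | UNKNOWN, already derived per finding
    vex_status: Optional[str] = None          # e.g. "not_affected"; None when no statement matches
    exception_expires: Optional[date] = None  # expiry of an active exception covering this finding


def rollup(findings, today, expiring_within=timedelta(days=7)):
    """Aggregate findings into one catalog row per CVE, decision-relevant counts first.

    Counts are over distinct envs / bundle versions, so a CVE hitting three
    components in one env still counts that env once. "crit_reachable_envs" is
    the page's "CritR envs": envs holding a CRITICAL finding classified REACHABLE.
    """
    acc = {}
    for f in findings:
        r = acc.setdefault(f.cve, {
            "cve": f.cve, "package": f.package, "severity": f.severity,
            "envs": set(), "crit_envs": set(), "bundles": set(),
            "affects_prod": False, "reachable": False, "has_vex": False, "exception_expiring": False,
        })
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[r["severity"]]:
            r["severity"] = f.severity
        r["envs"].add(f.env)
        r["bundles"].add(f.bundle)
        r["affects_prod"] |= f.env_type == "prod"
        r["reachable"] |= f.reach == "REACHABLE"
        if f.severity == "CRITICAL" and f.reach == "REACHABLE":
            r["crit_envs"].add(f.env)
        r["has_vex"] |= f.vex_status is not None
        if f.exception_expires is not None and today <= f.exception_expires <= today + expiring_within:
            r["exception_expiring"] = True
    rows = []
    for r in acc.values():
        disp = [t for t, on in (("VEX present", r["has_vex"]),
                                ("exception expiring", r["exception_expiring"])) if on]
        rows.append({
            "cve": r["cve"], "severity": r["severity"], "package": r["package"],
            "impacted_envs": len(r["envs"]),
            "crit_reachable_envs": len(r["crit_envs"]),
            "affected_bundles": len(r["bundles"]),
            "affects_prod": r["affects_prod"], "reachable": r["reachable"],
            "has_vex": r["has_vex"], "exception_expiring": r["exception_expiring"],
            "disposition": " / ".join(disp) if disp else "no VEX / no exc",
        })
    # decision-first ordering: most crit-reachable envs first, then severity, then CVE id
    rows.sort(key=lambda r: (-r["crit_reachable_envs"], -SEVERITY_RANK[r["severity"]], r["cve"]))
    return rows


def quick_filter(rows, only_prod=False, only_reachable=False,
                 only_without_vex=False, only_expiring_exception=False):
    """The explorer's quick filters, applied to rollup() output (AND-combined)."""
    return [r for r in rows
            if (not only_prod or r["affects_prod"])
            and (not only_reachable or r["reachable"])
            and (not only_without_vex or not r["has_vex"])
            and (not only_expiring_exception or r["exception_expiring"])]


TODAY = date(2026, 2, 25)  # constructed reference date
SAMPLE = [  # constructed findings loosely following the mocks
    EnvFinding("us-prod", "prod", "Platform 1.3.0-rc1", "user-service", "CVE-2026-1234", "openssl", "CRITICAL", "REACHABLE"),
    EnvFinding("us-uat", "uat", "Platform 1.3.0-rc1", "user-service", "CVE-2026-1234", "openssl", "CRITICAL", "REACHABLE"),
    EnvFinding("us-uat", "uat", "Platform 1.3.0-rc1", "user-service", "CVE-2026-2222", "glibc", "CRITICAL", "REACHABLE"),
    EnvFinding("us-prod", "prod", "Platform 1.3.0-rc1", "api-gateway", "CVE-2026-9001", "log4j", "HIGH", "NOT_REACHABLE",
               vex_status="not_affected", exception_expires=date(2026, 3, 1)),
    EnvFinding("eu-prod", "prod", "Platform 1.2.9", "api-gateway", "CVE-2026-9001", "log4j", "HIGH", "NOT_REACHABLE",
               vex_status="not_affected"),
]

if __name__ == "__main__":
    for row in quick_filter(rollup(SAMPLE, TODAY), only_prod=True):
        print(row["cve"], row["severity"], row["impacted_envs"], row["crit_reachable_envs"], row["disposition"])
```

Because the rollup is a pure function of the findings set, the same Data Confidence banner that applies to the findings (stale feed, failed rescan) applies to every count on this screen; a catalog view with no stale inputs of its own can still be built from stale findings.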
Screen graph (Mermaid)
flowchart TD
A[Vulnerabilities Explorer] --> B[Vulnerability Detail]
A --> C["Open Findings (filtered by CVE)"]
A --> D["Open VEX Hub (statements for CVE)"]
A --> E["Open Exceptions (scoped to CVE)"]
A --> F["Open SBOM Graph (package path)"]
A --> G["Export report -> Evidence Export"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VULNERABILITIES EXPLORER │
│ Formerly: Security ▸ Vulnerabilities (vulnerabilities.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Severity ▾ Has VEX ▾ Has Exception ▾ Reachable in Prod ▾ Window ▾ │
│ Data Confidence banner (if stale): WARN (NVD stale 3h) [Open Data Integrity] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────┬──────────┬──────────────┬───────────────┬──────────────┬───────────────────┐ │
│ │ CVE │ Severity │ Package │ Impacted envs │ CritR envs │ Disposition │ │
│ ├──────────────┼──────────┼──────────────┼───────────────┼──────────────┼───────────────────┤ │
│ │ 2026-1234 │ CRIT │ openssl │ 2 │ 2 │ no VEX / no exc │ │
│ │ 2026-9001 │ HIGH │ log4j │ 4 │ 0 │ VEX present │ │
│ └──────────────┴──────────┴──────────────┴───────────────┴──────────────┴───────────────────┘ │
│ Click a CVE → Vulnerability Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.6 Security screen — Vulnerability Detail (new, minimal but necessary)
Formerly
- No explicit detail page shown; users used SBOM graph or external CVE pages and then filtered Findings.
Why changed like this
This is the “CVE dossier” inside Stella:
- shows where it hits (envs/bundles/components)
- reachability distribution
- VEX statements and exceptions status
- links to SBOM Graph paths and evidence export
Screen graph (Mermaid)
flowchart TD
A[Vulnerability Detail] --> B[Impacted envs/bundles/components]
A --> C[Reachability distribution]
A --> D[VEX statements]
A --> E[Exceptions / waivers]
A --> F[SBOM Graph path explorer]
A --> G[Export as evidence report]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY DETAIL: CVE-2026-1234 │
│ Formerly: inferred via Vulnerabilities list + Findings filters + external CVE lookup │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Package: openssl Severity: CRITICAL EPSS/KEV: (if present via feeds) │
│ Data confidence: WARN (NVD stale 3h) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Impact summary │
│ Impacted envs: 2 (Prod impacted: 1) │
│ Findings: 3 total | Reachable: 3 | Not reachable: 0 | Unknown: 0 │
│ Affected components: user-service sha256:2222... │
│ Affected bundle versions: Platform 1.3.0-rc1 (sha256:beef...) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Disposition │
│ VEX: none | Exceptions: none │
│ Actions: [Open Findings] [Open SBOM Graph] [Create Exception] [Export Report] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.7 Security screen — SBOM Lake
Formerly
- Security → SBOM Lake (sbom lake.png) (raw SBOM index / ingestion storage view)
Why changed like this
Keep it intact, but reframe it as backend exploration:
- clearly marked as “data plane”
- supports filtering by digest / component / bundle version / env
- adds a “Used in decisions” panel (which approvals/promotions reference this SBOM snapshot)
Screen graph (Mermaid)
flowchart TD
A[SBOM Lake] --> B["SBOM Record Detail (by digest)"]
A --> C["Pivot to Findings (derived)"]
A --> D["Pivot to SBOM Graph (relationships)"]
A --> E[Pivot to Bundle Version Detail]
A --> F["Export SBOM snapshot -> Evidence"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ SBOM DATA ▸ SBOM LAKE │
│ Formerly: Security ▸ SBOM Lake (sbom lake.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Purpose: raw SBOM store / index (data plane). Use Findings/Vulns for decision views. │
│ Filters: Digest ▾ Component ▾ BundleVersion ▾ Env ▾ Freshness ▾ │
│ Actions: [Export SBOM snapshot] [Open derived Findings] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ SBOM Records │
│ sha256:1111... api-gateway generated: 2h ago format: SPDX status: OK │
│ sha256:2222... user-service generated: 26h ago format: SPDX status: OK (STALE) │
│ sha256:4444... worker generated: — format: — status: PENDING │
│ Click record → SBOM Record Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.8 Security screen — SBOM Graph
Formerly
- Security → SBOM Graph (sbom graph.png) (graph traversal of dependencies)
Why changed like this
Keep intact, but make it decision-connected:
- start from bundle version or env deployed digest as entry points
- show “paths to vulnerable package”
- add “show reachable paths only” as an overlay (2nd-class reachability filter)
Screen graph (Mermaid)
flowchart TD
A[SBOM Graph] --> B[Select root: env/bundle/digest/package]
A --> C[Graph view + path explorer]
A --> D[Overlay: highlight vulnerable packages]
A --> E[Overlay: reachable-only / evidence source]
A --> F[Pivot: open Finding / Vulnerability detail]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ SBOM DATA ▸ SBOM GRAPH │
│ Formerly: Security ▸ SBOM Graph (sbom graph.png) │
├───────────────────────────────────────────────────────────────────────────────┬──────────────┤
│ Entry point (choose one): │ Overlays │
│ (•) Deployed env: US-East/us-prod │ [x] highlight│
│ ( ) Bundle version: Platform 1.3.0-rc1 │ CVEs │
│ ( ) Digest: sha256:2222... │ [ ] reachable│
│ ( ) Package: openssl │ only │
├───────────────────────────────────────────────────────────────────────────────┴──────────────┤
│ Graph view (nodes: packages/components; edges: depends-on) │
│ Path explorer: user-service → openssl → … │
│ Click node → [Open Vulnerability] [Open Findings] [Open SBOM record] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.9 Security screen — VEX Hub
Formerly
- Security → VEX Hub (vex hub.png) (statement ingestion/management)
Why changed like this
Keep intact, but align to governance:
- show “statements affecting blocked approvals”
- show issuer trust status (links to Evidence → Trust & Signing)
- provide “apply VEX to finding” workflow as a controlled action (audited)
Screen graph (Mermaid)
flowchart TD
A[VEX Hub] --> B[VEX Statement Detail]
A --> C[Filter by CVE/package/component/env]
A --> D["Issuer trust -> Trust & Signing"]
A --> E["Apply statement -> affects Findings"]
A --> F["Export VEX set -> Evidence"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX & EXCEPTIONS ▸ VEX HUB │
│ Formerly: Security ▸ VEX Hub (vex hub.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Issuer ▾ CVE ▾ Component ▾ Env ▾ Status ▾ │
│ Summary: Statements imported (24h): 12 | affecting blocked approvals: 1 │
│ Issuer trust: 2 trusted / 1 untrusted [Open Trust & Signing] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Statements │
│ VendorA CVE-2026-9001 status: not affected scope: api-gateway evidence: signed ✓ │
│ InternalSec CVE-2026-1234 status: under investigation scope: user-service signed ✓ │
│ Actions: [Import] [Validate signatures] [Export] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
19.10 Security screen — Exceptions
Formerly
- Security → Exceptions (exceptions.png) (likely waivers, policy exceptions, risk acceptances)
Why changed like this
Keep it intact, but give it a release-governance shape:
- exceptions are time-bound, scoped (env/bundle/component/CVE), and audited
- shows “exceptions expiring soon” prominently
- links to approvals using this exception (so you see operational dependency)
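An added worked example (not Stella Ops code) of the disposition layer that the VEX Hub (19.9) and Exceptions (19.10) lists describe: a finding is SUPPRESSED only by a signed “not_affected” statement from a trusted issuer, WAIVED only by an active, unexpired, in-scope exception with enough approvers, and otherwise stays OPEN and blocking, with every accepted and rejected input recorded for the audit export. The status vocabulary follows OpenVEX/CSAF; the trusted-issuer set (standing in for Trust & Signing), the two-approver rule, the 7-day “expiring soon” window and the scope-matching fields are assumptions for the example.

```python
"""VEX + exception disposition for one finding, with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_APPROVERS = 2                                         # assumed two-person rule for waivers
TRUSTED_ISSUERS = frozenset({"VendorA", "InternalSec"})   # assumed stand-in for Trust & Signing


@dataclass(frozen=True)
class FindingRef:
    env: str
    bundle: str
    component: str
    cve: str


@dataclass(frozen=True)
class VexStatement:
    issuer: str
    cve: str
    product: str           # component the statement is scoped to
    status: str            # not_affected | affected | fixed | under_investigation
    signature_valid: bool  # outcome of the hub's signature check (assumed done on import)


@dataclass
class Waiver:
    cve: str
    scope: dict            # subset of {"env", "bundle", "component"}; an absent key matches anything
    expires: date
    approvers: tuple
    status: str            # active | pending | revoked


def waiver_covers(w: Waiver, f: FindingRef, today: date) -> bool:
    """A waiver counts only if active, unexpired, sufficiently approved and in scope."""
    if w.status != "active" or w.expires < today or len(w.approvers) < MIN_APPROVERS:
        return False
    if w.cve != f.cve:
        return False
    return all(getattr(f, key) == value for key, value in w.scope.items())


def disposition(f, statements, waivers, today, trusted=TRUSTED_ISSUERS, soon=timedelta(days=7)):
    """Resolve a finding to SUPPRESSED (trusted not_affected VEX), WAIVED (scoped exception) or OPEN.

    Only 'not_affected' suppresses; 'under_investigation' and 'affected' leave the
    finding open. Unsigned or untrusted statements are logged and ignored, never
    applied. `trail` is the audit record for the Evidence export.
    """
    trail = []
    for s in statements:
        if s.cve != f.cve or s.product != f.component:
            continue
        if not s.signature_valid:
            trail.append(f"VEX {s.issuer}: ignored, signature invalid")
        elif s.issuer not in trusted:
            trail.append(f"VEX {s.issuer}: ignored, issuer not trusted")
        elif s.status == "not_affected":
            trail.append(f"VEX {s.issuer}: not_affected, signed, trusted")
            return {"state": "SUPPRESSED", "blocks": False, "expiring_soon": False, "trail": trail}
        else:
            trail.append(f"VEX {s.issuer}: {s.status}, does not suppress")
    for w in waivers:
        if waiver_covers(w, f, today):
            expiring = (w.expires - today) <= soon
            trail.append(f"exception {w.scope or 'global'} expires {w.expires.isoformat()}"
                         f"{' (EXPIRING SOON)' if expiring else ''}")
            return {"state": "WAIVED", "blocks": False, "expiring_soon": expiring, "trail": trail}
        if w.cve == f.cve:
            trail.append(f"exception {w.scope or 'global'}: not applicable "
                         f"({w.status}, expires {w.expires.isoformat()})")
    return {"state": "OPEN", "blocks": True, "expiring_soon": False, "trail": trail}


# Constructed inputs following the mocks; VendorX is an unsigned, untrusted issuer.
TODAY = date(2026, 2, 15)
STATEMENTS = [
    VexStatement("VendorA", "CVE-2026-9001", "api-gateway", "not_affected", True),
    VexStatement("InternalSec", "CVE-2026-1234", "user-service", "under_investigation", True),
    VexStatement("VendorX", "CVE-2026-2222", "user-service", "not_affected", False),
]
WAIVERS = [
    Waiver("CVE-2026-1234", {"env": "eu-prod"}, date(2026, 2, 20), ("sec", "relmgr"), "active"),
    Waiver("CVE-2026-2222", {}, date(2026, 1, 31), ("sec", "relmgr"), "active"),  # already expired
]
API_GW_US = FindingRef("us-prod", "Platform 1.3.0-rc1", "api-gateway", "CVE-2026-9001")
USER_SVC_US = FindingRef("us-prod", "Platform 1.3.0-rc1", "user-service", "CVE-2026-1234")
USER_SVC_EU = FindingRef("eu-prod", "Platform 1.2.9", "user-service", "CVE-2026-1234")
USER_SVC_GLIBC = FindingRef("us-uat", "Platform 1.3.0-rc1", "user-service", "CVE-2026-2222")

if __name__ == "__main__":
    for ref in (API_GW_US, USER_SVC_US, USER_SVC_EU, USER_SVC_GLIBC):
        print(ref.env, ref.component, ref.cve, disposition(ref, STATEMENTS, WAIVERS, TODAY))
```

Two checks here are the ones an auditor asks about first: a statement that fails signature validation or comes from an issuer outside the trust store must not change a finding’s state even when it says “not_affected”, and an exception outside its scope, past its expiry or short of approvers must fall through to OPEN rather than silently waiving.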
Screen graph (Mermaid)
flowchart TD
A[Exceptions] --> B[Exception Detail]
A --> C[Create exception request]
A --> D[Link to Approval / Promotion]
A --> E[Link to Finding / Vulnerability]
A --> F["Export exception ledger -> Evidence"]
ASCII mock
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX & EXCEPTIONS ▸ EXCEPTIONS │
│ Formerly: Security ▸ Exceptions (exceptions.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Status ▾ Expiring <7d ▾ Env ▾ BundleVersion ▾ CVE ▾ Owner ▾ │
│ Summary: Active: 9 | Expiring soon: 4 | Used by pending approvals: 1 │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Exceptions (waivers / risk acceptance) │
│ ┌──────────────┬───────────────┬──────────────┬───────────┬───────────────┬─────────────────┐ │
│ │ Scope │ CVE/Issue │ Reason │ Expires │ Approvers │ Used by │ │
│ ├──────────────┼───────────────┼──────────────┼───────────┼───────────────┼─────────────────┤ │
│ │ us-prod │ CVE-2026-9001 │ VEX says not │ 2026-03-01│ sec+relmgr │ 0 approvals │ │
│ │ eu-prod │ policy override│ hotfix window │ 2026-02-20│ sec+relmgr │ 1 approval │ │
│ └──────────────┴───────────────┴──────────────┴───────────┴───────────────┴─────────────────┘ │
│ Actions: [+ Request Exception] [Export ledger] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
What this consolidation fixes (in practical terms)
- Decision-first navigation: security starts with “what blocks releases / where CritR exists”, not raw SBOM tooling.
- Reachability is second-class but visible: it’s a column/filter everywhere it matters (Findings/Vulns/Detail), not a buried third-class afterthought.
- Audit friendliness: each screen has explicit export hooks into Evidence (decision packets, exception ledger, filtered findings sets).
- No feature loss: SBOM Lake/Graph, VEX Hub, Exceptions remain exactly as capabilities—just grouped and linked to approvals/releases/environment context.
If you want the next pack, Pack 20 can do the same consolidation for Evidence & Audit (Evidence Bundles, Export Center, Replay/Verify, Trust & Signing) so audit outputs are “release/bundle/env centric” and still preserve all PoC screens.