77 lines
5.3 KiB
Markdown
77 lines
5.3 KiB
Markdown
# Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles
|
|
|
|
## Module
|
|
Scanner (with Attestor proof bundle integration)
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
A vulnerability-first triage inbox where findings are grouped by exploit path similarity rather than by CVE or component. Security engineers see clusters of findings that share the same attack vector (entrypoint -> call chain -> sink), enabling batch triage. Backend triage service with DB context, reachability subgraph extraction, exploit path grouping, and proof generation exist. UI triage inbox and queue components are partially complete.
|
|
|
|
## What's Implemented
|
|
- **Exploit Path Grouping (Backend)**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs` -- interface grouping findings by exploit path similarity
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs` -- call chain from entrypoint to vulnerable function
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/` -- unit tests for exploit path grouping logic
|
|
- **Triage Database and API**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageDbContext.cs` -- EF Core database context
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageFinding.cs` -- finding entity with reachability classification and exploit path reference
|
|
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs` -- REST API with exploit path grouping support
|
|
- **Triage Lanes**: `TriageEnums.cs` -- ACTIVE, BLOCKED, MUTED_REACH, MUTED_VEX
|
|
- **Triage Status Service**: `TriageStatusService.cs` -- state transitions across lanes
|
|
- **Evidence Integration**: `ProofBundleEndpoints.cs` -- evidence bundles for triage decisions
|
|
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- proof graph with subgraph extraction for evidence grouping
|
|
- **Micro Witness Evidence**: `MicroWitnessFunctionEvidence.cs`, `MicroWitnessBinaryRef.cs`, `MicroWitnessCveRef.cs` -- function-level reachability evidence
|
|
- **Reachability Witness Payload**: `ReachabilityWitnessPayload.cs` (with `.Path`), `WitnessCallPathNode.cs` -- witness payload with exploit call paths
|
|
- **Proof Spine System**: `ProofSpineRequest.cs`, `ProofSpineResult.cs` -- proof spine for evidence bundle assembly
|
|
- **Sigstore/Evidence Pack Builders**: `SigstoreBundleBuilder.cs`, `ReleaseEvidencePackBuilder.cs` -- builds proof bundles
|
|
|
|
## What's Missing
|
|
- **Triage Inbox UI Component**: No Angular component implementing the vulnerability-first triage inbox with exploit path cluster view, batch triage actions, cluster expansion, sort/filter by cluster size/severity/reachability
|
|
- **Exploit Path Similarity Algorithm**: The `IExploitPathGroupingService` interface exists but the clustering/similarity algorithm completeness is unclear
|
|
- **Batch Triage API**: No REST endpoint for applying a single triage decision to all findings in an exploit path cluster
|
|
- **Cluster Statistics**: No API endpoint returning per-cluster severity and reachability distributions
|
|
- **Triage Dashboard**: No dashboard showing triage progress (clusters triaged vs. remaining, MTTR per cluster)
|
|
- **Triage Action Workflow**: No triage action buttons (accept risk, suppress, escalate, remediate) with DSSE-signed action records
|
|
- **Triage Priority Scoring**: No scoring that prioritizes vulnerabilities by exploit path depth and reachability confidence
|
|
- **Inline Proof Bundle Viewer**: No inline viewer showing proof bundle contents (DSSE envelope, Rekor receipt, Merkle proof) within the triage UI
|
|
|
|
## Implementation Plan
|
|
- Complete exploit path similarity algorithm using common call-chain prefix grouping with configurable similarity threshold
|
|
- Add `BatchTriageEndpoints` for applying triage decisions to entire exploit path clusters
|
|
- Add cluster statistics endpoint returning per-cluster severity and reachability distributions
|
|
- Create `TriageInboxComponent` in `src/Web/` with exploit path cluster view, batch actions, and filtering
|
|
- Implement triage action workflow with DSSE-signed action records
|
|
- Add triage priority scoring based on path depth and confidence
|
|
- Build inline proof bundle viewer
|
|
- Create triage dashboard with progress metrics
|
|
- Add e2e tests for grouping, triage actions, and batch operations
|
|
|
|
## E2E Test Plan
|
|
- [ ] Open triage inbox and verify findings are grouped by exploit path similarity
|
|
- [ ] Expand a cluster and verify all individual findings with CVE, severity, and reachability tier
|
|
- [ ] Apply batch "mute" action to entire cluster and verify all findings move to MUTED_REACH lane
|
|
- [ ] Sort clusters by highest severity and verify correct ordering
|
|
- [ ] Filter clusters by reachability tier "Confirmed"
|
|
- [ ] Open triage dashboard and verify correct counts
|
|
- [ ] Verify batch triage API returns correct affected finding count
|
|
|
|
## Related Documentation
|
|
- Triage infrastructure: `src/Scanner/__Libraries/StellaOps.Scanner.Triage/`
|
|
- Proof graph: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/`
|
|
|
|
## Merged From
|
|
- `attestor/vulnerability-first-triage-ux-with-exploit-path-grouping-and-proof-bundles.md` (deleted)
|
|
|
|
---
|
|
|
|
## Verification
|
|
|
|
| Check | Result |
|
|
|-------|--------|
|
|
| Tier 0 - Source files exist | PASS |
|
|
| Tier 1 - Build + code review | PASS |
|
|
| Tier 2 - Integration tests | PASS |
|
|
| Verified | 2026-02-13T18:10:00Z |
|